Single byte overread with convert.quoted-printable-decode filter

Summary

A memory-safety bug in PHP's stream filter handling, triggered when input is processed through the convert.quoted-printable-decode filter, leads to a segmentation fault. Specific sequences of input data make PHP crash; when exploited, the bug lets an attacker read a single byte of data past a heap buffer or cause a DoS.

Details

The issue is caused by a missing bounds check.

The crash is reliably detected by AddressSanitizer (ASAN), which reports a segmentation fault caused by a read memory access violation, indicating an out-of-bounds read or a use-after-free condition in the affected filter. Below is an example stack trace as reported by ASAN:

AddressSanitizer: SEGV on unknown address 0x7ffff4200000 (pc 0x55555635d5b4 bp 0x000000000001 sp 0x7fffffff9e20 T0)
The signal is caused by a READ memory access.
#0 0x55555635d5b4 in php_conv_qprint_decode_convert (/php-8.3.13/sapi/cli/php+0xf5d5b4)
#1 0x555556355e00 in strfilter_convert_append_bucket (/php-8.3.13/sapi/cli/php+0xf55e00)
#2 0x55555635507d in strfilter_convert_filter (/php-8.3.13/sapi/cli/php+0xf5507d)
...
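As an added illustration, not code from php-src or from this advisory, the following C decoder shows the shape of the check the advisory says is missing: every lookahead past a '=' in quoted-printable input is guarded by the number of bytes remaining in the current buffer. Which branch in filters.c overran is not stated on this page; the example assumes the lookahead after '=' is where such a guard belongs, and each guarded read is one that would otherwise step exactly one byte past the end of the input.

```c
#include <stddef.h>
#include <string.h>

/* Decode one hex digit; returns -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Quoted-printable decoder that checks the remaining byte count (icnt)
 * before every lookahead past '='. "=XX" decodes to one byte, "=\r\n" and
 * "=\n" are soft line breaks, anything else is passed through unchanged.
 * Returns the number of bytes written to out (out must hold in_len bytes).
 * Each icnt comparison guards a read of ps[1] or ps[2] that would otherwise
 * read one byte beyond the input buffer. */
size_t qp_decode_safe(const unsigned char *in, size_t in_len, unsigned char *out) {
    const unsigned char *ps = in;
    size_t icnt = in_len, o = 0;
    while (icnt > 0) {
        if (*ps != '=') { out[o++] = *ps++; icnt--; continue; }
        /* '=' is the final byte: ps[1] does not exist, so copy it literally. */
        if (icnt < 2) { out[o++] = *ps++; icnt--; continue; }
        if (ps[1] == '\n') { ps += 2; icnt -= 2; continue; }       /* "=\n"   */
        if (ps[1] == '\r') {                                        /* "=\r\n" */
            /* "=\r" at the very end of the buffer: ps[2] must not be read. */
            if (icnt >= 3 && ps[2] == '\n') { ps += 3; icnt -= 3; }
            else { ps += 2; icnt -= 2; }
            continue;
        }
        if (icnt >= 3) {                                            /* "=XX"   */
            int hi = hexval(ps[1]), lo = hexval(ps[2]);
            if (hi >= 0 && lo >= 0) {
                out[o++] = (unsigned char)((hi << 4) | lo);
                ps += 3; icnt -= 3;
                continue;
            }
        }
        out[o++] = *ps++; icnt--;   /* malformed escape: keep the '=' as data */
    }
    return o;
}

/* Check helper: decode a NUL-terminated input and compare with expect. */
int qp_decode_equals(const char *in, const char *expect) {
    unsigned char out[256];
    size_t n = qp_decode_safe((const unsigned char *)in, strlen(in), out);
    return n == strlen(expect) && memcmp(out, expect, n) == 0;
}
```

The inputs ending in a bare "=" or "=\r" are the cases that exercise the length guards; feeding them to a decoder without those guards is what ASAN would flag as a one-byte read past the buffer.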

PoC

  1. Disable leak detection: export ASAN_OPTIONS=detect_leaks=0

  2. Run the following against PHP compiled with ASAN, using the two attached files from php_crash.zip: cat ./php_crash | ./sapi/cli/php poc.php

  3. Note the ASAN trace once the final output hits the echo implode

root@32fbd16f3ed1:/php-8.3.13# cat php_crash | ./sapi/cli/php zlib_fuzz.php
Warning: file_get_contents(): Unable to locate filter "bzip2.compress" in /php-8.3.13/zlib_fuzz.php on line 25

Warning: file_get_contents(): Unable to create filter (bzip2.compress) in /php-8.3.13/zlib_fuzz.php on line 25

Warning: file_get_contents(): Unable to locate filter "bzip2.decompress" in /php-8.3.13/zlib_fuzz.php on line 25

Warning: file_get_contents(): Unable to create filter (bzip2.decompress) in /php-8.3.13/zlib_fuzz.php on line 25
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1558930==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff4200000 (pc 0x55555635d5b4 bp 0x000000000001 sp 0x7fffffff9e40 T0)
==1558930==The signal is caused by a READ memory access.
    #0 0x55555635d5b4 in php_conv_qprint_decode_convert /php-8.3.13/ext/standard/filters.c:999:46
    #1 0x555556355e00 in strfilter_convert_append_bucket /php-8.3.13/ext/standard/filters.c
    #2 0x55555635507d in strfilter_convert_filter /php-8.3.13/ext/standard/filters.c:1525:7
    #3 0x5555563f7b0f in _php_stream_fill_read_buffer /php-8.3.13/main/streams/streams.c:583:14
    #4 0x5555563f942e in _php_stream_read /php-8.3.13/main/streams/streams.c:747:8
    #5 0x555556400a9c in _php_stream_copy_to_mem /php-8.3.13/main/streams/streams.c:1580:16
    #6 0x5555561ced5e in zif_file_get_contents /php-8.3.13/ext/standard/file.c:445:18
    #7 0x555556887bae in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-8.3.13/Zend/zend_vm_execute.h:1337:2
    #8 0x5555566e729b in execute_ex /php-8.3.13/Zend/zend_vm_execute.h:57007:7
    #9 0x5555566e7e95 in zend_execute /php-8.3.13/Zend/zend_vm_execute.h:61604:2
    #10 0x5555565f7adb in zend_execute_scripts /php-8.3.13/Zend/zend.c:1893:4
    #11 0x55555639c646 in php_execute_script /php-8.3.13/main/main.c:2528:13
    #12 0x555556c29b97 in do_cli /php-8.3.13/sapi/cli/php_cli.c:966:5
    #13 0x555556c270aa in main /php-8.3.13/sapi/cli/php_cli.c:1341:18
    #14 0x7ffff75301c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7ffff753028a in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x555555803bc4 in _start (/php-8.3.13/sapi/cli/php+0x403bc4) (BuildId: 712b3d4fbdcb978a011679cd1c90ada321af14cf)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-8.3.13/ext/standard/filters.c:999:46 in php_conv_qprint_decode_convert

Impact

It affects any system that runs these filters in sequence, especially where untrusted user input is processed through php://filter. Systems using this filter chain may be exposed to the overread, and under specific conditions there is a risk of DoS or information leakage.

Linked CVEs

CVE-ID           Severity (CVE.org)   CVSS (CVE.org)   EPSS   EPSS-%   Published (CVE.org)
CVE-2024-11233   -                    -                -      -

Source details

Label                            Name      Category          Tags           Audience   Language   Feed URL
PHP Security (php/php-src GHSA)  php_sec   vendor_advisory   php, runtime   -          de         https://github.com/php/php-src/security/advisories