Hello, all

Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function.
http://www.securitylab.ru/?ID=36819

IMHO it's not an integer overflow, but use of a nonexistent second
parameter; just try to call:
<?php
socket_iovec_alloc(1);
?>
and you'll get a segfault.
Take a look at this part of the code:
ext/sockets/sockets.c
    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }
    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);
    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
    for (i = 0, j = 1; i < num_vectors; i++, j++) {
        convert_to_long_ex(args[j]);
Does anyone know why this extension was not moved to PECL?
--
Wbr,
Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
http://phpclub.net
Stand for something or you will fall for nothing.
It isn't an overflow in that particular case, but there are other parts
of the sockets extension where negative values can make their way to an
emalloc() call, and I suppose you could call that an integer overflow. I
don't see how it is in any way exploitable.
-Rasmus
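The two messages above describe two distinct defects in the quoted snippet: the loop reads args[1..num_vectors] without checking that argc actually covers them (so socket_iovec_alloc(1) dereferences a missing argument), and a negative count reaches the emalloc() size expression, where it wraps after conversion to size_t. The following is an added example, not the sockets.c code from PHP, modelling in plain C the validation a checked version of that function would do before allocating. It keeps the snippet's argument layout (args[0] is the vector count, args[1..] the per-vector sizes); the names iovec_model, requested_bytes, iovec_alloc_checked and the demo_* helpers are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct iovec; only the length field matters here. */
struct iovec_model { size_t len; };

enum alloc_status {
    ALLOC_OK = 0,
    ALLOC_TOO_FEW_ARGS = -1,  /* argc does not cover args[1..num_vectors] */
    ALLOC_BAD_COUNT = -2,     /* negative vector count or negative size */
    ALLOC_NO_MEM = -3
};

/* What the unchecked expression sizeof(struct iovec)*(num_vectors+1) asks
 * for. A negative count is converted to size_t and wraps, so the allocator
 * receives a zero or huge request instead of an error. */
size_t requested_bytes(long num_vectors)
{
    return sizeof(struct iovec_model) * (size_t)(num_vectors + 1);
}

/* Validates every argument before allocating. On ALLOC_OK, *out holds
 * num_vectors+1 entries (as in the original) and the caller frees it. */
enum alloc_status iovec_alloc_checked(int argc, const long *args,
                                      struct iovec_model **out)
{
    *out = NULL;
    if (argc < 1)
        return ALLOC_TOO_FEW_ARGS;
    long num_vectors = args[0];
    if (num_vectors < 0)
        return ALLOC_BAD_COUNT;          /* would wrap in the size expression */
    /* The original loop reads args[1..num_vectors] without checking argc;
     * socket_iovec_alloc(1) has argc == 1 and num_vectors == 1, so it stops here. */
    if ((long)argc - 1 != num_vectors)
        return ALLOC_TOO_FEW_ARGS;
    struct iovec_model *v = calloc((size_t)num_vectors + 1, sizeof *v);
    if (v == NULL)
        return ALLOC_NO_MEM;
    for (long i = 0, j = 1; i < num_vectors; i++, j++) {
        if (args[j] < 0) {               /* a vector size must not be negative either */
            free(v);
            return ALLOC_BAD_COUNT;
        }
        v[i].len = (size_t)args[j];
    }
    *out = v;
    return ALLOC_OK;
}

/* Constructed inputs for the cases discussed in the thread. */
int demo_missing_sizes(void)          /* socket_iovec_alloc(1) */
{
    const long args[] = { 1 };
    struct iovec_model *v;
    return iovec_alloc_checked(1, args, &v);
}

int demo_negative_count(void)         /* socket_iovec_alloc(-2) */
{
    const long args[] = { -2 };
    struct iovec_model *v;
    return iovec_alloc_checked(1, args, &v);
}

/* socket_iovec_alloc(2, 16, 32): returns the sum of the stored lengths (48)
 * when the call is accepted, or -1 otherwise. */
long demo_valid_call(void)
{
    const long args[] = { 2, 16, 32 };
    struct iovec_model *v;
    if (iovec_alloc_checked(3, args, &v) != ALLOC_OK)
        return -1;
    long total = (long)(v[0].len + v[1].len);
    free(v);
    return total;
}

int main(void)
{
    printf("missing sizes  -> %d\n", demo_missing_sizes());
    printf("negative count -> %d\n", demo_negative_count());
    printf("valid call     -> %ld\n", demo_valid_call());
    printf("bytes for -2   -> %zu (wrapped)\n", requested_bytes(-2));
    return 0;
}
```

The argc check is done as `argc - 1 != num_vectors` rather than `argc != num_vectors + 1` so that a count near LONG_MAX cannot overflow the comparison itself; requested_bytes() is kept only to show why the sign check has to come before the allocation.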
On Wed, 26 Mar 2003 01:30:11 -0800 (Pacific Standard Time)
Rasmus Lerdorf rasmus@lerdorf.com wrote:
> I don't see how it is in any way exploitable.
That's what I wanted to say indeed.
IMHO it will be much better to move this extension to PECL and to
avoid such articles, which have a bad influence on PHP's image.
--
Wbr,
Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
http://phpclub.net
Stand for something or you will fall for nothing.
> On Wed, 26 Mar 2003 01:30:11 -0800 (Pacific Standard Time)
> Rasmus Lerdorf rasmus@lerdorf.com wrote:
> > I don't see how it is in any way exploitable.
> That's what I wanted to say indeed.
> IMHO it will be much better to move this extension to PECL and to
> avoid such articles, having bad influence on PHP's image.
So you are proposing to move sockets to PECL because the extension will
not attract that much interest there, and thus the possible security
issues will not be revealed so fast?
I agree with that up to a certain point, but technically this isn't a
great solution: the issues should be fixed before moving it to PECL.
Otherwise PECL will soon be a hazardous waste site for all sorts of PHP
extensions that have more or less severe security problems ;-).
- Martin
On 26 Mar 2003 14:38:36 +0100
Martin Jansen mj@php.net wrote:
> So you are proposing to move sockets to PECL, because the extension
> will not attract that much interest there and thus the possible
> security issues will not be revealed so fast?
> I agree with that up to a certain point, but technically this isn't a
> great solution: The issues should be fixed before moving it to PECL.
Yes, of course.
I just don't see any reason to include experimental extensions
that will cause such "security advisories" in the core distribution.
Can someone explain this to me? Maybe I'm wrong.
> Otherwise PECL will soon be a hazardous waste site for all sorts of
> PHP extensions that have more or less severe security problems ;-).
No, I'm not going to fill PECL with hazardous extensions =)
In PECL we can at least tell that this extension is not stable
yet and that we have only an alpha/beta/gamma version.
IMHO, this will warn admins against installing this extension on production
environments.
--
Wbr,
Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
http://phpclub.net
Stand for something or you will fall for nothing.
P.S. It seems that cc'ing to Internals doesn't work.
Did I miss something?
> I just don't see any reasons to include experimental extensions,
> that will cause such "security advisories", into the core distribution.
> Someone can explain this to me, maybe I'm wrong?
The plan is to move a lot of extensions to PECL once the infrastructure
is rock-solid. Please don't ask when this will happen and which
extensions will be moved :-).
- Martin
On 26 Mar 2003 19:17:39 +0100
Martin Jansen mj@php.net wrote:
> The plan is to move a lot of extension to PECL, once the
> infrastructure is rock-solid. Please don't ask, when this will happen
> and which extensions will be moved :-).
Yep, I know about this plan.
Ok, I just stated my IMHO.
Thank you for your attention =)
--
Wbr,
Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
http://phpclub.net
Stand for something or you will fall for nothing.
> On Wed, 26 Mar 2003 01:30:11 -0800 (Pacific Standard Time)
> Rasmus Lerdorf rasmus@lerdorf.com wrote:
> > I don't see how it is in any way exploitable.
> That's what I wanted to say indeed.
> IMHO it will be much better to move this extension to PECL and to
> avoid such articles, having bad influence on PHP's image.
It's a segfault, it will be fixed. Sockets is a standard, and atm very
widely used and important extension - it's not going to
siberia^H^H^H^Hpecl.
-Sterling
--
"The computer programmer is a creator of universes for which he
alone is responsible. Universes of virtually unlimited complexity
can be created in the form of computer programs."
- Joseph Weizenbaum
On 26 Mar 2003 13:10:25 -0500
Sterling Hughes sterling@bumblebury.com wrote:
> Its a segfault, it will be fixed. Sockets is a standard, and atm very
> widely used and important extension - its not going to
> siberia^H^H^H^Hpecl.
I thought Siberia is much further than PECL =)
By the way, in Russian "PECL" sounds almost like a word that
means "hell"...
--
Wbr,
Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
http://phpclub.net
Stand for something or you will fall for nothing.
> I thought Siberia is much further, then PECL =)
> By the way, in Russian "PECL" sounds almost like a word, that
> means "hell"..
In German, it sounds like "pimple". I've always been saying
that it was a bad choice.
- Sascha