CVE-2020-7064: PHP :: Sec Bug #79282 :: Use-of-uninitialized-value in exif
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.
Sec Bug #79282: Use-of-uninitialized-value in exif
Submitted: 2020-02-19 09:31 UTC
Modified: 2020-03-17 05:39 UTC
From:
Assigned: stas
Status: Closed
Package: EXIF related
PHP Version: master-Git-2020-02-19 (Git)
OS:
Private report: No
CVE-ID: 2020-7064
[2020-02-19 09:31 UTC] [email protected]
Description:
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19581.
<?php var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
Results in:
Uninitialized bytes in MemcmpInterceptorCommon at offset 1 inside [0x7010000006e8, 2)
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5004dc in __interceptor_bcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:885:10
#1 0x86693b in exif_process_TIFF_in_JPEG php-src/ext/exif/exif.c:3596:6
#2 0x861b7e in exif_scan_JPEG_header php-src/ext/exif/exif.c:3793:6
#3 0x8609eb in exif_scan_FILE_header php-src/ext/exif/exif.c:4186:8
#4 0x8602bb in exif_read_from_impl php-src/ext/exif/exif.c:4327:8
#5 0x858b52 in exif_read_from_stream php-src/ext/exif/exif.c:4344:8
#6 0x856001 in zif_exif_read_data php-src/ext/exif/exif.c:4434:9
#7 0x112596d in zend_call_function php-src/Zend/zend_execute_API.c:817:4
#8 0x11236e2 in _call_user_function_ex php-src/Zend/zend_execute_API.c:638:9
#9 0x1696c7a in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
#10 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
#11 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#12 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#13 0x4718de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
#14 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#15 0x7f3e6199882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#16 0x445098 in _start
Uninitialized value was created by a heap allocation
#0 0x4fc67d in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:925:3
#1 0x1088155 in __zend_malloc php-src/Zend/zend_alloc.c:2975:14
#2 0x1082159 in _emalloc php-src/Zend/zend_alloc.c:2535:10
#3 0x865d76 in exif_file_sections_add php-src/ext/exif/exif.c:2042:10
#4 0x8618c0 in exif_scan_JPEG_header php-src/ext/exif/exif.c:3747:8
#5 0x8609eb in exif_scan_FILE_header php-src/ext/exif/exif.c:4186:8
#6 0x8602bb in exif_read_from_impl php-src/ext/exif/exif.c:4327:8
#7 0x858b52 in exif_read_from_stream php-src/ext/exif/exif.c:4344:8
#8 0x856001 in zif_exif_read_data php-src/ext/exif/exif.c:4434:9
#9 0x112596d in zend_call_function php-src/Zend/zend_execute_API.c:817:4
#10 0x11236e2 in _call_user_function_ex php-src/Zend/zend_execute_API.c:638:9
#11 0x1696c7a in fuzzer_call_php_func_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
#12 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
#13 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#14 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#15 0x4718de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
#16 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#17 0x7f3e6199882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
I can’t reproduce under valgrind, so also can’t tell which versions are affected.
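As an added illustration (not PHP's code, and not a copy of the committed fix), a small C model of the APP1 parse path named in the trace, run on the repro bytes from the report: the segment carries "Exif\0\0" plus a single byte, so a 2-byte alignment-marker compare with no remaining-length check touches one byte the stream read never filled. It assumes the simplified layout of the repro (marker byte directly after SOI, one segment); the guard is the shape of check such a parser needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the report's data: URI (base64 "/9jhAAlFeGlmAAAg" decoded):
 * FF D8 = SOI, E1 = APP1 marker byte, 00 09 = segment length incl. itself,
 * "Exif\0\0", then one byte 0x20 where the 2-byte "II"/"MM" marker should be. */
static const uint8_t REPRO[] = {
    0xFF, 0xD8, 0xE1, 0x00, 0x09, 'E', 'x', 'i', 'f', 0x00, 0x00, 0x20
};
/* Constructed well-formed counterpart: the segment carries a full "II". */
static const uint8_t GOOD[] = {
    0xFF, 0xD8, 0xE1, 0x00, 0x0A, 'E', 'x', 'i', 'f', 0x00, 0x00, 'I', 'I'
};
enum { TIFF_INTEL = 0, TIFF_MOTOROLA = 1, TIFF_INVALID = -1, TIFF_TRUNCATED = -2 };

/* Alignment-marker test guarded by a remaining-length check. Without it,
 * memcmp(buf, "II", 2) on a 1-byte tail compares a byte the stream read never
 * filled: the "offset 1 inside [.., 2)" that MemorySanitizer reports above. */
static int tiff_alignment(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return TIFF_TRUNCATED;
    if (memcmp(buf, "II", 2) == 0) return TIFF_INTEL;
    if (memcmp(buf, "MM", 2) == 0) return TIFF_MOTOROLA;
    return TIFF_INVALID;
}
/* SOI plus one APP1 segment. The segment length comes from the file, so it is
 * checked against the bytes actually present before any field is read. */
int scan_app1(const uint8_t *file, size_t file_len)
{
    if (file_len < 5 || file[0] != 0xFF || file[1] != 0xD8 || file[2] != 0xE1)
        return TIFF_INVALID;
    size_t seglen = ((size_t)file[3] << 8) | file[4];
    if (seglen < 2 || seglen - 2 > file_len - 5)
        return TIFF_TRUNCATED;                  /* claims bytes the file lacks */
    const uint8_t *payload = file + 5;
    size_t plen = seglen - 2;
    if (plen < 6 || memcmp(payload, "Exif\0\0", 6) != 0)
        return TIFF_INVALID;
    return tiff_alignment(payload + 6, plen - 6);   /* plen - 6 == 1 for REPRO */
}

int repro_result(void) { return scan_app1(REPRO, sizeof REPRO); }

int main(void)
{
    printf("repro: %d  good: %d\n", repro_result(), scan_app1(GOOD, sizeof GOOD));
    return 0;
}
```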
History
[2020-02-19 10:08 UTC] [email protected]
-Assigned To: +Assigned To: stas
[2020-02-24 18:12 UTC] [email protected]
-CVE-ID: +CVE-ID: 2020-7064
[2020-03-16 03:30 UTC] [email protected]
I’ve verified that the fix fixes the issue on oss-fuzz setup.
[2020-03-17 05:39 UTC] [email protected]
-Status: Assigned +Status: Closed