Credit goes to corecode.wordpress.com

Why is this worth a frame?

I would say because it is a frequent mistake, mainly when you are refactoring or backporting code. Its simplicity is what makes it worth framing. Still, anyone who does not understand a bit of PHP internals would surely make that mistake often; keep reading and you will see why.


History is full of simple bugs that caused a mess all around the IT world. Do you remember the “goto fail” in Apple’s SSL code? Keep it in mind and you will have a clear idea that some bugs are quite simple but can cause quite a disaster. As I used to say in my programming classes: “a small bug can cause a spaceship to crash into an innocent house, and you don’t want that at all!”.

But what is CVE-2021-21708 about?

when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE.

source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708

Sounds weird and alien to you? Better to show the code, then:

switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
        case IS_LONG:
                zval_ptr_dtor(value);   /* releases value before the range check runs */
                if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
                        goto error;     /* bails out with value still referring to released memory */
                }
                ZVAL_DOUBLE(value, (double)lval);

To be clearer, look at line 3: zval_ptr_dtor(value); If its role is not obvious yet, here is what this function does:

zval_ptr_dtor will first decrement its refcount by one. If the refcount is 0 after decrementing by one, it will call zval_dtor to release tmp->value, and then call the efree_rel() function to remove the zval type structure pointed to by tmp. The occupied memory space is released.

What if it is not 0 after subtracting one? Then zval_ptr_dtor will not release tmp->value and tmp itself, but notify the GC garbage collector, and then return. 

REF: https://blog.fearcat.in/a?ID=00350-16e8d63c-af15-4ee2-b805-ca6d2ce025a4

All of that boils down to: it deallocates the memory behind value. And as you can see on line 4 of the snippet, if the range check fails the code jumps to error and leaves behind a value that still refers to memory which will soon be handed out to something else, creating the use-after-free bug/vulnerability. This kind of vulnerability can cause a crash (denial of service) and unexpected behaviour. To make it scarier, there is even a PoC for it. The way upstream fixed it was simply to remove zval_ptr_dtor from line 3 and put it just above ZVAL_DOUBLE, so the old value is released and reinitialized only once the check has passed. Elegant, isn’t it?

Here is the beautiful frame for it 🙂
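To make the ordering problem concrete, here is an added example written for this post; it is not PHP's code and does not use PHP's real zval layout. It models a refcounted value the way the quoted description of zval_ptr_dtor explains it (drop one reference, release the payload at zero) and puts the vulnerable ordering from the snippet next to the fixed ordering. It assumes, as in the real filter, that the shared error path releases the value once more before returning false to the caller, which is what turns the early destructor call into a double release. The names zval_ptr_dtor_model, float_filter_vulnerable, float_filter_fixed and run_scenario are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Small model of a refcounted PHP-style value, built for this post only.
 * It reproduces the ordering bug (destroy, then bail out, then the shared
 * error path destroys again), not PHP's real internals. */
enum ztype { IS_UNDEF = 0, IS_FALSE, IS_LONG, IS_DOUBLE, IS_STRING };

struct zstr {                 /* heap payload shared by reference */
    int refcount;
    int freed;                /* stands in for the allocator's free list */
    char data[32];
};

struct zval {
    enum ztype type;
    union { long lval; double dval; struct zstr *str; } u;
};

enum { FILTER_OK = 0, FILTER_FAILED = -1, MEMORY_MISUSE = -2 };

/* Models zval_ptr_dtor as quoted in the post: drop one reference and release
 * the payload when the count hits zero. Returns MEMORY_MISUSE when the payload
 * was already released, i.e. where a real allocator would be corrupted. */
static int zval_ptr_dtor_model(struct zval *v) {
    if (v->type != IS_STRING || v->u.str == NULL) return FILTER_OK;
    if (v->u.str->freed) return MEMORY_MISUSE;   /* double free / use after free */
    if (--v->u.str->refcount == 0) v->u.str->freed = 1;
    return FILTER_OK;
}

/* Shared failure path (assumption about the real code): release whatever the
 * value still holds and hand false back to the caller. */
static int validation_failed(struct zval *v) {
    int rc = zval_ptr_dtor_model(v);
    v->type = IS_FALSE;
    return rc == FILTER_OK ? FILTER_FAILED : rc;
}

/* Vulnerable ordering, as in the snippet: destroy first, range-check after,
 * and jump to the shared error path when the check fails. */
static int float_filter_vulnerable(struct zval *value, long lval,
                                   long min_range, long max_range) {
    int rc = zval_ptr_dtor_model(value);          /* line 3 of the snippet */
    if (rc != FILTER_OK) return rc;
    if (lval < min_range || lval > max_range)     /* line 4: range check */
        return validation_failed(value);          /* goto error: second release */
    value->type = IS_DOUBLE;                      /* ZVAL_DOUBLE */
    value->u.dval = (double)lval;
    return FILTER_OK;
}

/* Fixed ordering: check first, release only right before reinitialising. */
static int float_filter_fixed(struct zval *value, long lval,
                              long min_range, long max_range) {
    if (lval < min_range || lval > max_range)
        return validation_failed(value);          /* released exactly once */
    int rc = zval_ptr_dtor_model(value);
    if (rc != FILTER_OK) return rc;
    value->type = IS_DOUBLE;
    value->u.dval = (double)lval;
    return FILTER_OK;
}

/* A fresh string zval holding the single reference to its payload, the usual
 * situation for a string that arrived as user input. */
static struct zval make_string_zval(struct zstr *payload, const char *text) {
    memset(payload, 0, sizeof *payload);
    payload->refcount = 1;
    strncpy(payload->data, text, sizeof payload->data - 1);
    struct zval v;
    v.type = IS_STRING;
    v.u.str = payload;
    return v;
}

/* Runs one scenario (constructed input) and returns the filter's status. */
static int run_scenario(int use_fixed, long lval, long min_range, long max_range) {
    struct zstr payload;
    struct zval v = make_string_zval(&payload, "1");
    return use_fixed ? float_filter_fixed(&v, lval, min_range, max_range)
                     : float_filter_vulnerable(&v, lval, min_range, max_range);
}

int main(void) {
    printf("vulnerable, in range    : %d\n", run_scenario(0, 1, 0, 10));  /* 0  */
    printf("vulnerable, out of range: %d\n", run_scenario(0, 1, 2, 10));  /* -2 */
    printf("fixed, out of range     : %d\n", run_scenario(1, 1, 2, 10));  /* -1 */
    return 0;
}
```

With the vulnerable ordering the in-range input looks fine, because ZVAL_DOUBLE overwrites the dangling pointer straight away; only the failing range check exposes the second release. The model flags the unshared case (refcount 1). When the payload is shared, the same mistake silently drops a reference that belongs to another owner instead, which this model does not report but which is exactly the "overwrite of other memory chunks" the CVE text warns about.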
