PHP :: Request #68827 :: Double free with disabled ZMM

Request #68827	Double free with disabled ZMM
Submitted:	2015-01-13 18:04 UTC	Modified:	2015-01-22 08:56 UTC
From:	bugreports at internot dot info	Assigned:	ab (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	master-Git-2015-01-13 (Git)	OS:	Linux Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-01-13 18:04 UTC] bugreports at internot dot info

Description:
------------
Hi,

In /ext/fileinfo/libmagic/apprentice.c:

2609        if ((map = CAST(struct magic_map *, ecalloc(1, sizeof(*map)))) == NULL) {
2610                file_oomem(ms, sizeof(*map));
2611                efree(map);
2612                goto error;
2613        }

That goes to error:

2730error:
2731        if (stream) {
2732                php_stream_close(stream);
2733        }
2734        apprentice_unmap(map);

which as you can see, does a double free of 'map'.

The line in the apprentice_unmap function:
499        if (map == NULL)
is kind of useless, because even if it has already been freed, it won't be NULL(unless the php implementation of efree does something different?)


Thanks,

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-01-14 09:35 UTC] [email protected]

A map=NULL seems to be missing.
efree() does nothing more than free().

[2015-01-14 09:42 UTC] [email protected]

-Status: Open +Status: Feedback

[2015-01-14 09:42 UTC] [email protected]

The lines in if (map == ..) won't be executed ever when using Zend memory manager, because it bails out immediately on OOM error, so the only way to get them executed is to disable Zend MM and go with system MM.

man free says: 
If ptr is NULL, no operation is performed.

apprentice_unmap():
    if (map == NULL)
        return;

So.. where is the problem here?

[2015-01-14 12:17 UTC] bugreports at internot dot info

-Status: Feedback +Status: Open

[2015-01-14 12:17 UTC] bugreports at internot dot info

'map' is not NULL. efree(map) doesn't set map=NULL;.

[2015-01-14 12:33 UTC] [email protected]

-Status: Open +Status: Feedback

[2015-01-14 12:33 UTC] [email protected]

That's correct, efree() doesn't modify the pointer.
But it's already NULL at the time efree() is called, take a look at the if condition:

    if ((map = CAST(struct magic_map *, ecalloc(1, sizeof(*map)))) == NULL) {
        file_oomem(ms, sizeof(*map));
        efree(map);
        goto error;
    }

[2015-01-14 12:44 UTC] bugreports at internot dot info

-Status: Feedback +Status: Open

[2015-01-14 12:44 UTC] bugreports at internot dot info

Ahh, I see!

Well, then, this code:

2611                efree(map);
2612                goto error;

should just be replaced with 
return NULL;
since 'dbname', and 'stream' are not used at that stage.

Thanks,

[2015-01-14 12:53 UTC] [email protected]

-Type: Security +Type: Feature/Change Request

[2015-01-14 23:19 UTC] [email protected]

-Status: Open +Status: Not a bug

[2015-01-14 23:19 UTC] [email protected]

This is a file from fileinfo library, so it may make sense to report the issue here; http://bugs.gw.com/my_view_page.php

In this particular case return NULL may indeed be faster, but I don't see any security issue or PHP-related bug here.

[2015-01-22 00:31 UTC] [email protected]

-Status: Not a bug +Status: Open

[2015-01-22 00:31 UTC] [email protected]

@stas 

as it is a fileinfo issue and should also reported there, we do bundle it, patched. So it affects PHP more directly too. We should apply the fix.

[2015-01-22 07:44 UTC] [email protected]

-Assigned To: +Assigned To: ab

[2015-01-22 07:44 UTC] [email protected]

Looks like it's an issue in the PHP patch, the latest libmagic looks fine https://github.com/file/file/blob/master/src/apprentice.c#L1283 . Despite it's only an issue with disabled ZMM, worth fixing.

Thanks.

[2015-01-22 08:56 UTC] [email protected]

-Summary: Double free +Summary: Double free with disabled ZMM

[2015-01-22 09:04 UTC] [email protected]

Automatic comment on behalf of [email protected]
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91aa340180eccfc15d4a143b54d47b8120f898be
Log: Fixed bug #68827 Double free with disabled ZMM

[2015-01-22 09:04 UTC] [email protected]

-Status: Assigned +Status: Closed

[2015-01-22 09:05 UTC] [email protected]

Automatic comment on behalf of [email protected]
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91aa340180eccfc15d4a143b54d47b8120f898be
Log: Fixed bug #68827 Double free with disabled ZMM

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Jul 21 06:00:03 2025 UTC