Comment 3 for bug 611316

Kurt Huwig (k-huwig) wrote :

Hi Clint,

I just put another 3 hours into it:

The bug happens in this source code line:

        if(passwd_len>255) {
                passwd[255] = '\0';
        }

of php_mssql_do_connect. I found this out by disassembling the code in the core dump (the faulting instruction is the one marked with "=>" below):

Dump of assembler code for function php_mssql_do_connect:
   0x00007f1d4804c330 <+0>: push %r14
   0x00007f1d4804c332 <+2>: push %r13
   0x00007f1d4804c334 <+4>: push %r12
   0x00007f1d4804c336 <+6>: mov %r9d,%r12d
   0x00007f1d4804c339 <+9>: push %rbp
   0x00007f1d4804c33a <+10>: mov %edi,%ebp
   0x00007f1d4804c33c <+12>: push %rbx
   0x00007f1d4804c33d <+13>: mov %rsi,%rbx
   0x00007f1d4804c340 <+16>: lea 0x2ef8(%rip),%rsi # 0x7f1d4804f23f
   0x00007f1d4804c347 <+23>: sub $0xc0,%rsp
   0x00007f1d4804c34e <+30>: mov %fs:0x28,%rax
   0x00007f1d4804c357 <+39>: mov %rax,0xb8(%rsp)
   0x00007f1d4804c35f <+47>: xor %eax,%eax
   0x00007f1d4804c361 <+49>: lea 0x8f(%rsp),%rax
   0x00007f1d4804c369 <+57>: lea 0x88(%rsp),%rcx
   0x00007f1d4804c371 <+65>: lea 0x78(%rsp),%rdx
   0x00007f1d4804c376 <+70>: lea 0x84(%rsp),%r9
   0x00007f1d4804c37e <+78>: lea 0x70(%rsp),%r8
   0x00007f1d4804c383 <+83>: movq $0x0,0x78(%rsp)
   0x00007f1d4804c38c <+92>: mov %rax,0x10(%rsp)
   0x00007f1d4804c391 <+97>: lea 0x80(%rsp),%rax
   0x00007f1d4804c399 <+105>: movq $0x0,0x70(%rsp)
   0x00007f1d4804c3a2 <+114>: movq $0x0,0x68(%rsp)
   0x00007f1d4804c3ab <+123>: movb $0x0,0x8f(%rsp)
   0x00007f1d4804c3b3 <+131>: mov %rax,0x8(%rsp)
   0x00007f1d4804c3b8 <+136>: lea 0x68(%rsp),%rax
   0x00007f1d4804c3bd <+141>: mov %rax,(%rsp)
   0x00007f1d4804c3c1 <+145>: xor %eax,%eax
   0x00007f1d4804c3c3 <+147>: callq 0x7f1d4804a768 <zend_parse_parameters@plt>
   0x00007f1d4804c3c8 <+152>: cmp $0xffffffffffffffff,%eax
   0x00007f1d4804c3cb <+155>: je 0x7f1d4804c7b3 <php_mssql_do_connect+1155>
   0x00007f1d4804c3d1 <+161>: cmpl $0xff,0x88(%rsp)
   0x00007f1d4804c3dc <+172>: jle 0x7f1d4804c3ea <php_mssql_do_connect+186>
   0x00007f1d4804c3de <+174>: mov 0x78(%rsp),%rax
   0x00007f1d4804c3e3 <+179>: movb $0x0,0xff(%rax)
   0x00007f1d4804c3ea <+186>: cmpl $0xff,0x84(%rsp)
   0x00007f1d4804c3f5 <+197>: jle 0x7f1d4804c403 <php_mssql_do_connect+211>
   0x00007f1d4804c3f7 <+199>: mov 0x70(%rsp),%rax
   0x00007f1d4804c3fc <+204>: movb $0x0,0xff(%rax)
   0x00007f1d4804c403 <+211>: cmpl $0xff,0x80(%rsp)
   0x00007f1d4804c40e <+222>: jle 0x7f1d4804c41c <php_mssql_do_connect+236>
   0x00007f1d4804c410 <+224>: mov 0x68(%rsp),%rax
=> 0x00007f1d4804c415 <+229>: movb $0x0,0xff(%rax)
   0x00007f1d4804c41c <+236>: cmp $0x4,%ebp
   0x00007f1d4804c41f <+239>: jbe 0x7f1d4804c7e0 <php_mssql_do_connect+1200>
   0x00007f1d4804c425 <+245>: cmpq $0x0,0x60(%rsp)
   0x00007f1d4804c42b <+251>: lea 0x2e3a(%rip),%rdx # 0x7f1d4804f26c
   0x00007f1d4804c432 <+258>: je 0x7f1d4804c92f <php_mssql_do_connect+1535>
   0x00007f1d4804c438 <+264>: mov 0x206d2a(%rip),%edi # 0x7f1d48253168 <mssql_globals+104>
   0x00007f1d4804c43e <+270>: callq 0x7f1d4804a508 <dbsetlogintime@plt>
   0x00007f1d4804c443 <+275>: mov 0x206d27(%rip),%edi # 0x7f1d48253170 <mssql_globals+112>
   0x00007f1d4804c449 <+281>: callq 0x7f1d4804a468 <dbsettime@plt>
   0x00007f1d4804c44e <+286>: callq 0x7f1d4804a788 <dblogin@plt>

Having this hint, I checked the code of the PHP-script which was:

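// Reproducer from the bug report. The connection parameters are placeholders
// ("www", "xxx", "yyy", "zzz"); substitute real values before running.
define ("MSSQL_SERVER", "www");
define ("MSSQL_USER", "xxx");
define ("MSSQL_PASSWORD", "yyy");
define ("MSSQL_DATABASE", "zzz");

// mssql_connect() returns FALSE on failure. The original script ignored the
// return value, so a wrong hostname went unnoticed; check it and stop early
// instead of continuing with an invalid link.
$link = mssql_connect(MSSQL_SERVER, MSSQL_USER, MSSQL_PASSWORD);
if ($link === false) {
    die("Cannot connect to " . MSSQL_SERVER . ": " . mssql_get_last_message());
}

// mssql_select_db() also returns FALSE on failure; pass the link explicitly
// so the selection is tied to the connection made above.
if (!mssql_select_db(MSSQL_DATABASE, $link)) {
    die("Cannot select database " . MSSQL_DATABASE . ": " . mssql_get_last_message());
}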

So there was no error checking. In fact the hostname of the server was wrong, which is why the connection did not succeed. After I fixed the hostname, the code ran without the segmentation fault. It made no difference whether I used "define" or put the connection values in directly as strings.

So the bug is triggered if the hostname passed to mssql_connect does not exist.