CVE-2022-31625: PHP Vulnerability due to uninitialized array
A vulnerability was found in PHP due to an uninitialized array in the pg_query_params() function. Written by Anshul Vyas
Description
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
Severity: 8.8 (high)
Vulnerability Analysis
Vulnerable code
In `PHP_FUNCTION`, `safe_emalloc` is used to allocate the pointer array `params`, but the array is never initialized, so `params` contains residual data or stale pointers left over in memory. If an exception occurs, the code calls the `_php_pgsql_free_params` function, which frees the entire array of pointers, including the slots that were never assigned.
emalloc() uses PHP's own memory allocator (which is optimized for PHP's workload and enforces the maximum memory usage limit). You should use emalloc() where possible, and you must use it if PHP may free or reallocate the memory region.
A vulnerability was found in PHP due to an uninitialized array in the pg_query_params() function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This could lead to an RCE vulnerability or a denial of service.
Patched code
This uninitialized-memory vulnerability can easily be transformed into a UAF vulnerability, and its exploitation is easier than that of CVE-2022-31626. It is very possible to achieve an arbitrary memory free through remote heap feng shui, and then to achieve remote code execution through the UAF. Affected customers need to apply patch upgrades and protection as soon as possible.
UAF stands for Use-After-Free, a vulnerability related to incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. An official fixed version has been released, and users can upgrade to the following secure versions: PHP 8.1.7, PHP 8.0.20 and PHP 7.4.30.
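To make the defect concrete, here is an added C example (not from PHP's source and not from this post) that models the pattern described under "Vulnerable code": a pointer array is allocated, filled one element at a time, and on an invalid parameter a cleanup routine frees every non-NULL slot, including the ones that were never assigned. The tracking allocator, `build_params`, `free_params`, the simulated residual heap contents and the sample inputs are all constructed for the demonstration; the hardened variant simply zeroes the array before the loop, which is the defensive fix the description implies (the exact upstream patch is not reproduced here).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator: it records every string handed out, so a
 * free() of a pointer that was never allocated (the uninitialized-slot case)
 * is counted instead of corrupting the real heap. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int invalid_frees;

static char *tracked_strdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p) return NULL;
    memcpy(p, s, len);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    invalid_frees++; /* never allocated: in the real bug this is the crash or UAF */
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) n++;
    return n;
}

/* Stand-in for the role _php_pgsql_free_params plays: frees every non-NULL
 * slot up to num_params, whether or not that slot was ever assigned. */
static void free_params(char **params, int num_params) {
    for (int i = 0; i < num_params; i++) {
        if (params[i]) tracked_free(params[i]);
    }
    free(params);
}

/* Converts n input strings into a freshly allocated pointer array. A NULL
 * input stands in for an invalid parameter and triggers the early bail-out.
 * zero_init selects the hardened form (array zeroed before the loop). */
static int build_params(const char **input, int n, int zero_init, char ***out) {
    char **params = malloc((size_t)n * sizeof(char *));
    if (!params) return -1;
    if (zero_init) {
        memset(params, 0, (size_t)n * sizeof(char *));   /* hardened: every slot NULL */
    } else {
        /* Constructed: simulate residual data left in a reused heap block so the
         * run is deterministic; a real malloc returns whatever was there before. */
        memset(params, 0x41, (size_t)n * sizeof(char *));
    }
    for (int i = 0; i < n; i++) {
        if (input[i] == NULL) {
            free_params(params, n);  /* slots i..n-1 were never assigned */
            return -1;
        }
        params[i] = tracked_strdup(input[i]);
    }
    *out = params;
    return n;
}

/* Runs the bail-out path; returns how many frees hit never-assigned slots. */
static int failing_demo(int zero_init) {
    const char *input[4] = { "42", "alice", NULL, "x" };  /* constructed input */
    char **out = NULL;
    int before = invalid_frees;
    build_params(input, 4, zero_init, &out);
    return invalid_frees - before;
}

/* Runs the success path; returns the number of converted params. */
static int success_demo(void) {
    const char *input[3] = { "1", "2", "3" };  /* constructed input */
    char **out = NULL;
    int rc = build_params(input, 3, 1, &out);
    if (rc > 0) free_params(out, rc);
    return rc;
}

int main(void) {
    printf("uninitialized array: %d frees of never-assigned slots\n", failing_demo(0));
    printf("zeroed array:        %d frees of never-assigned slots\n", failing_demo(1));
    printf("success path:        %d params, %d leaked\n", success_demo(), live_count());
    return 0;
}
```

Build it with any C compiler and run it: the unzeroed run reports frees of slots that were never assigned (the two slots after the invalid parameter), while the zeroed run reports none and the success path leaks nothing. The `if (params[i])` check in the cleanup loop is only a safeguard when every slot starts out as NULL, which is exactly what the uninitialized allocation fails to guarantee.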