PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.34
- < 8.2.30
- < 8.3.29
- < 8.4.16
- < 8.5.1
A null pointer dereference vulnerability has been identified in PHP versions 8.1.* prior to 8.1.34, 8.2.* prior to 8.2.30, 8.3.* prior to 8.3.29, 8.4.* prior to 8.4.16, and 8.5.* prior to 8.5.1. When the PDO PostgreSQL driver is used with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence in a prepared statement parameter can cause the quoting function PQescapeStringConn to return NULL. This leads to a null pointer dereference in the pdo_parse_params() function, causing a segmentation fault and potentially crashing the server, disrupting availability.
Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition on the server. In PHP's Zend Thread Safety (ZTS) mode, this disruption affects all currently served requests.
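The bug class described above, a quoting routine that can return NULL and a caller that uses the result unchecked, as an added C illustration that is not PHP's or libpq's code. The names `toy_quote`, `quoted_len_unchecked` and `substitute_checked` are hypothetical, and the rule that any byte >= 0x80 counts as invalid is an assumption of this toy quoter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical quoter (stand-in for a driver quoting function, not real libpq/PHP code).
 * Returns a malloc'd single-quoted copy, or NULL on allocation failure or when
 * the input holds a byte this toy treats as invalid (assumption: any byte >= 0x80). */
char *toy_quote(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(2 * n + 3), *p = out;   /* worst case: every byte doubled */
    if (!out) return NULL;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if ((unsigned char)in[i] >= 0x80) { free(out); return NULL; }
        if (in[i] == '\'') *p++ = '\'';        /* double embedded quotes */
        *p++ = in[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Unchecked pattern: the result is used without testing for NULL, so a quoting
 * failure becomes a null pointer dereference (shown for contrast, never called). */
size_t quoted_len_unchecked(const char *param) {
    char *q = toy_quote(param);
    size_t len = strlen(q);                    /* crashes when q == NULL */
    free(q);
    return len;
}

/* Checked pattern: replace the first '?' in sql with the quoted parameter.
 * Returns 0 on success, -1 if quoting failed, -2 if no placeholder, -3 if dst is too small. */
int substitute_checked(const char *sql, const char *param, char *dst, size_t cap) {
    const char *mark = strchr(sql, '?');
    if (!mark) return -2;
    char *q = toy_quote(param);
    if (!q) return -1;                         /* surface an error instead of using NULL */
    int n = snprintf(dst, cap, "%.*s%s%s", (int)(mark - sql), sql, q, mark + 1);
    free(q);
    return (n < 0 || (size_t)n >= cap) ? -3 : 0;
}

int main(void) {
    char buf[128];
    const char bad[] = { 'a', (char)0xC3, '\0' };   /* constructed invalid input */
    printf("%d\n", substitute_checked("SELECT ?", "o'k", buf, sizeof buf));
    printf("%s\n", buf);
    printf("%d\n", substitute_checked("SELECT ?", bad, buf, sizeof buf));
    return 0;
}
```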
The vulnerability can be reproduced by compiling PHP with the PostgreSQL PDO driver enabled and AddressSanitizer turned on for debugging. After compiling PHP, the PDO::ATTR_EMULATE_PREPARES option can be enabled. A prepared statement can then be executed with a parameter containing an invalid byte sequence, such as a byte that does not represent a valid character in that context, which triggers the null pointer dereference and causes a segmentation fault.
Users should upgrade to PHP versions 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1.