php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54193 Integer overflow in shmop_read()
Submitted: 2011-03-08 13:58 UTC Modified: 2011-03-23 14:25 UTC
From: felipe@php.net Assigned: felipe (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: Irrelevant OS:
Private report: No CVE-ID: 2011-1092
 [2011-03-08 13:58 UTC] felipe@php.net
Description:
------------
"The problem is in the shmop_read php function, in the file
ext/shmop/shmop.c. This functions reads a given number of bytes from
memory, at a given offset starting from a shared memory area.

string shmop_read (int shmid, int start, int count)

Inside the code of the function itself, there are checks in the start
parameter and in the count parameter, to avoid reading arbitrary
memory outside the shared memory object:

    if (start < 0 || start > shmop->size) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "start is out of range");
        RETURN_FALSE;
    }

    if (start + count > shmop->size || count < 0) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
        RETURN_FALSE;
    }

The first block check if start is lower than 0 or bigger than the size
of the shared memory area.

The second block checks that the SUM (ADDITION) of "start" and "count"
is not greater than the shared memory area, and later checks if count
its not lower than 0.

The problem is that both variables are signed longs, in 32 bits
architectures this means 2^31 maximum value, after this value, the
variable becomes negative.

So, if we put exactly 2^31 as a value in count, and 1 as a value in
start, the first condition: start + count would become negative
(2^31+1) and will pass the check, and the second condition (count > 0)
will also pass the check, because count its positive (2^31) and do not
get negative until the addition of 1."

CREDITS: Jose Carlos Norte <jose at eyeos dot org>

Test script:
---------------
<?php

$shm_key = ftok(__FILE__, 't');
$shm_id = shmop_open($shm_key, "c", 0644, 100);
$shm_data = shmop_read($shm_id, 1, 2147483647);
//if there is no segmentation fault past this point, we have 2gb of memory!
echo $shm_data;

Expected result:
----------------
No SIGSEGV

Actual result:
--------------
SIGSEGV

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-08 14:13 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-03-08 14:13 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-03-08 15:04 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2011-1092
 [2021-07-23 09:26 UTC] mr dot sol dot 7788 at gmail dot com
PHP 7.4.3 (cli)
Zend Engine v3.4.0
Kubuntu (focal) - 64
Created shared memeory with size 28991029248. Write in all diapozon is normal.
Read bigest at position 2147483646 one byte.
shmop_read($shmp, 2147483647, 1)
getted error 
Warning: shmop_read(): count is out of range in

$shmp = shmop_open($KeyShm, 'n', 0644, 28991029248);
$WriteRes = shmop_write($shmp, "a", 2147483647);//All ok
$ReadRes1 = shmop_read($shmp, 2147483646, 1);//All ok
$ReadRes2 = shmop_read($shmp, 2147483647, 1);//Error 
//Warning: shmop_read(): count is out of range in
.....
 [2021-07-23 09:46 UTC] mr dot sol dot 7788 at gmail dot com
PHP_INT_SIZE:8 
PHP_INT_MAX:9223372036854775807
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC