PHP :: Bug #73275 :: crash in openssl

Bug #73275	crash in openssl_encrypt function
Submitted:	2016-10-09 15:19 UTC	Modified:	2017-02-13 01:08 UTC
From:	nguyenluan dot vnn at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	OpenSSL related
PHP Version:	5.6.26	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-10-09 15:19 UTC] nguyenluan dot vnn at gmail dot com

Description:
------------
Function openssl_encrypt() could produce output string larger than 2Gb and cause PHP to crash. Please refer to the test script and GDB output.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    $encryption_key = openssl_random_pseudo_bytes(32);
    $iv = openssl_random_pseudo_bytes(16);
    $str = str_repeat('a', 0x7fffffe0);
    
    $str1 = openssl_encrypt($str, 'aes-256-cbc', $encryption_key, OPENSSL_ZERO_PADDING, $iv);
    
    var_dump(strlen($str1));
?>

Expected result:
----------------
No string return since output length is larger than 2Gb.

Actual result:
--------------
gdb-peda$ r ../test/string/test_openssl.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_openssl.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Warning: openssl_encrypt(): String too long, maximum is 536870911 in /home/user/Desktop/test/string/test_openssl.php on line 7
int(-134483248) // THIS IS OUTPUT LENGTH

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0xfffffffff7fbf2d0 
RBX: 0x0 
RCX: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDX: 0x0 
RSI: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDI: 0x7ffff7fbf320 --> 0x0 
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa668d9 (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x16c1f00 --> 0x0 
R9 : 0x108d500 ("9223372036854775808")
R10: 0xdb4 
R11: 0x7ffff3e09730 --> 0xfffda400fffda12f 
R12: 0x43ffe0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa668d1 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa668d4 <_zval_dtor_func+94>:	cdqe   
   0xa668d6 <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa668d9 <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa668dc <_zval_dtor_func+102>:	test   al,al
   0xa668de <_zval_dtor_func+104>:	je     0xa6690d <_zval_dtor_func+151>
   0xa668e0 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa668e4 <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f8a3f8 
0016| 0x7fffffffb9a0 --> 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fbf320 --> 0x0 
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa51828 (<_zval_dtor+53>:	jmp    0xa5182b <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
#1  0x0000000000a51828 in _zval_dtor (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.h:35
#2  0x0000000000a518f3 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fbf320, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute.h:79
#3  0x0000000000a52bcc in _zval_ptr_dtor (zval_ptr=0x7ffff7fc0818, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:424
#4  0x0000000000a66e44 in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fc0818)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:188
#5  0x0000000000a7bb63 in i_zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fc0800)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:182
#6  0x0000000000a7bc3b in zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fc0800)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:192
#7  0x0000000000a7d94e in zend_hash_graceful_reverse_destroy (
    ht=0x14167c8 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:613
#8  0x0000000000a523c8 in shutdown_executor ()
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:244
#9  0x0000000000a69192 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.26/Zend/zend.c:960
#10 0x00000000009ca332 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.26/main/main.c:1899
#11 0x0000000000b281fd in do_cli (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1177
#12 0x0000000000b28a8f in main (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#13 0x00007ffff3c95830 in __libc_start_main (main=0xb28272 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000440009 in _start ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-10-11 20:20 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-10-11 20:20 UTC] stas@php.net

The fix is in security repo as 8822f7c9f0be2f591f8fa58834c5e1bc529b24dc and in https://gist.github.com/0019e9036c13ac48e17de155c51614c7

please verify

[2016-10-11 23:45 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function

[2016-10-11 23:45 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-10-12 23:35 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function

[2016-10-14 02:23 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function

[2016-10-17 10:07 UTC] bwoebi@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function

[2017-02-13 01:08 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 18:00:01 2025 UTC