PHP :: Bug #74960 :: Heap buffer overflow via str

Bug #74960

Heap buffer overflow via str_repeat

Submitted:

2017-07-21 04:41 UTC

Modified:

2021-07-21 12:11 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

zhihua dot yao at dbappsecurity dot com dot cn

Assigned:

cmb (profile)

Status:

Closed

Package:

Reproducible crash

PHP Version:

7.1.7

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2017-07-21 04:41 UTC] zhihua dot yao at dbappsecurity dot com dot cn

Description:
------------
I have tested on Ubuntu x86.

Test script:
---------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);

$str.=$str;
    
?>


Expected result:
----------------
no crash

Actual result:
--------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);

$str.=$str;
    
?>

Patches

Pull Requests

Pull requests:

Fix #74960: Heap buffer overflow via str_repeat (php-src/7294)
Fix #74960: Integer overflow in zend_string_alloc() (php-src/7252)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-07-21 04:58 UTC] zhihua dot yao at dbappsecurity dot com dot cn

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb6e5f981 --> 0x0 
EBX: 0xb7a8b000 --> 0x1aada8 
ECX: 0x7ffffff6 
EDX: 0x36e5f980 
ESI: 0x36e5f977 
EDI: 0xb6e5f981 --> 0x0 
EBP: 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 --> 0xbfffbb68 --> 0xbfffbba8 --> 0xbfffbbd8 (--> ...)
ESP: 0xbfffba60 --> 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EIP: 0xb7a14f84 (<__memcpy_ssse3_rep+3380>:	movdqu XMMWORD PTR [esi],xmm0)
EFLAGS: 0x210206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a14f77 <__memcpy_ssse3_rep+3367>:	mov    esi,esi
   0xb7a14f79 <__memcpy_ssse3_rep+3369>:	lea    edi,[edi+eiz*1+0x0]
   0xb7a14f80 <__memcpy_ssse3_rep+3376>:	movdqu xmm1,XMMWORD PTR [eax]
=> 0xb7a14f84 <__memcpy_ssse3_rep+3380>:	movdqu XMMWORD PTR [esi],xmm0
   0xb7a14f88 <__memcpy_ssse3_rep+3384>:	movntdq XMMWORD PTR [edx],xmm1
   0xb7a14f8c <__memcpy_ssse3_rep+3388>:	add    eax,0x10
   0xb7a14f8f <__memcpy_ssse3_rep+3391>:	add    edx,0x10
   0xb7a14f92 <__memcpy_ssse3_rep+3394>:	sub    ecx,0x10
[------------------------------------stack-------------------------------------]
0000| 0xbfffba60 --> 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
0004| 0xbfffba64 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
0008| 0xbfffba68 --> 0x84efff0 (<concat_function>:	push   ebp)
0012| 0xbfffba6c --> 0x84f055d (<concat_function+1389>:	mov    edx,DWORD PTR [ebp-0x4c])
0016| 0xbfffba70 --> 0x36e5f977 
0020| 0xbfffba74 --> 0xb6e5f978 --> 0x0 
0024| 0xbfffba78 --> 0x7fffffff 
0028| 0xbfffba7c --> 0x83a5df6 (<zend_string_safe_alloc+153>:	mov    eax,DWORD PTR [ebp+0x8])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1269
1269	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep ()
    at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1269
#1  0x084f055d in concat_function (result=0xb6e14050, op1=0xb6e14050, 
    op2=0xb6e14050) at /home/hjy/Desktop/php-7.1.7/Zend/zend_operators.c:1773
#2  0x0859b599 in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x84efff0 <concat_function>)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44196
#3  0x0859b7bb in ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER ()
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44613
#4  0x08548973 in execute_ex (ex=0xb6e14020)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
#5  0x08548a36 in zend_execute (op_array=0xb6e6c1e0, return_value=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
#6  0x084f74a1 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
#7  0x08479d1f in php_execute_script (primary_file=0xbfffdeb4)
    at /home/hjy/Desktop/php-7.1.7/main/main.c:2537
#8  0x085b9dbe in do_cli (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
#9  0x085bac75 in main (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
#10 0xb78f9a83 in __libc_start_main (main=0x85ba68d <main>, argc=0x3, 
    argv=0xbffff154, init=0x85c3cd0 <__libc_csu_init>, 
    fini=0x85c3d40 <__libc_csu_fini>, rtld_fini=0xb7fed180 <_dl_fini>, 
    stack_end=0xbffff14c) at libc-start.c:287
#11 0x08070f21 in _start ()

[2017-07-21 06:04 UTC] zhihua dot yao at dbappsecurity dot com dot cn

-Summary: SIGSEV in concat_function +Summary: Heap buffer overflow via str_repeat

[2017-07-21 06:04 UTC] zhihua dot yao at dbappsecurity dot com dot cn

test script
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7ffffff2);

$str.=$str;
    
?>
_____________________________
[----------------------------------registers-----------------------------------]
EAX: 0x80201000 ('A' <repeats 200 times>...)
EBX: 0x84efff0 (<concat_function>:	push   ebp)
ECX: 0x36a00000 --> 0x1 
EDX: 0x36a00000 --> 0x1 
ESI: 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EDI: 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb980 --> 0xb6e00040 --> 0x0 
EIP: 0x84c70ed (<zend_mm_realloc_heap+1785>:	mov    eax,DWORD PTR [ebp+0x24])
EFLAGS: 0x200287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84c70e1 <zend_mm_realloc_heap+1773>:	mov    eax,DWORD PTR [ebp+0x8]
   0x84c70e4 <zend_mm_realloc_heap+1776>:	mov    eax,DWORD PTR [eax+0x8c]
   0x84c70ea <zend_mm_realloc_heap+1782>:	mov    DWORD PTR [ebp-0x10],eax
=> 0x84c70ed <zend_mm_realloc_heap+1785>:	mov    eax,DWORD PTR [ebp+0x24]
   0x84c70f0 <zend_mm_realloc_heap+1788>:	mov    DWORD PTR [esp+0x14],eax
   0x84c70f4 <zend_mm_realloc_heap+1792>:	mov    eax,DWORD PTR [ebp+0x20]
   0x84c70f7 <zend_mm_realloc_heap+1795>:	mov    DWORD PTR [esp+0x10],eax
   0x84c70fb <zend_mm_realloc_heap+1799>:	mov    eax,DWORD PTR [ebp+0x1c]
[------------------------------------stack-------------------------------------]
0000| 0xbfffb980 --> 0xb6e00040 --> 0x0 
0004| 0xbfffb984 --> 0x36a00000 --> 0x1 
0008| 0xbfffb988 --> 0x8b73aa0 ("/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h")
0012| 0xbfffb98c --> 0xd0 
0016| 0xbfffb990 --> 0x0 
0020| 0xbfffb994 --> 0x0 
0024| 0xbfffb998 --> 0x80001000 ('A' <repeats 200 times>...)
0028| 0xbfffb99c --> 0x80000006 ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, zend_mm_realloc_heap (heap=0xb6e00040, ptr=0x36a00000, size=0xc, 
    copy_size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:1610
1610		ret = zend_mm_alloc_heap(heap, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
gdb-peda$ p/x size
$1 = 0xc
gdb-peda$ n

[----------------------------------registers-----------------------------------]
EAX: 0xb6e5d060 --> 0xb6e5d080 --> 0xb6e5d0a0 --> 0xb6e5d0c0 --> 0xb6e5d0e0 --> 0xb6e5d100 (--> ...)
EBX: 0x84efff0 (<concat_function>:	push   ebp)
ECX: 0x7 
EDX: 0x0 
ESI: 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EDI: 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb980 --> 0xb6e00040 --> 0x0 
EIP: 0x84c711e (<zend_mm_realloc_heap+1834>:	mov    eax,DWORD PTR [ebp-0x58])
EFLAGS: 0x200286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84c7113 <zend_mm_realloc_heap+1823>:	mov    DWORD PTR [esp],eax
   0x84c7116 <zend_mm_realloc_heap+1826>:	
    call   0x84c6674 <zend_mm_alloc_heap>
   0x84c711b <zend_mm_realloc_heap+1831>:	mov    DWORD PTR [ebp-0xc],eax
=> 0x84c711e <zend_mm_realloc_heap+1834>:	mov    eax,DWORD PTR [ebp-0x58]
   0x84c7121 <zend_mm_realloc_heap+1837>:	cmp    DWORD PTR [ebp+0x14],eax
   0x84c7124 <zend_mm_realloc_heap+1840>:	cmovbe eax,DWORD PTR [ebp+0x14]
   0x84c7128 <zend_mm_realloc_heap+1844>:	mov    DWORD PTR [esp+0x8],eax
   0x84c712c <zend_mm_realloc_heap+1848>:	mov    eax,DWORD PTR [ebp+0xc]
[------------------------------------stack-------------------------------------]
0000| 0xbfffb980 --> 0xb6e00040 --> 0x0 
0004| 0xbfffb984 --> 0x20 (' ')
0008| 0xbfffb988 --> 0x8b73aa0 ("/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h")
0012| 0xbfffb98c --> 0xd0 
0016| 0xbfffb990 --> 0x0 
0020| 0xbfffb994 --> 0x0 
0024| 0xbfffb998 --> 0x80001000 ('A' <repeats 200 times>...)
0028| 0xbfffb99c --> 0x80000006 ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
1611		memcpy(ret, ptr, MIN(old_size, copy_size));

gdb-peda$ p/x old_size
$2 = 0x80001000
gdb-peda$ p/x copy_size
$2 = 0xfffffff8
gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x36ba3020 ('A' <repeats 200 times>...)
EBX: 0xb7a8b000 --> 0x1aada8 
ECX: 0x7fe5df60 ('A' <repeats 200 times>...)
EDX: 0xb7000000 
ESI: 0xb6e14020 --> 0xb6e7c0fc ('A' <repeats 200 times>...)
EDI: 0xb6e7c0fc ('A' <repeats 200 times>...)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb978 --> 0x84efff0 (<concat_function>:	push   ebp)
EIP: 0xb7a14fe9 (<__memcpy_ssse3_rep+3481>:	movntdq XMMWORD PTR [edx],xmm0)
EFLAGS: 0x210206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a14fda <__memcpy_ssse3_rep+3466>:	lea    eax,[eax+0x80]
   0xb7a14fe0 <__memcpy_ssse3_rep+3472>:	lfence 
   0xb7a14fe3 <__memcpy_ssse3_rep+3475>:	sub    ecx,0x80
=> 0xb7a14fe9 <__memcpy_ssse3_rep+3481>:	movntdq XMMWORD PTR [edx],xmm0
   0xb7a14fed <__memcpy_ssse3_rep+3485>:	
    movntdq XMMWORD PTR [edx+0x10],xmm1
   0xb7a14ff2 <__memcpy_ssse3_rep+3490>:	
    movntdq XMMWORD PTR [edx+0x20],xmm2
   0xb7a14ff7 <__memcpy_ssse3_rep+3495>:	
    movntdq XMMWORD PTR [edx+0x30],xmm3
   0xb7a14ffc <__memcpy_ssse3_rep+3500>:	
    movntdq XMMWORD PTR [edx+0x40],xmm4
[------------------------------------stack-------------------------------------]
0000| 0xbfffb978 --> 0x84efff0 (<concat_function>:	push   ebp)
0004| 0xbfffb97c --> 0x84c713e (<zend_mm_realloc_heap+1866>:	mov    eax,DWORD PTR [ebp+0x24])
0008| 0xbfffb980 --> 0xb6e5d060 --> 0x1 
0012| 0xbfffb984 --> 0x36a00000 --> 0x1 
0016| 0xbfffb988 --> 0x80001000 ('A' <repeats 200 times>...)
0020| 0xbfffb98c --> 0xd0 
0024| 0xbfffb990 --> 0x0 
0028| 0xbfffb994 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1294
1294	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep ()
    at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1294
#1  0x084c713e in zend_mm_realloc_heap (heap=0xb6e00040, ptr=0x36a00000, 
    size=0xc, copy_size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:1611
#2  0x084c8bcd in _erealloc (ptr=0x36a00000, size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:2446
#3  0x084e774f in zend_string_extend (s=0x36a00000, len=0xffffffe4, 
    persistent=0x0) at /home/hjy/Desktop/php-7.1.7/Zend/zend_string.h:208
#4  0x084f04ba in concat_function (result=0xb6e14050, op1=0xb6e14050, 
    op2=0xb6e14050) at /home/hjy/Desktop/php-7.1.7/Zend/zend_operators.c:1759
#5  0x0859b599 in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x84efff0 <concat_function>)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44196
#6  0x0859b7bb in ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER ()
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44613
#7  0x08548973 in execute_ex (ex=0xb6e14020)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
#8  0x08548a36 in zend_execute (op_array=0xb6e6c1e0, return_value=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
#9  0x084f74a1 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
#10 0x08479d1f in php_execute_script (primary_file=0xbfffdeb4)
    at /home/hjy/Desktop/php-7.1.7/main/main.c:2537
#11 0x085b9dbe in do_cli (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
#12 0x085bac75 in main (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
#13 0xb78f9a83 in __libc_start_main (main=0x85ba68d <main>, argc=0x3, 
    argv=0xbffff154, init=0x85c3cd0 <__libc_csu_init>, 
    fini=0x85c3d40 <__libc_csu_fini>, rtld_fini=0xb7fed180 <_dl_fini>, 
    stack_end=0xbffff14c) at libc-start.c:287
#14 0x08070f21 in _start ()

The heap size is 0xc.Then old_size and copy_size are bigger than heap size.

[2021-07-16 15:45 UTC] cmb@php.net

-Status: Open +Status: Verified

[2021-07-16 15:45 UTC] cmb@php.net

See <https://bugs.php.net/75934#1524924818>.

[2021-07-16 16:23 UTC] cmb@php.net

-Summary: Heap buffer overflow via str_repeat +Summary: Integer overflow in zend_string_alloc() -Assigned To: +Assigned To: cmb

[2021-07-21 09:51 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #74960: Integer overflow in zend_string_alloc()
On GitHub:  https://github.com/php/php-src/pull/7252
Patch:      https://github.com/php/php-src/pull/7252.patch

[2021-07-21 12:11 UTC] cmb@php.net

-Summary: Integer overflow in zend_string_alloc() +Summary: Heap buffer overflow via str_repeat

[2021-07-21 12:11 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #74960: Heap buffer overflow via str_repeat
On GitHub:  https://github.com/php/php-src/pull/7294
Patch:      https://github.com/php/php-src/pull/7294.patch

[2021-07-21 13:37 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/760ff841a14160f25348f7969985cb8a2c4da3cc
Log: Fix #74960: Heap buffer overflow via str_repeat

[2021-07-21 13:37 UTC] git@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC