php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75152 signed integer overflow in parse_iv (ext/standard/var_unserializer.c:339)
Submitted: 2017-09-02 20:06 UTC Modified: 2020-12-18 12:32 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: geeknik at protonmail dot ch Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.9 OS: Ubuntu 16 x64
Private report: No CVE-ID: None
 [2017-09-02 20:06 UTC] geeknik at protonmail dot ch
Description:
------------
Triggered during AFL fuzzing. Only tested against 7.1.8 and 7.1.9. If we set USE_ZEND_ALLOC=0 the signed integer overflow remains, but the memory allocation error goes away.

Test script:
---------------
echo -ne 'o:200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000:"' | UBSAN_OPTIONS=print_stacktrace=1 ~/php-7.1.9/sapi/cli/php -r 'unserialize(file_get_contents("php://stdin"));'

Actual result:
--------------
/root/php-7.1.9/ext/standard/var_unserializer.c:339:20: runtime error: signed integer overflow: 2000000000000000000 * 10 cannot be represented in type 'long'
    #0 0x11cef10 in parse_iv2 /root/php-7.1.9/ext/standard/var_unserializer.c:339:20
    #1 0x11cef10 in object_common1 /root/php-7.1.9/ext/standard/var_unserializer.c:507
    #2 0x11c935c in php_var_unserialize_internal /root/php-7.1.9/ext/standard/var_unserializer.c:1372:13
    #3 0x118f3fd in zif_unserialize /root/php-7.1.9/ext/standard/var.c:1114:7
    #4 0x16b6789 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.1.9/Zend/zend_vm_execute.h:628:2
    #5 0x156d6f3 in execute_ex /root/php-7.1.9/Zend/zend_vm_execute.h:432:7
    #6 0x156e2ef in zend_execute /root/php-7.1.9/Zend/zend_vm_execute.h:474:2
    #7 0x13d5845 in zend_eval_stringl /root/php-7.1.9/Zend/zend_execute_API.c:1120:4
    #8 0x13d617b in zend_eval_stringl_ex /root/php-7.1.9/Zend/zend_execute_API.c:1161:11
    #9 0x13d617b in zend_eval_string_ex /root/php-7.1.9/Zend/zend_execute_API.c:1172
    #10 0x17bb258 in do_cli /root/php-7.1.9/sapi/cli/php_cli.c:1024:8
    #11 0x17b8f40 in main /root/php-7.1.9/sapi/cli/php_cli.c:1381:18
    #12 0x7fd3d03a83f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #13 0x43ab99 in _start (/root/php-7.1.9/sapi/cli/php+0x43ab99)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-7.1.9/ext/standard/var_unserializer.c:339:20 in

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 2415919104 bytes) in Command line code on line 1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-11 04:45 UTC] laruence@php.net
-Type: Security +Type: Bug
 [2017-09-11 04:45 UTC] laruence@php.net
according to https://wiki.php.net/security?s[]=security&s[]=bug  
"requires invocation of functions with specific arguments, which may be valid but are obviously malicious"

this should not be a security bug.
 [2017-09-21 23:04 UTC] geeknik at protonmail dot ch
For some reason, this is still hidden from the public and shows Private report: Yes.
 [2020-12-18 12:32 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-12-18 12:32 UTC] cmb@php.net
This is fixed as of PHP 7.1.10: <https://3v4l.org/oP9cC>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC