PHP :: Sec Bug #77381 :: heap buffer overflow in multibyte match

Sec Bug #77381	heap buffer overflow in multibyte match_at
Submitted:	2018-12-30 21:44 UTC	Modified:	2019-02-22 22:09 UTC
From:	hugh at allthethings dot co dot nz	Assigned:	stas (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	5.6.39	OS:	Linux
Private report:	No	CVE-ID:	2019-9023

View Developer Edit

[2018-12-30 21:44 UTC] hugh at allthethings dot co dot nz

Description:
------------
Caused by an incomplete multibyte char at end of $pattern in mb_split and mb_ereg. Leads to memory corruption and/or leakage.

Reproduced on 5.6.39, 7.0.33, and 7.1.25, not reproduced on 7.2, 7.3 and master.

Patch to fix available at https://gist.github.com/hughdavenport/3cb40fcf956085de44bf4443c25c58fe. Fixed by checking the length properly in compile_length_string_node.



Test script:
---------------
php -r 'var_dump(mb_ereg("000||0\xfa","0"));'


Expected result:
----------------
no crash

Actual result:
--------------
21:38 $ ~/src/php-src/sapi/cli/php -r 'var_dump(mb_ereg("000||0\xfa","0"));'
=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001c478 at pc 0x000000851e3e bp 0x7ffd64536450 sp 0x7ffd64536448
READ of size 1 at 0x60300001c478 thread T0
    #0 0x851e3d in match_at /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:1315:13
    #1 0x85424e in onig_search /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:3638:7
    #2 0x984949 in _php_mb_regex_ereg_exec /home/hugh/src/php-src/ext/mbstring/php_mbregex.c:753:6
    #3 0x12b1e72 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hugh/src/php-src/Zend/zend_vm_execute.h:675:2
    #4 0x111aa0d in execute_ex /home/hugh/src/php-src/Zend/zend_vm_execute.h:432:7
    #5 0x111b9eb in zend_execute /home/hugh/src/php-src/Zend/zend_vm_execute.h:474:2
    #6 0xf1d950 in zend_eval_stringl /home/hugh/src/php-src/Zend/zend_execute_API.c:1120:4
    #7 0xf1e48a in zend_eval_stringl_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1161:11
    #8 0xf1e48a in zend_eval_string_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1172
    #9 0x13efbe8 in do_cli /home/hugh/src/php-src/sapi/cli/php_cli.c:1024:8
    #10 0x13ecba5 in main /home/hugh/src/php-src/sapi/cli/php_cli.c:1381:18
    #11 0x7f7d890f0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x438cc9 in _start (/home/hugh/src/php-src/sapi/cli/php+0x438cc9)

0x60300001c478 is located 8 bytes to the left of 32-byte region [0x60300001c480,0x60300001c4a0)
allocated by thread T0 here:
    #0 0x4ee320 in malloc (/home/hugh/src/php-src/sapi/cli/php+0x4ee320)
    #1 0xe53fdc in __zend_malloc /home/hugh/src/php-src/Zend/zend_alloc.c:2838:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:1315:13 in match_at
Shadow bytes around the buggy address:
  0x0c067fffb830: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb840: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffb850: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fffb860: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb870: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
=>0x0c067fffb880: fd fd fa fa 00 00 00 00 fa fa 00 00 00 04 fa[fa]
  0x0c067fffb890: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fffb8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32334==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-01-02 08:43 UTC] stas@php.net

I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.

[2019-01-02 08:43 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2019-01-02 21:16 UTC] hugh at allthethings dot co dot nz

Verified on 5.6, 7.0 and 7.1

[2019-01-07 08:17 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2019-01-07 08:17 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2019-01-07 08:18 UTC] stas@php.net

Related To: Bug #77382

[2019-02-22 22:09 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2019-9023

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC