php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #78338 Array cross-border reading/global variable coverage in PCRE
Submitted: 2019-07-28 04:17 UTC Modified: 2019-07-29 22:01 UTC
From: 3556158925 at qq dot com Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.3.8 OS: Ubuntu 18.04.1 LTS
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2019-07-28 04:17 UTC] 3556158925 at qq dot com 
Description:
------------
Get the lastest version of PHP:
git clone https://github.com/php/php-src

Configure PHP:
./configure
PCRE is the default extension in PHP, even if use "./configure --disable-all",
you can still trigger the following bugs.

The test script is very easy:
<?php
$fuzz=file_get_contents($argv[1]);
preg_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use the "input_file.txt" as input file

Then
./php-src/sapi/cli/php ./test.php ./input_file.txt
you will see "Segmentation fault (core dumped)"

Use gdb to see the details:
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546	lgb = UCD_GRAPHBREAK(c);

I analyse this crash,it is caused by array cross-border reading, then I use AFL to fuzz PHP,it reports some global variable coverage,you can see the crash cases in "input.zip".

Test script:
---------------
The test script is very easy:
<?php
$fuzz=file_get_contents($argv[1]);
preg_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use the "input_file.txt" as input file

Then
./php-src/sapi/cli/php ./test.php ./input_file.txt
you will see "Segmentation fault (core dumped)"

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546	lgb = UCD_GRAPHBREAK(c);

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-07-28 04:21 UTC] stas@php.net 
This looks like segfault inside PCRE library. Did you report it to the PCRE maintainers?
 [2019-07-28 07:22 UTC] 3556158925 at qq dot com 
I send this report to PRCE maintainer just now, thanks.
 [2019-07-29 09:12 UTC] cmb@php.net 
> I send this report to PRCE maintainer just now, thanks.

For reference: <https://bugs.exim.org/show_bug.cgi?id=2421>
 [2019-07-29 17:17 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-07-29 17:17 UTC] cmb@php.net 
This issue has already been fixed upstream.  Since it is caused by
erroneous treatment of the subject (which may be user supplied),
we should consider to apply the following patch to our bundled
pcre2 (PHP-7.3+):

 ext/pcre/pcre2lib/pcre2_jit_compile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcre/pcre2lib/pcre2_jit_compile.c b/ext/pcre/pcre2lib/pcre2_jit_compile.c
index 1f21bfb6ad..283aeff83c 100644
--- a/ext/pcre/pcre2lib/pcre2_jit_compile.c
+++ b/ext/pcre/pcre2lib/pcre2_jit_compile.c
@@ -8538,7 +8538,7 @@ int lgb, rgb, ricount;
 PCRE2_SPTR bptr;
 uint32_t c;
 
-GETCHARINC(c, cc);
+c = *cc++;
 #if PCRE2_CODE_UNIT_WIDTH == 32
 if (c >= 0x110000)
   return NULL;
 [2019-07-29 17:33 UTC] cmb@php.net 
Formatted patch including regression test:
<https://gist.github.com/cmb69/3878eb568ea5d894f765a2703e5693e2>.
 [2019-07-29 22:01 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-07-29 22:01 UTC] stas@php.net 
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.
 [2019-07-29 22:01 UTC] stas@php.net
-PHP Version: 7.4Git-2019-07-28 (Git) +PHP Version: 7.3.8
 [2019-07-30 07:17 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f6a5a027035d1fe7171a4fdd9b123cc4f439708
Log: Fix #78338: Array cross-border reading in PCRE
 [2019-08-01 10:35 UTC] cmb@php.net 
Related To: Bug #78358
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 04:01:30 2024 UTC