|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull Requests
Pull requests:
HistoryAllCommentsChangesGit/SVN commits
[2019-11-18 22:24 UTC] stas@php.net
-Type: Security
+Type: Bug
-Package: *General Issues
+Package: Strings related
[2019-11-18 22:24 UTC] stas@php.net
[2019-11-19 13:23 UTC] cmb@php.net
[2019-11-26 10:57 UTC] cmb@php.net
-Status: Open
+Status: Verified
[2019-12-02 10:22 UTC] cmb@php.net
[2019-12-02 10:22 UTC] cmb@php.net
-Status: Verified
+Status: Closed
[2019-12-02 10:23 UTC] cmb@php.net
-Assigned To:
+Assigned To: cmb
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 00:01:29 2024 UTC |
Description: ------------ There exists an integer overflow in the builtin php function pack, as seen in the code below: case 'E': /* big endian double */ if (arg < 0) { arg = num_args - currentarg; } currentarg += arg; // currentarg (signed int) can be overflowed by chaining multiple positive 'arg' values currentarg is later used by: case 'H': /* ... */ if (arg < 0) { if (!try_convert_to_string(&argv[currentarg])) { efree(formatcodes); efree(formatargs); return; } /* ... */ Causing an out-of-bounds read from argv array. This might lead to sensitive memory leak (although not tested) or DoS. Test script: --------------- <?php pack("E2E2147483647H*", 0x0, 0x0, 0x0); ?> Expected result: ---------------- No segfault Actual result: -------------- Program received signal SIGSEGV, Segmentation fault. 0x000055555584c10e in ?? () $rax : 0x7ff7f521d100 $rbx : 0xf $rcx : 0x48 $rdx : 0x2a $rsp : 0x00007fffffffa510 → 0x0000000000000003 $rbp : 0x2 $rsi : 0x000055555584c208 → test eax, eax $rdi : 0x00005555560a3190 → 0xff7a8f68ff5da44d $rip : 0x000055555584c10e → cmp BYTE PTR [rax+0x8], 0x6 $r8 : 0x00007ffff5202ab8 → "E2E2147483647H*" $r9 : 0x00005555560a2ee4 → 0xff7a8d1cff7a8d3c $r10 : 0x00007ffff5277100 → 0x7fffffff00000002 $r11 : 0x00007ffff5202aa0 → 0x0000004600000001 $r12 : 0x48 $r13 : 0x00007ffff526a040 → 0x00007ffff5264545 → 0x0000000000000000 $r14 : 0xf $r15 : 0x80000001 $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification] $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 ─────────────────────────────────────────────────────── code:x86:64 ──── 0x55555584c102 movsxd rax, r15d 0x55555584c105 shl rax, 0x4 0x55555584c109 add rax, QWORD PTR [rsp+0x10] → 0x55555584c10e cmp BYTE PTR [rax+0x8], 0x6 0x55555584c112 je 0x55555584c14c 0x55555584c114 mov QWORD PTR [rsp+0x28], r10 0x55555584c119 mov rdi, rax 0x55555584c11c mov QWORD PTR [rsp+0x20], r8 0x55555584c121 mov QWORD PTR [rsp+0x18], r11 ─────────────────────────────────────────────────────────── threads ──── [#0] Id 1, Name: "php", stopped, reason: SIGSEGV ───────────────────────────────────────────────────────────── trace ──── [#0] 0x55555584c10e → cmp BYTE PTR [rax+0x8], 0x6 [#1] 0x555555993048 → execute_ex() [#2] 0x555555997d46 → zend_execute() [#3] 0x5555559105eb → zend_execute_scripts() [#4] 0x5555558b2cf9 → php_execute_script() [#5] 0x55555599a33d → lea rax, [rip+0x8951fc] # 0x55555622f540 <executor_globals> [#6] 0x5555556a1fa7 → mov ebp, eax [#7] 0x7ffff74ab153 → __libc_start_main() [#8] 0x5555556a26ce → _start()