php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81700 Memory Corruption vulnerability on zen_vm_execute
Submitted: 2021-12-17 12:53 UTC Modified: 2021-12-17 18:41 UTC
From: 3ntr0py1337 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2021-12-17 (Git) OS: Ubuntu 20.04.3 LTS
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: 3ntr0py1337 at gmail dot com
New email:
PHP Version: OS:

 

 [2021-12-17 12:53 UTC] 3ntr0py1337 at gmail dot com
Description:
------------
error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.

Test script:
---------------
--TEST--
Operatoerloadedproperty reWerence
--FILE--
<?php
class C {
    private $bar;
    function __construct() { $this->ber = str_repeat("1", 2); }
    function &__get($x) { return $this->ar; }
    function __set($x, $v) { $this->bar = $v= new C;
va; }
}
$x = new C;
var_dump(++$x->foo);
$x = ($x->foo++);
$x = new C;
var_dumphhhhhhhhhhhhhhh
?>
-EXPECT--
int(12)
string(2) "11"
int(13)

Expected result:
----------------
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556666403 <execute_ex+99>:	test   rdi,rdi
   0x555556666406 <execute_ex+102>:	je     0x55555666668b <execute_ex+747>
   0x55555666640c <execute_ex+108>:	lea    rsp,[rsp-0x98]
=> 0x555556666414 <execute_ex+116>:	mov    QWORD PTR [rsp],rdx
   0x555556666418 <execute_ex+120>:	mov    QWORD PTR [rsp+0x8],rcx
   0x55555666641d <execute_ex+125>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556666422 <execute_ex+130>:	mov    rcx,0x9103
   0x555556666429 <execute_ex+137>:	call   0x5555566b0628 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefb8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556666414 in execute_ex (ex=0x7ffff50b4c00) at /home/ubuntu/victims/php-src/Zend/zend_vm_execute.h:51997


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-17 18:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-12-17 18:41 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-12-17 18:41 UTC] cmb@php.net
Simpler reproducer:

<?php
class C {
    private $bar;
    function __construct() { $this->ber = str_repeat("1", 2); }
    function &__get($x) { return $this->ar; }
    function __set($x, $v) { $this->bar = $v = new C; }
}
$x = new C;
?>

As such, this is a duplicate of bug #64196.

Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same.

Thank you for your interest in PHP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 17:01:32 2024 UTC