Bug #70430 Stack buffer overflow in zend_language_parser()
Submitted: 2015-09-04 14:38 UTC Modified: 2015-10-15 20:00 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: s dot paraschoudis at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC2 OS: Ubuntu 14.04 x32
Private report: No CVE-ID: None
 [2015-09-04 14:38 UTC] s dot paraschoudis at gmail dot com
Description:
------------
Testcase:
==============
<?php

$"*** Testing function() :  ***\n";

?>


Output:
=================================================================
==22228== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfaca400 at pc 0x8a1f38c bp 0xbfac98d8 sp 0xbfac98cc
WRITE of size 1 at 0xbfaca400 thread T0
    #0 0x8a1f38b in yysyntax_error zend_language_parser.c:3256
    #1 0x8a34a3b in zendparse zend_language_parser.c:6833
    #2 0x8a39f0b in compile_file zend_language_scanner.l:591
    #3 0x85e17db in phar_compile_file phar.c:3311
    #4 0x8b603e7 in zend_execute_scripts zend.c:1394
    #5 0x899925f in php_execute_script main.c:2471
    #6 0x8f8b802 in do_cli php_cli.c:971
    #7 0x8f8e1c7 in main php_cli.c:1342
    #8 0xb5dd2a82 in __libc_start_main libc-start.c:287
    #9 0x8064560 in _start ??:?
Address 0xbfaca400 is located at offset 1760 in frame <zendparse> of T0's stack:
  This frame has 8 object(s):
    [32, 36) 'yylval'
    [96, 100) 'yyval'
    [160, 164) 'yymsg'
    [224, 228) 'yymsg_alloc'
    [288, 304) 'zv'
    [352, 752) 'yyssa'
    [800, 1600) 'yyvsa'
    [1632, 1760) 'yymsgbuf'


Without ASAN instrumentation:

gdb-peda$ r testcase.php 
Starting program: /home/user/Desktop/php-7.0.0RC2/sapi/cli/php testcase.php
*** stack smashing detected ***: /home/user/Desktop/php-7.0.0RC2/sapi/cli/php terminated

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x1cf1 
ECX: 0x1cf1 
EDX: 0x6 
ESI: 0x59 ('Y')
EDI: 0xb7dc4000 --> 0x1a9da8 
EBP: 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
ESP: 0xbfffaf04 --> 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
EIP: 0xb7fdd428 (<__kernel_vsyscall+16>:	pop    ebp)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7fdd424 <__kernel_vsyscall+12>:	nop
   0xb7fdd425 <__kernel_vsyscall+13>:	nop
   0xb7fdd426 <__kernel_vsyscall+14>:	int    0x80
=> 0xb7fdd428 <__kernel_vsyscall+16>:	pop    ebp
   0xb7fdd429 <__kernel_vsyscall+17>:	pop    edx
   0xb7fdd42a <__kernel_vsyscall+18>:	pop    ecx
   0xb7fdd42b <__kernel_vsyscall+19>:	ret    
   0xb7fdd42c:	add    BYTE PTR [esi],ch
[------------------------------------stack-------------------------------------]
0000| 0xbfffaf04 --> 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
0004| 0xbfffaf08 --> 0x6 
0008| 0xbfffaf0c --> 0x1cf1 
0012| 0xbfffaf10 --> 0xb7c48607 (<raise+71>:	xchg   ebx,edi)
0016| 0xbfffaf14 --> 0xb7dc4000 --> 0x1a9da8 
0020| 0xbfffaf18 --> 0xbfffafb4 --> 0xb7857cf0 --> 0xb7857d20 --> 0xb7857d50 --> 0xb7857d80 --> 0xb7857db0 --> 0xb7857de0 --> 0xb7857e10 --> 0xb7857e40 --> 0xb7857e70 --> 0xb7857ea0 --> 0xb7857ed0 --> 0xb7857f00 --> 0xb7857f30 --> 0xb7857f60 --> 0xb7857f90 --> 0xb7857fc0 --> 0x0 
0024| 0xbfffaf1c --> 0xb7c4ba33 (<abort+323>:	mov    edx,DWORD PTR gs:0x8)
0028| 0xbfffaf20 --> 0x6 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0xb7fdd428 in __kernel_vsyscall ()
gdb-peda$ bt
#0  0xb7fdd428 in __kernel_vsyscall ()
#1  0xb7c48607 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xb7c4ba33 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xb7c82e53 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xb7d1585b in __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0xb7d157ea in __stack_chk_fail () from /lib/i386-linux-gnu/libc.so.6
#6  0x083c9165 in zendparse () at /home/user/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:7003
#7  0x083caa70 in compile_file (file_handle=0xbfffdd14, type=0x8) at Zend/zend_language_scanner.l:591
#8  0x08289f23 in phar_compile_file (file_handle=0xbfffdd14, type=0x8) at /home/user/Desktop/php-7.0.0RC2/ext/phar/phar.c:3311
#9  0x084133e8 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-7.0.0RC2/Zend/zend.c:1394
#10 0x083976b0 in php_execute_script (primary_file=0xbfffdd14) at /home/user/Desktop/php-7.0.0RC2/main/main.c:2471
#11 0x084b82f0 in do_cli (argc=0x2, argv=0x8a02218) at /home/user/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:971
#12 0x084b91a9 in main (argc=0x2, argv=0x8a02218) at /home/user/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:1342
#13 0xb7c33a83 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#14 0x08063a71 in _start ()

Please note I couldn't reproduce it on a 64bit machine.

Regards,
Symeon


History

 [2015-09-04 15:42 UTC] s dot paraschoudis at gmail dot com
Update: I can reproduce it on 64bit, here's the output:

=================================================================
==89897==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffa164cff0 at pc 0x0000018bdba5 bp 0x7fffa164c390 sp 0x7fffa164c388
WRITE of size 1 at 0x7fffa164cff0 thread T0
    #0 0x18bdba4 in yysyntax_error /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:3256:18
    #1 0x18bb113 in zendparse /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:6833:33
    #2 0x18c7c02 in compile_file /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_scanner.l:591:8
    #3 0x114cdfa in phar_compile_file /home/symeon/Desktop/php-7.0.0RC2/ext/phar/phar.c:3311:9
    #4 0x1a91e46 in zend_execute_scripts /home/symeon/Desktop/php-7.0.0RC2/Zend/zend.c:1394:14
    #5 0x1798ef4 in php_execute_script /home/symeon/Desktop/php-7.0.0RC2/main/main.c:2471:14
    #6 0x1f1f06e in do_cli /home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:971:5
    #7 0x1f1ab3e in main /home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:1342:18
    #8 0x7fd6fcae8ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x45e355 in _start (/home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php+0x45e355)

Address 0x7fffa164cff0 is located in stack of thread T0 at offset 2416 in frame
    #0 0x18a5b4f in zendparse /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:4023

  This frame has 10 object(s):
    [32, 40) 'yylval'
    [64, 464) 'yyssa'
    [528, 2128) 'yyvsa'
    [2256, 2264) 'yyval'
    [2288, 2416) 'yymsgbuf' <== Memory access at offset 2416 overflows this variable
    [2448, 2456) 'yymsg'
    [2480, 2488) 'yymsg_alloc'
    [2512, 2528) 'zv'
    [2544, 2560) 'zv1105'
    [2576, 2592) 'zv1875'
 [2015-09-04 20:05 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-10-11 13:43 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2015-10-11 13:43 UTC] felipe@php.net
I can't reproduce it. Can you try again?
 [2015-10-11 13:54 UTC] s dot paraschoudis at gmail dot com
Hi, just tested on the RC4 release, it still crashes it.
I have more test cases that trigger it, but you should be able to reproduce it.
 [2015-10-11 14:04 UTC] s dot paraschoudis at gmail dot com
Alright, looks like it doesn't crash anymore on the latest php (rc4) with a non-asan build,
but trying with an asan one you should catch it.
 [2015-10-11 14:14 UTC] nikic@php.net
Regardless of whether it crashes or not, our yytnamerr implementation is clearly bogus. The !yyerr branch [1] simply returns yystrlen(yystr), which does not account for the additional information we show in the error message.

[1]: http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_language_parser.y#1281
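An added example (not code from the bug report or from php-src) that models the two-pass sizing contract nikic describes above: bison's yysyntax_error first calls yytnamerr with a NULL buffer to measure the message, picks the 128-byte stack yymsgbuf when that measurement fits, then calls yytnamerr again to write. If the measuring pass omits the extra text the writing pass appends, the copy runs past the stack buffer. The decoration string, the 122-byte token and the function names are constructed for this illustration; PHP's real wording differs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of bison's yytnamerr() contract: called with yyres == NULL
 * to MEASURE a token name, then with a buffer to WRITE it. DECOR stands in for
 * the extra text PHP's version appends (placeholder wording). YYMSGBUF is the
 * 128-byte stack yymsgbuf visible in the ASan frame dumps above. */
#define DECOR " (token)"
enum { YYMSGBUF = 128 };

/* Buggy shape described in the report: the measuring pass returns the raw
 * strlen(yystr) although the writing pass also appends DECOR. */
static size_t yytnamerr_buggy(char *yyres, const char *yystr)
{
    if (yyres == NULL)
        return strlen(yystr);            /* short by strlen(DECOR) bytes */
    strcpy(yyres, yystr);
    strcat(yyres, DECOR);
    return strlen(yyres);
}

/* Fixed shape: the measuring pass reports exactly what the write pass emits. */
static size_t yytnamerr_fixed(char *yyres, const char *yystr)
{
    if (yyres != NULL) {
        strcpy(yyres, yystr);
        strcat(yyres, DECOR);
    }
    return strlen(yystr) + strlen(DECOR);
}

/* Mirror of yysyntax_error's buffer choice: the stack yymsgbuf is kept when
 * the measured size (plus NUL) fits. Returns 1 when the measurement fits but
 * the bytes actually written do not, i.e. the stack buffer is overrun. */
static int overruns_stack_buf(size_t (*fn)(char *, const char *), const char *tok)
{
    char scratch[512];                   /* large enough for this model */
    size_t promised = fn(NULL, tok);
    size_t written  = fn(scratch, tok);
    return promised + 1 <= YYMSGBUF && written + 1 > YYMSGBUF;
}

/* Constructed 122-byte token name: decorated it is 130 bytes, just past the
 * 128-byte stack buffer, while the buggy measurement claims it fits. */
static const char *sample_token(void)
{
    static char buf[123];                /* static: trailing NUL is zeroed */
    memset(buf, 'A', sizeof buf - 1);
    return buf;
}
```

The same mismatch is what the later comment's ASan trace points at: the write loop in yysyntax_error trusts a size that the measuring pass under-reported.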
 [2015-10-12 20:08 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2015-10-12 20:08 UTC] nikic@php.net
I can't repro this myself, could you please check whether the patch at https://github.com/php/php-src/pull/1571 fixes the issue?
 [2015-10-12 21:24 UTC] s dot paraschoudis at gmail dot com
-Status: Feedback +Status: Assigned
 [2015-10-12 21:24 UTC] s dot paraschoudis at gmail dot com
Hi, it looks like it's still there, but this time on line zend_language_parser.c:3268.

while ((*yyp = *yyformat) != '\0') <-- according to asan here is where the overflow occurs.

Output:

==37540==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff12f060d0 at pc 0x000001227dbd bp 0x7fff12f05490 sp 0x7fff12f05488
WRITE of size 1 at 0x7fff12f060d0 thread T0
    #0 0x1227dbc in yysyntax_error /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:3268:18
    #1 0x122636a in zendparse /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:6845:33
    #2 0x122ed0c in compile_file /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_scanner.l:591:8
    #3 0xd46a25 in phar_compile_file /home/symeon/Desktop/php-7.0_fixed/ext/phar/phar.c:3311:9
    #4 0x13650ea in zend_execute_scripts /home/symeon/Desktop/php-7.0_fixed/Zend/zend.c:1422:14
    #5 0x116f324 in php_execute_script /home/symeon/Desktop/php-7.0_fixed/main/main.c:2471:14
    #6 0x16869ad in do_cli /home/symeon/Desktop/php-7.0_fixed/sapi/cli/php_cli.c:971:5
    #7 0x1684168 in main /home/symeon/Desktop/php-7.0_fixed/sapi/cli/php_cli.c:1342:18
    #8 0x7faeb5d00ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x45f665 in _start (/home/symeon/Desktop/php-7.0_fixed/sapi/cli/php+0x45f665)

Address 0x7fff12f060d0 is located in stack of thread T0 at offset 2416 in frame
    #0 0x12137af in zendparse /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:4035

  This frame has 10 object(s):
    [32, 40) 'yylval'
    [64, 464) 'yyssa'
    [528, 2128) 'yyvsa'
    [2256, 2264) 'yyval'
    [2288, 2416) 'yymsgbuf' <== Memory access at offset 2416 overflows this variable
    [2448, 2456) 'yymsg'
    [2480, 2488) 'yymsg_alloc'
    [2512, 2528) 'zv'
    [2544, 2560) 'zv2'
    [2576, 2592) 'zv3'


Did you try to build php with AddressSanitizer and you couldn't reproduce it?
 [2015-10-12 21:29 UTC] s dot paraschoudis at gmail dot com
By the way I don't know why the status has changed, sorry for that!
 [2015-10-15 19:41 UTC] nikic@php.net
Just did an asan build. I can repro the issue before the patch, but not after the patch. (x64)
 [2015-10-15 20:00 UTC] s dot paraschoudis at gmail dot com
Hi, my bad, I modified the zend_language_parser.c, sorry!
Yeah it fixes this and my other cases. Great!
Cheers
 [2015-10-15 20:16 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e3e92e96c158c4fc294ead36f9d73941bdbf679e
Log: Fixed bug #70430
 [2015-10-15 20:16 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2015-10-25 12:42 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5576aee84faa4ecc4ffb8f2ea4809c73b4601e2d
Log: Fixed bug #70430
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e3e92e96c158c4fc294ead36f9d73941bdbf679e
Log: Fixed bug #70430