Bug #71894 AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
Submitted: 2016-03-25 07:19 UTC Modified: 2016-07-28 23:07 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: Calendar related
PHP Version: 5.6.19 OS: Linux
Private report: No CVE-ID: None
 [2016-03-25 07:19 UTC] fernando at null-life dot com
Description:
------------
Recompile PHP with ASAN enabled and run the test script. 

Test script:
---------------
<?php

cal_from_jd(999, CAL_JEWISH);

Expected result:
----------------
Not crash

Actual result:
--------------
$ /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php test.php 
=================================================================
==12485==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a188e7c at pc 0x083db7aa bp 0xbfb5d3a8 sp 0xbfb5d398
READ of size 4 at 0x0a188e7c thread T0
    #0 0x83db7a9 in zif_cal_from_jd /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:426
    #1 0x9804a25 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #2 0x93f0a75 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #3 0x959ce43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #4 0x91f35fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #5 0x8ef82f5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #6 0x9811848 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #7 0x807f668 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #8 0xb6e29645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #9 0x807fc3b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x807fc3b)

0x0a188e7c is located 4 bytes to the left of global variable 'monthsPerYear' defined in '/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/jewish.c:290:5' (0xa188e80) of size 76
0x0a188e7c is located 36 bytes to the right of global variable 'JewishMonthNameLeap' defined in '/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/jewish.c:302:7' (0xa188e20) of size 56
SUMMARY: AddressSanitizer: global-buffer-overflow /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:426 zif_cal_from_jd
==12485==ABORTING

History
 [2016-03-25 21:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-25 21:08 UTC] stas@php.net
ext/calendar/calendar.c:426 is this:

https://github.com/php/php-src/blob/PHP-5.6/ext/calendar/calendar.c#L426

		add_assoc_string(return_value, "abbrevmonth", JEWISH_MONTH_NAME(year)[month], 1);


And month, year and day would be 0 there. As far as I can see, the only issue there may be this:

#define JEWISH_MONTH_NAME(year) 	((monthsPerYear[((year)-1) % 19] == 13)?JewishMonthNameLeap:JewishMonthName)

If year is 0, it may access monthsPerYear[-1] which is not right. Would not produce any consequences though as it is used to just choose between two options, each of which would produce "" anyway. Accessing [-1] is not nice, but definitely not a security issue.
 [2016-04-04 01:37 UTC] fernando at null-life dot com
The following command also segfaults under ASAN: 

php -r "jdmonthname(6,4);"

==6871==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a4ad5fc at pc 0x08422429 bp 0xbfffcd08 sp 0xbfffccf8
READ of size 4 at 0x0a4ad5fc thread T0
    #0 0x8422428 in zif_jdmonthname /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:740
    #1 0x9a92c45 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #2 0x967ec95 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #3 0x982b063 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #4 0x93ecc33 in zend_eval_stringl /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1077
    #5 0x93ed66f in zend_eval_stringl_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1124
    #6 0x93ed66f in zend_eval_string_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1135
    #7 0x9a9f291 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1034
    #8 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #9 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #10 0x808881b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b)



Line 740 includes the same macro, so it's probably the same issue:

   monthname = JEWISH_MONTH_NAME(year)[month];
 [2016-07-28 23:07 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: cmb
 [2016-07-28 23:07 UTC] cmb@php.net
The actual problem is that Julian days < 347998, which result in
invalid Jewish dates, are not particularly catered to. Simply
fixing this OOB read is possible, but it would still yield
nonsensical results from cal_from_jd($jd, CAL_JEWISH) wrt. the
day. Therefore it appears to be reasonable to also adjust the
day related fields.
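Added example (not code from the PHP bug thread or from php-src): it reproduces the index arithmetic stas@php.net points at in JEWISH_MONTH_NAME, where year 0 makes ((year)-1) % 19 evaluate to -1 in C, and pairs it with a bounds-checked lookup that also applies the Julian-day threshold cmb@php.net gives above. The month tables and the 19-year cycle table are constructed here to mirror the shape of the arrays ASAN names; they are sample data, not PHP's own arrays.

```c
#include <stdio.h>
#include <string.h>

/* 19-year Metonic cycle: 13 months in leap years 3, 6, 8, 11, 14, 17, 19.
 * Constructed here; same shape (19 ints) as the monthsPerYear ASAN names. */
static const int monthsPerYear[19] = {
    12, 12, 13, 12, 12, 13, 12, 13, 12, 12, 13, 12, 12, 13, 12, 12, 13, 12, 13
};

/* Fixed-slot month tables (slot 0 unused; slot 6 is Adar I, slot 7 is Adar
 * or Adar II). Constructed sample data for this example, not PHP's arrays. */
static const char *const JewishMonthName[14] = {
    "", "Tishri", "Heshvan", "Kislev", "Tevet", "Shevat", "", "Adar",
    "Nisan", "Iyyar", "Sivan", "Tammuz", "Av", "Elul"
};
static const char *const JewishMonthNameLeap[14] = {
    "", "Tishri", "Heshvan", "Kislev", "Tevet", "Shevat", "Adar I", "Adar II",
    "Nisan", "Iyyar", "Sivan", "Tammuz", "Av", "Elul"
};

/* Smallest Julian day with a Jewish date, the threshold from cmb's comment. */
#define MIN_JEWISH_JD 347998L
int jd_has_jewish_date(long jd) { return jd >= MIN_JEWISH_JD; }

/* Index the original JEWISH_MONTH_NAME macro computes. C's % keeps the sign
 * of the dividend, so year 0 gives -1: the element just before monthsPerYear,
 * i.e. the "4 bytes to the left" global read in the ASAN report. */
int raw_cycle_index(int year) { return (year - 1) % 19; }

/* Hardened lookup: validate year and month before indexing any table.
 * NULL means the input has no Jewish calendar representation. */
const char *jewish_month_name_checked(int year, int month) {
    if (year < 1 || month < 1 || month > 13) return NULL;
    int leap = monthsPerYear[(year - 1) % 19] == 13;
    const char *name = leap ? JewishMonthNameLeap[month] : JewishMonthName[month];
    return name[0] ? name : NULL;   /* slot 6 is empty in common years */
}

int main(void) {
    /* cal_from_jd(999, CAL_JEWISH) and jdmonthname(6, 4) both reach year 0. */
    printf("year 0 -> cycle index %d (reads before the table)\n", raw_cycle_index(0));
    printf("jd 999 has Jewish date: %d\n", jd_has_jewish_date(999));
    const char *n = jewish_month_name_checked(0, 0);
    printf("year 0, month 0 -> %s\n", n ? n : "(rejected)");
    printf("year 5775, month 7 -> %s\n", jewish_month_name_checked(5775, 7));
    return 0;
}
```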
 [2016-07-28 23:34 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f67ccd4a7b8fb4b9e55796e69b152e2a899ba3cd
Log: Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
 [2016-07-28 23:34 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f67ccd4a7b8fb4b9e55796e69b152e2a899ba3cd
Log: Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC