Sec Bug #72093 bcpowmod accepts negative scale and corrupts _one_ definition
Submitted: 2016-04-24 08:05 UTC Modified: 2016-05-06 06:43 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: BC math related
PHP Version: 5.5.34 OS: Linux
Private report: No CVE-ID: 2016-4537
 [2016-04-24 08:05 UTC] fernando at null-life dot com
Description:
------------
Run with ASAN 

Test script:
---------------
<?php

// scale argument is negative (-200)
bcpowmod(1, "A", 128, -200);
// exponent with a fractional part; this is the call that produces the
// "non-zero scale in exponent" warning in the actual result below
bcpowmod(1, 1.2, 1, 1);


Expected result:
----------------
No crash

Actual result:
--------------
bc math warning: non-zero scale in exponent
=================================================================
==15893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3805f68 at pc 0x083fd271 bp 0xbf91e4d8 sp 0xbf91e4c8
READ of size 1 at 0xb3805f68 thread T0
    #0 0x83fd270 in bc_divide /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122
    #1 0x83fff96 in bc_raisemod /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/raisemod.c:69
    #2 0x83f9923 in zif_bcpowmod /home/fmunozs/phpgit/php56/ext/bcmath/bcmath.c:426
    #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
    #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
    #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
    #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
    #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
    #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
    #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #10 0xb6dbe645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #11 0x808aaba  (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

0xb3805f68 is located 8 bytes to the left of 8-byte region [0xb3805f70,0xb3805f78)
freed by thread T0 here:
    #0 0xb726f9f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4)
    #1 0xb334c911  (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa911)

previously allocated by thread T0 here:
    #0 0xb726fd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0xb334c17e  (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa17e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 bc_divide
Shadow bytes around the buggy address:
  0x36700b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700bb0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fa
  0x36700bc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700bd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x36700be0: fa fa fd fa fa fa fd fa fa fa fd fa fa[fa]fd fa
  0x36700bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700c00: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 06
  0x36700c10: fa fa 00 03 fa fa 00 05 fa fa 00 06 fa fa 00 07
  0x36700c20: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 05
  0x36700c30: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15893==ABORTING


History
 [2016-04-25 01:31 UTC] stas@php.net
-Summary: AddressSanitizer: heap-buffer-overflow libbcmath/src/div.c:122 bc_divide +Summary: bcpowmod accepts negative scale and corrupts _one_ definition -Assigned To: +Assigned To: stas
 [2016-04-25 01:31 UTC] stas@php.net
Two problems here actually: bcpowmod accepting negative scale and _one_ definition being overridden by scale adjustment.
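The two defects named in the comment above, modelled in C as an added example (this is not libbcmath or php-src code, and the fix commit referenced on this page is not reproduced here): a refcounted number type in the style of bc_num, a buggy powmod path in which the result is a shared reference to the `one` constant and the trailing scale truncation writes through it without checking the sign of `scale`, and a hardened path that rejects a negative scale and unshares the result before mutating it. The struct layout, the helper names (`num_new`, `num_copy`, `num_split`, `digits_valid`, `constant_after_call`) and the assumption that the result aliases the constant when the multiply loop never runs are mine; the second buggy case uses a constant with fractional digits, which the real `_one_` does not have, only to show that the write-through does not depend on the sign of the scale.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a refcounted bignum in the style of libbcmath's bc_num.
 * Added illustration, not libbcmath code: the struct, helper names and
 * control flow are assumptions chosen to show how a scale adjustment on a
 * shared object rewrites a global constant. */
typedef struct {
    int refcount;
    int n_len;     /* digits before the decimal point */
    int n_scale;   /* digits after the decimal point */
    int alloc;     /* bytes actually allocated for n_value */
    char *n_value; /* n_len + n_scale digit bytes, no terminator */
} num;

static num *num_new(const char *digits, int scale) {
    int total = (int)strlen(digits);
    num *n = calloc(1, sizeof *n);
    n->refcount = 1;
    n->n_len = total - scale;
    n->n_scale = scale;
    n->alloc = total;
    n->n_value = malloc(total);
    memcpy(n->n_value, digits, total);
    return n;
}

/* Like bc_copy_num: bump the refcount and hand back the same object. */
static num *num_copy(num *n) { n->refcount++; return n; }

static void num_free(num *n) {
    if (--n->refcount == 0) { free(n->n_value); free(n); }
}

/* Copy-on-write: return a private object if n is shared. */
static num *num_split(num *n) {
    if (n->refcount == 1) return n;
    num *priv = calloc(1, sizeof *priv);
    *priv = *n;                      /* copy the header fields */
    priv->refcount = 1;
    priv->n_value = malloc(n->alloc);
    memcpy(priv->n_value, n->n_value, n->alloc);
    num_free(n);                     /* drop our reference to the shared one */
    return priv;
}

/* Buggy shape (assumed): the result starts as a shared reference to `one`
 * and, when the multiply loop never runs, stays shared; the trailing scale
 * truncation then writes through that shared object, and a negative scale
 * is accepted as-is. */
static num *powmod_buggy(num *one, int scale) {
    num *result = num_copy(one);
    if (result->n_scale > scale)
        result->n_scale = scale;
    return result;
}

/* Hardened shape: reject negative scale up front, and unshare the result
 * before mutating it so the constant is never touched. */
static num *powmod_fixed(num *one, int scale) {
    if (scale < 0) return NULL;      /* the check the buggy path lacks */
    num *result = num_copy(one);
    if (result->n_scale > scale) {
        result = num_split(result);
        result->n_scale = scale;
    }
    return result;
}

/* Invariant a digit-walking consumer (think bc_divide) relies on:
 * n_len + n_scale bytes starting at n_value, all inside the allocation. */
static int digits_valid(const num *n) {
    return n->n_len >= 0 && n->n_scale >= 0 && n->n_len + n->n_scale == n->alloc;
}

/* Run one call against a fresh constant built from `digits` with `cscale`
 * fractional digits and return the constant's n_scale afterwards; anything
 * other than `cscale` means the shared constant was rewritten. */
static int constant_after_call(int use_fixed, const char *digits, int cscale, int scale) {
    num *one = num_new(digits, cscale);
    num *r = use_fixed ? powmod_fixed(one, scale) : powmod_buggy(one, scale);
    int after = one->n_scale;
    printf("%s scale=%d: constant n_scale %d -> %d, digit bounds %s\n",
           use_fixed ? "fixed" : "buggy", scale, cscale, after,
           digits_valid(one) ? "consistent" : "INCONSISTENT");
    if (r) num_free(r);
    num_free(one);
    return after;
}

int main(void) {
    constant_after_call(0, "1", 0, -200);  /* the report: -200 lands in the constant */
    constant_after_call(0, "100", 2, 0);   /* write-through even with a valid scale */
    constant_after_call(1, "1", 0, -200);  /* rejected before anything is touched */
    constant_after_call(1, "100", 2, 0);   /* result split off, constant intact */
    return 0;
}
```

The first buggy run is the shape of the report's first call: the constant ends up with n_scale -200, so the next consumer that walks n_len + n_scale digits from n_value steps outside the allocation, which is what the ASAN read left of the region reflects. The fixed path never reaches the truncation with a negative scale, and when the truncation does fire it operates on a private copy.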
 [2016-04-25 01:35 UTC] stas@php.net
-PHP Version: 5.6.20 +PHP Version: 5.5.34
 [2016-04-25 01:35 UTC] stas@php.net
Fixed in security repo in d650063a0457aec56364e4005a636dc6c401f9cd and on gist in https://gist.github.com/21c94ad05a2ab960c7631ad9999a1044 . Please verify.
 [2016-04-25 03:51 UTC] fernando at null-life dot com
Patch works OK. Thanks.
 [2016-04-27 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-04-27 05:57 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-04-27 06:49 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-04-27 10:31 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-04-27 11:00 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ed52bcb3dcb2e7dbc009ef8c6579fb1276ca73c1
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-05-06 06:43 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4537
 [2016-05-06 06:43 UTC] remi@php.net
Use CVE-2016-4537 for "bcpowmod accepting negative scale."

Use CVE-2016-4538 for "_one_ definition being overridden by scale adjustment."
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC