Bug #72776 Invalid parameter in memcpy function through openssl_pbkdf2
Submitted: 2016-08-07 14:44 UTC Modified: 2017-02-13 01:45 UTC
From: marceloje at gmail dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.24 OS: Linux
Private report: No CVE-ID: None
 [2016-08-07 14:44 UTC] marceloje at gmail dot com
Description:
------------
When the key_length parameter is greater than 0x7fffffff, the size parameter is interpreted as negative in memcpy, inside the PKCS5_PBKDF2_HMAC function (libcrypto.so).

This issue happens only in the PHP 5.6 branch. PHP 7.0 avoids this issue through the PHP_OPENSSL_CHECK_NUMBER_CONVERSION macro: https://github.com/php/php-src/blob/PHP-7.0.10/ext/openssl/openssl.c#L541

Test script:
---------------
poc.php

<?php

// key_length = 0x100000000 - 1 = 0xffffffff (4294967295): positive as a
// 64-bit PHP integer, but out of range for the int parameter it is passed to.
openssl_pbkdf2("emyei", "beford", 0x100000000 - 1, 0);

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

USE_ZEND_ALLOC=0 ASAN_OPTIONS=detect_leaks=0 /home/operac/build2/bin/php -n poc.php
=================================================================
==11421==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x7f919d1029a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x7f919b2c87e9 in PKCS5_PBKDF2_HMAC (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0x1317e9)
    #2 0x5be33e in zif_openssl_pbkdf2 /home/operac/build2/php-src-56/ext/openssl/openssl.c:4080
    #3 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #4 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #5 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #6 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #7 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #8 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #9 0x7f919ab4482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

Address 0x7ffd544616b0 is located in stack of thread T0
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==11421==ABORTING
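The narrowing the report describes, shown as an added stand-alone C program. This is example code, not code from the bug report, from php-src or from OpenSSL. It assumes a 64-bit long (int64_t stands in for PHP 5.6's long on the Linux x86_64 build in the ASan trace) and gcc/clang's modulo-2^32 behaviour when an out-of-range value is converted to int. The names narrowed_keylen, pbkdf2_copy_len, keylen_fits_int, checked_keylen and write_blocks are hypothetical; pbkdf2_copy_len only models the shape of a PBKDF2 output loop (copy the smaller of the remaining length and the digest size), not PKCS5_PBKDF2_HMAC itself; and keylen_fits_int is a plain range test written in the spirit of the PHP 7 PHP_OPENSSL_CHECK_NUMBER_CONVERSION check the report points to, not that macro.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for PHP 5.6's 64-bit "long" on Linux x86_64 (assumption). */
typedef int64_t php_long;

/* What handing the 64-bit key_length straight to an "int keylen" parameter
 * does: the value is narrowed (modulo 2^32 on gcc/clang, assumption), so
 * 0xffffffff becomes -1 even though it was positive as a php_long. */
int narrowed_keylen(php_long key_length)
{
    return (int)key_length;
}

/* Models the per-block copy length in a PBKDF2-shaped output loop:
 * copy min(remaining, digest_len) bytes of the current block.  A negative
 * remaining length wins the "min", and memcpy's size_t parameter then
 * receives it as a huge unsigned number.  Returns that size_t; no copy is
 * performed here. */
size_t pbkdf2_copy_len(int remaining_keylen, int digest_len)
{
    int cplen = (remaining_keylen > digest_len) ? digest_len : remaining_keylen;
    return (size_t)cplen;
}

/* Range check done on the 64-bit value, before any narrowing (hypothetical
 * helper modelled on the idea behind PHP 7's conversion check). */
bool keylen_fits_int(php_long key_length)
{
    return key_length > 0 && key_length <= INT_MAX;
}

/* Hardened front end: returns the int to hand to the library, or -1 when
 * the caller must reject the request. */
int checked_keylen(php_long key_length)
{
    if (!keylen_fits_int(key_length))
        return -1;
    return (int)key_length;
}

/* Toy output writer with the same loop shape, guarded by checked_keylen so an
 * out-of-range request never reaches memcpy.  The block content is a fixed
 * pattern (0xAB), not a real HMAC.  Returns the number of pattern bytes
 * written into a 256-byte local buffer, or 0 when the request is rejected. */
size_t write_blocks(php_long key_length, int digest_len)
{
    unsigned char out[256];
    unsigned char block[64];
    int keylen = checked_keylen(key_length);

    if (keylen < 0 || (size_t)keylen > sizeof out)
        return 0;
    if (digest_len <= 0 || digest_len > (int)sizeof block)
        return 0;

    memset(block, 0xAB, sizeof block);
    memset(out, 0, sizeof out);

    int remaining = keylen;
    unsigned char *p = out;
    while (remaining > 0) {
        size_t cplen = pbkdf2_copy_len(remaining, digest_len);
        memcpy(p, block, cplen);
        p += cplen;
        remaining -= (int)cplen;
    }

    size_t written = 0;
    for (size_t i = 0; i < (size_t)keylen; i++)
        if (out[i] == 0xAB)
            written++;
    return written;
}

int main(void)
{
    php_long bad = 0x100000000LL - 1;   /* the report's key_length, 0xffffffff */

    printf("as 64-bit long: %lld (passes any check that only rejects <= 0)\n",
           (long long)bad);
    printf("narrowed to int: %d\n", narrowed_keylen(bad));
    printf("size memcpy would receive: %zu\n",
           pbkdf2_copy_len(narrowed_keylen(bad), 20));
    printf("checked_keylen: %d (rejected before narrowing)\n", checked_keylen(bad));
    printf("checked 50-byte request writes %zu bytes\n", write_blocks(50, 20));
    return 0;
}
```

Run as is, it prints 4294967295 for the 64-bit value, -1 after narrowing, and SIZE_MAX as the size memcpy would be handed, which is the "size=-1" AddressSanitizer reports above. The practical lesson is where the check sits: a `key_length <= 0` test on the 64-bit value cannot catch 0xffffffff because the value is still positive at that point; the range check has to happen on the wide type, before the conversion to int.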


History

 [2016-08-07 21:26 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-08-07 21:26 UTC] stas@php.net
Doesn't look to me like security issue. Assigning to OpenSSL maintainer.
 [2016-10-30 22:04 UTC] stas@php.net
-Assigned To: pajoye +Assigned To: bukka
 [2016-11-02 19:49 UTC] bukka@php.net
From a quick check, it would require a very high memory limit and the app would have to allow the user to set the key length, which has a very small probability IMHO. I would consider it low severity.

If there are no objections, I will commit a fix to the public repo to 5.6 only and leave it to the RM to decide whether it should be ported to 5.5.
 [2016-11-03 03:40 UTC] stas@php.net
5.5 is EOL. Please feel free to commit to 5.6 and above.
 [2016-11-06 20:49 UTC] bukka@php.net
-Status: Assigned +Status: Closed
 [2016-11-06 20:49 UTC] bukka@php.net
Fixed in 5.6
 [2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC