Bug #73275 crash in openssl_encrypt function
Submitted: 2016-10-09 15:19 UTC Modified: 2017-02-13 01:08 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
 [2016-10-09 15:19 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function openssl_encrypt() could produce an output string larger than 2 GB and cause PHP to crash. Please refer to the test script and GDB output.

Test script:
---------------
<?php
    // Lift the memory limit so a plaintext of roughly 2 GB can be allocated.
    ini_set('memory_limit', -1);
    $encryption_key = openssl_random_pseudo_bytes(32);
    $iv = openssl_random_pseudo_bytes(16);
    // Plaintext just under 2 GB (0x7fffffe0 bytes, a multiple of the 16-byte AES block).
    $str = str_repeat('a', 0x7fffffe0);

    $str1 = openssl_encrypt($str, 'aes-256-cbc', $encryption_key, OPENSSL_ZERO_PADDING, $iv);

    // Length of the returned (Base64-encoded) ciphertext.
    var_dump(strlen($str1));
?>

Expected result:
----------------
No string returned, since the output length is larger than 2 GB.

Actual result:
--------------
gdb-peda$ r ../test/string/test_openssl.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_openssl.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Warning: openssl_encrypt(): String too long, maximum is 536870911 in /home/user/Desktop/test/string/test_openssl.php on line 7
int(-134483248) // THIS IS OUTPUT LENGTH

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0xfffffffff7fbf2d0 
RBX: 0x0 
RCX: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDX: 0x0 
RSI: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDI: 0x7ffff7fbf320 --> 0x0 
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa668d9 (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x16c1f00 --> 0x0 
R9 : 0x108d500 ("9223372036854775808")
R10: 0xdb4 
R11: 0x7ffff3e09730 --> 0xfffda400fffda12f 
R12: 0x43ffe0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa668d1 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa668d4 <_zval_dtor_func+94>:	cdqe   
   0xa668d6 <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa668d9 <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa668dc <_zval_dtor_func+102>:	test   al,al
   0xa668de <_zval_dtor_func+104>:	je     0xa6690d <_zval_dtor_func+151>
   0xa668e0 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa668e4 <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f8a3f8 
0016| 0x7fffffffb9a0 --> 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fbf320 --> 0x0 
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa51828 (<_zval_dtor+53>:	jmp    0xa5182b <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
#1  0x0000000000a51828 in _zval_dtor (zvalue=0x7ffff7fbf320, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.h:35
#2  0x0000000000a518f3 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fbf320, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute.h:79
#3  0x0000000000a52bcc in _zval_ptr_dtor (zval_ptr=0x7ffff7fc0818, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:424
#4  0x0000000000a66e44 in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fc0818)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:188
#5  0x0000000000a7bb63 in i_zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fc0800)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:182
#6  0x0000000000a7bc3b in zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fc0800)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:192
#7  0x0000000000a7d94e in zend_hash_graceful_reverse_destroy (
    ht=0x14167c8 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:613
#8  0x0000000000a523c8 in shutdown_executor ()
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:244
#9  0x0000000000a69192 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.26/Zend/zend.c:960
#10 0x00000000009ca332 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.26/main/main.c:1899
#11 0x0000000000b281fd in do_cli (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1177
#12 0x0000000000b28a8f in main (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#13 0x00007ffff3c95830 in __libc_start_main (main=0xb28272 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000440009 in _start ()


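The submitter's output shows the hazard pattern in this class of bug: a length check emits a warning but execution continues, and the length handed back to the caller is negative, which the engine later dereferences during shutdown. The following C program is an added example, not code from PHP's source or from the referenced fix commit. It models the defect with constructed inputs: an unchecked 32-bit computation of the Base64-encoded ciphertext length (`naive_encoded_len`, a hypothetical name) beside an overflow-checked version (`checked_encoded_len`, also hypothetical) that refuses any length the API's `int` return type cannot hold, so the caller fails closed instead of returning a string. The model reproduces the sign flip, not the exact value printed in the report.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not PHP's source) of unchecked length arithmetic:
 * the padded ciphertext size and its Base64 size are computed in 32-bit
 * arithmetic, so a plaintext a little under 2 GB wraps around. The
 * result is reinterpreted as the signed int the caller would receive. */
int64_t naive_encoded_len(uint32_t data_len, uint32_t block_size)
{
    uint32_t padded = data_len + block_size;        /* room for one padding block */
    uint32_t b64len = ((padded + 2u) / 3u) * 4u;    /* Base64 expansion, may wrap */
    if (b64len > (uint32_t)INT32_MAX)
        return (int64_t)b64len - ((int64_t)1 << 32); /* what a signed int would show */
    return (int64_t)b64len;
}

/* Overflow-checked version. Every intermediate step is bounded in size_t
 * and the final value must fit the legacy int return type; otherwise the
 * function returns -1 and the caller fails closed (no allocation, no
 * string returned) instead of emitting a warning and continuing. */
int64_t checked_encoded_len(size_t data_len, size_t block_size)
{
    size_t padded, groups;
    if (block_size == 0 || data_len > SIZE_MAX - block_size)
        return -1;
    padded = data_len + block_size;
    if (padded > SIZE_MAX - 2)
        return -1;
    groups = (padded + 2) / 3;          /* 3-byte groups, last one padded */
    if (groups > SIZE_MAX / 4)
        return -1;
    if (groups * 4 > (size_t)INT_MAX)   /* would not fit the int the API returns */
        return -1;
    return (int64_t)(groups * 4);
}

int main(void)
{
    /* Constructed inputs: the report's 0x7fffffe0-byte plaintext with a
     * 16-byte AES block, and a small ordinary message for comparison. */
    const uint32_t big = 0x7fffffe0u, small = 5u, block = 16u;

    printf("naive   big   -> %lld\n", (long long)naive_encoded_len(big, block));
    printf("checked big   -> %lld\n", (long long)checked_encoded_len(big, block));
    printf("naive   small -> %lld\n", (long long)naive_encoded_len(small, block));
    printf("checked small -> %lld\n", (long long)checked_encoded_len(small, block));
    return 0;
}
```

For the small message both functions agree on 28 Base64 characters; for the report's input the unchecked model goes negative while the checked version rejects it. The defensive rule this illustrates is that a size check on a cryptographic API must abort the call, not merely warn, because every later step (allocation, encoding, storing the length in a zval) trusts the number.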
History

 [2016-10-11 20:20 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 20:20 UTC] stas@php.net
The fix is in security repo as 8822f7c9f0be2f591f8fa58834c5e1bc529b24dc and in https://gist.github.com/0019e9036c13ac48e17de155c51614c7

please verify
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8822f7c9f0be2f591f8fa58834c5e1bc529b24dc
Log: fix bug #73275 - crash in openssl_encrypt function
 [2017-02-13 01:08 UTC] stas@php.net
-Type: Security +Type: Bug