Bug #73276 crash in openssl_random_pseudo_bytes function
Submitted: 2016-10-09 15:38 UTC Modified: 2017-02-13 01:08 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
 [2016-10-09 15:38 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function openssl_random_pseudo_bytes could produce a string larger than 2GB and cause PHP to crash.

Test script:
---------------
<?php
    // Lift the memory limit so the allocation itself does not abort the request.
    ini_set('memory_limit', -1);

    // Request 0x80001000 (2 GiB + 4 KiB) bytes, which does not fit a signed 32-bit length.
    $str = openssl_random_pseudo_bytes(0x80001000);

    var_dump(strlen($str));
?>

Expected result:
----------------
No string returned, since the output length is larger than 2GB

Actual result:
--------------
gdb-peda$ r ../test/string/test_openssl.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_openssl.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(-2147479552)  // THIS IS THE OUTPUT LENGTH

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffeed172070 
RBX: 0x0 
RCX: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDX: 0x7fff6d171070 --> 0x0 
RSI: 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
RDI: 0x7ffff7fbd598 --> 0x7fff6d171070 --> 0x0 
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa668d9 (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x136 
R9 : 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
R10: 0x86f 
R11: 0x7ffff3e09730 --> 0xfffda400fffda12f 
R12: 0x43ffe0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa668d1 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa668d4 <_zval_dtor_func+94>:	cdqe   
   0xa668d6 <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa668d9 <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa668dc <_zval_dtor_func+102>:	test   al,al
   0xa668de <_zval_dtor_func+104>:	je     0xa6690d <_zval_dtor_func+151>
   0xa668e0 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa668e4 <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f8a3f8 
0016| 0x7fffffffb9a0 --> 0x108d538 ("/home/user/Desktop/php-5.6.26/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fbd598 --> 0x7fff6d171070 --> 0x0 
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa51828 (<_zval_dtor+53>:	jmp    0xa5182b <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbd598, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a668d9 in _zval_dtor_func (zvalue=0x7ffff7fbd598, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:36
#1  0x0000000000a51828 in _zval_dtor (zvalue=0x7ffff7fbd598, 
    __zend_filename=0x108d538 "/home/user/Desktop/php-5.6.26/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.h:35
#2  0x0000000000a518f3 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fbd598, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute.h:79
#3  0x0000000000a52bcc in _zval_ptr_dtor (zval_ptr=0x7ffff7fbec90, 
    __zend_filename=0x108f820 "/home/user/Desktop/php-5.6.26/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:424
#4  0x0000000000a66e44 in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fbec90)
    at /home/user/Desktop/php-5.6.26/Zend/zend_variables.c:188
#5  0x0000000000a7bb63 in i_zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fbec78)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:182
#6  0x0000000000a7bc3b in zend_hash_bucket_delete (
    ht=0x14167c8 <executor_globals+360>, p=0x7ffff7fbec78)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:192
#7  0x0000000000a7d94e in zend_hash_graceful_reverse_destroy (
    ht=0x14167c8 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.26/Zend/zend_hash.c:613
#8  0x0000000000a523c8 in shutdown_executor ()
    at /home/user/Desktop/php-5.6.26/Zend/zend_execute_API.c:244
#9  0x0000000000a69192 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.26/Zend/zend.c:960
#10 0x00000000009ca332 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.26/main/main.c:1899
#11 0x0000000000b281fd in do_cli (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1177
#12 0x0000000000b28a8f in main (argc=0x2, argv=0x141b560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#13 0x00007ffff3c95830 in __libc_start_main (main=0xb28272 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000440009 in _start ()

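The reported strlen() of int(-2147479552) is exactly what 0x80001000 becomes when a 64-bit length is narrowed to a signed 32-bit int (the type OpenSSL's RAND_bytes and PHP 5.6's string length field use). The following C program is an added illustration, not PHP's code or the committed fix: it reproduces that narrowing with portable unsigned arithmetic and shows the shape of the bound check a wrapper should apply before handing a caller-supplied length to an int-sized API. The names narrow_to_int32, length_is_valid and checked_random_buffer are the example's own, and the buffer is filled with a fixed byte instead of a CSPRNG so it runs offline.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not PHP's code): model of how a 64-bit requested
 * length is narrowed to a 32-bit int, and a checked allocator that refuses
 * lengths that cannot be represented as a positive int. */

/* Narrow a 64-bit length to 32 bits the way a (int) cast does on
 * two's-complement targets, computed via unsigned arithmetic so the example
 * itself has no implementation-defined behaviour. */
int32_t narrow_to_int32(int64_t len) {
    uint32_t low = (uint32_t)((uint64_t)len & 0xFFFFFFFFu);
    if (low >= 0x80000000u) {
        /* High bit set: the value reads as negative once stored in an int. */
        return (int32_t)((int64_t)low - 0x100000000LL);
    }
    return (int32_t)low;
}

/* Returns 1 if len is a usable byte count for an API whose length parameter
 * is a C int (such as OpenSSL's RAND_bytes), 0 otherwise. */
int length_is_valid(int64_t len) {
    return len > 0 && len <= INT_MAX;
}

/* Allocate and fill a buffer of the requested size, or return NULL when the
 * request is not a positive int. Filling uses a fixed byte instead of a
 * CSPRNG so the example runs offline; out_len receives the length the
 * caller would store in the string header. Caller frees the result. */
unsigned char *checked_random_buffer(int64_t requested, int32_t *out_len) {
    if (!length_is_valid(requested)) {
        return NULL;
    }
    int len = (int)requested; /* safe: already bounded to (0, INT_MAX] */
    unsigned char *buf = malloc((size_t)len + 1);
    if (!buf) {
        return NULL;
    }
    memset(buf, 0xAB, (size_t)len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

int main(void) {
    int64_t reported = 0x80001000LL;  /* value from the bug report's test script */
    int32_t n = 0;
    unsigned char *b;

    printf("0x80001000 narrowed to int: %d\n", narrow_to_int32(reported));

    b = checked_random_buffer(reported, &n);
    printf("checked call with 0x80001000: %s\n", b ? "succeeded" : "refused");
    free(b);

    b = checked_random_buffer(32, &n);
    printf("checked call with 32: len %d\n", n);
    free(b);
    return 0;
}
```

Run as written, the first line prints -2147479552, matching the var_dump output in the report, and the oversized request is refused before any allocation or int-sized call happens; a 32-byte request goes through with the expected length.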

Patches

Pull Requests

History

 [2016-10-09 15:38 UTC] nguyenluan dot vnn at gmail dot com
This is a security issue.
 [2016-10-09 15:39 UTC] nguyenluan dot vnn at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-10-09 15:39 UTC] nguyenluan dot vnn at gmail dot com
Update bug type
 [2016-10-11 20:39 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 20:39 UTC] stas@php.net
The fix is in security repo as 85a22a0af0722ef3a8d49a056a0b2b18be1fb981 and in https://gist.github.com/65444883204af273b707306442c09503

Please verify.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85a22a0af0722ef3a8d49a056a0b2b18be1fb981
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 14:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7dc8b5e7aefce963a7a222c48ee3506725c4776b
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c2d486cb13525b376059046e47e0f7c7e44f981
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85a22a0af0722ef3a8d49a056a0b2b18be1fb981
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe789b3f7c414954a47ccb6cee17b19f56ab1b98
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7dc8b5e7aefce963a7a222c48ee3506725c4776b
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85a22a0af0722ef3a8d49a056a0b2b18be1fb981
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe789b3f7c414954a47ccb6cee17b19f56ab1b98
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-17 10:06 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe789b3f7c414954a47ccb6cee17b19f56ab1b98
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7dc8b5e7aefce963a7a222c48ee3506725c4776b
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85a22a0af0722ef3a8d49a056a0b2b18be1fb981
Log: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
 [2017-02-13 01:08 UTC] stas@php.net
-Type: Security +Type: Bug