Bug #73540 Invalid memory access in zif_create_function
Submitted: 2016-11-16 11:12 UTC Modified: 2021-04-28 12:51 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Wont fix Package: Unknown/Other Function
PHP Version: 5.6.28 OS: ALL
Private report: No CVE-ID: None
 [2016-11-16 11:12 UTC] ahihibughunter at gmail dot com
Description:
------------
In function zif_create_function
ZEND_FUNCTION(create_function)
{
....
	eval_code[eval_code_length++] = ')';
	eval_code[eval_code_length++] = '{';

	memcpy(eval_code + eval_code_length, function_code, function_code_len);
	eval_code_length += function_code_len;

	eval_code[eval_code_length++] = '}';  <- crashed here
	eval_code[eval_code_length] = '\0';
.....
}
The length of eval_code increases without its value being checked, which causes php5 to crash.



Test script:
---------------
<?php
ini_set('memory_limit', -1);
$z  = str_repeat('a',0x7fffffff);
var_dump( uasort($array_arg, create_function('x, x',$z) ) );
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php5new/php-src-PHP-5.6.28/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
.................
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
1826		eval_code[eval_code_length++] = '}';
(gdb) bt
#0  0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
#1  0x0000000000b0bbaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:558
#2  0x0000000000b116d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:2602
#3  0x0000000000b0b212 in execute_ex (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:363
#4  0x0000000000b0b299 in zend_execute (op_array=0x7ffff7fb5348) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:388
#5  0x0000000000ac3c49 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:1341
#6  0x0000000000a24d6c in php_execute_script (primary_file=0x7fffffffc9f0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:2613
#7  0x0000000000b80a61 in do_cli (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:998
#8  0x0000000000b81dc4 in main (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb) print eval_code_length
$1 = -2147483619
(gdb) 


History
 [2016-11-16 22:01 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-16 22:01 UTC] stas@php.net
Not a security issue.
 [2021-04-28 12:51 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-04-28 12:51 UTC] cmb@php.net
create_function() is deprecated as of PHP 7.2.0, and removed as of
PHP 8.0.0, and I consider it to be highly unlikely that anybody
would try to create a function with a resulting length of SIZE_MAX
(note that eval_code_length is changed from `int` to `size_t` as
of PHP 7.0.0).
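The arithmetic behind the reporter's crash and cmb's remark about `int` versus `size_t` can be checked without allocating a 2 GiB string. The program below is an added example, not code from php-src or from anyone on this report: it reproduces only the length bookkeeping of the excerpt above (prefix, argument list, `){`, body, `}` and NUL) in two variants, a signed 32-bit accumulator as in PHP 5.6 and a `size_t` accumulator with an overflow check. The prefix string `function __lambda_func(` and the helper names are assumptions made for this example; the page itself does not show the prefix. The sample argument list `x, x` and body length `0x7fffffff` are the values from the test script.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed prefix that create_function() prepends to the generated code
 * (not taken from this bug report; used here only to make the arithmetic concrete). */
#define LAMBDA_PREFIX "function __lambda_func("

/* Two's-complement wraparound to 32 bits, computed in 64-bit unsigned
 * arithmetic so the example itself never triggers signed overflow (which is
 * undefined behaviour in C and is exactly what the original code relied on). */
static int32_t wrap_int32(int64_t v)
{
    uint64_t u = (uint64_t)v & 0xffffffffULL;
    if (u >= 0x80000000ULL) {
        return (int32_t)((int64_t)u - 0x100000000LL);
    }
    return (int32_t)u;
}

/* PHP 5.6 style: eval_code_length is an int. Returns the index at which the
 * closing '}' would be stored, i.e. the value of eval_code_length just before
 * the line marked "crashed here" in the report. */
int32_t eval_code_len_int(size_t args_len, size_t code_len)
{
    int64_t len = (int64_t)(sizeof(LAMBDA_PREFIX) - 1);
    len = wrap_int32(len + (int64_t)args_len); /* memcpy of the argument list */
    len = wrap_int32(len + 2);                 /* ')' and '{' */
    len = wrap_int32(len + (int64_t)code_len); /* memcpy of the body: wraps negative */
    return (int32_t)len;
}

/* Hardened variant: size_t accumulator with an explicit overflow check on
 * every addition. On success *needed is the buffer size including '}' and NUL. */
bool eval_code_len_checked(size_t args_len, size_t code_len, size_t *needed)
{
    size_t len = sizeof(LAMBDA_PREFIX) - 1;
    const size_t parts[] = { args_len, 2, code_len, 2 }; /* args, "){", body, "}\0" */
    for (size_t i = 0; i < sizeof(parts) / sizeof(parts[0]); i++) {
        if (parts[i] > SIZE_MAX - len) {
            return false; /* len + parts[i] would wrap around */
        }
        len += parts[i];
    }
    *needed = len;
    return true;
}

/* The store eval_code[idx] is only in bounds for 0 <= idx < buf_size. */
bool index_in_bounds(int32_t idx, size_t buf_size)
{
    return idx >= 0 && (size_t)idx < buf_size;
}

int main(void)
{
    const size_t args_len = sizeof("x, x") - 1;   /* from the report's test script */
    const size_t code_len = 0x7fffffff;           /* str_repeat('a', 0x7fffffff) */
    size_t needed = 0;

    int32_t idx = eval_code_len_int(args_len, code_len);
    printf("int accumulator: '}' would be written at index %d\n", idx);

    if (eval_code_len_checked(args_len, code_len, &needed)) {
        printf("size_t accumulator: buffer needs %zu bytes, index in bounds: %s\n",
               needed, index_in_bounds(idx, needed) ? "yes" : "no");
    }
    return 0;
}
```

With the report's inputs the signed accumulator lands at -2147483620 before the `'}'` store; the gdb session above shows -2147483619, the same value after the post-increment in `eval_code[eval_code_length++]`. The checked variant never produces a negative index, and it returns false instead of wrapping when a body length close to `SIZE_MAX` is passed, which is the case cmb's comment describes for PHP 7.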
Last updated: Sat Dec 21 16:01:28 2024 UTC