Bug #73646 mb_ereg_search_init null pointer dereference
Submitted: 2016-12-03 17:48 UTC Modified: 2016-12-09 07:55 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1.0 OS: Linux 32 bits
Private report: No CVE-ID: None
 [2016-12-03 17:48 UTC] fernando at null-life dot com
Description:
------------
When a string is built with str_repeat() and an invalid length, a null pointer dereference happens in the mb_ereg_search_init function.

-----------------------------

Source code:
https://github.com/php/php-src/blob/PHP-7.1/ext/mbstring/php_mbregex.c#L1384


PHP_FUNCTION(mb_ereg_search_init)
{
	size_t argc = ZEND_NUM_ARGS();
	zval *arg_str;
	char *arg_pattern = NULL, *arg_options = NULL;
	size_t arg_pattern_len = 0, arg_options_len = 0;
	OnigSyntaxType *syntax = NULL;
	OnigOptionType option;
...
	ZVAL_DUP(&MBREX(search_str), arg_str);

	if (php_mb_check_encoding(
	Z_STRVAL_P(arg_str),
	Z_STRLEN_P(arg_str),
	_php_mb_regex_mbctype2name(MBREX(current_mbctype))   // Null pointer dereference
	)) {
		MBREX(search_pos) = 0;
		RETVAL_TRUE;
	} else {
		MBREX(search_pos) = Z_STRLEN_P(arg_str);
		RETVAL_FALSE;
	}
...


GDB output:

 gdb -q --args /home/user/build2/bin/php -n poc.php
Reading symbols from /home/user/build2/bin/php...done.
(gdb) r
Starting program: /home/user/build2/bin/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Warning: str_repeat(): Second argument has to be greater than or equal to 0 in /home/user/crashes/mb_ereg_search/poc.php on line 5

Program received signal SIGSEGV, Segmentation fault.
0x08566b05 in zif_mb_ereg_search_init (execute_data=0xf1014090, return_value=0xffff9a00) at /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
1384            if (php_mb_check_encoding(
(gdb) l
1379                    zval_ptr_dtor(&MBREX(search_str));
1380            }
1381
1382            ZVAL_DUP(&MBREX(search_str), arg_str);
1383
1384            if (php_mb_check_encoding(
1385            Z_STRVAL_P(arg_str),
1386            Z_STRLEN_P(arg_str),
1387            _php_mb_regex_mbctype2name(MBREX(current_mbctype))
1388            )) {




Test script:
---------------
<?php

$v1=str_repeat("#", -1);
mb_ereg_search_init($v1);

Expected result:
----------------
No crash

Actual result:
--------------
Warning: str_repeat(): Second argument has to be greater than or equal to 0 in /home/user/crashes/mb_ereg_search/poc.php on line 5
ASAN:SIGSEGV
=================================================================
==19448==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000c (pc 0x08566b05 bp 0xffdfc2b8 sp 0xffdfc080 T0)
    #0 0x8566b04 in zif_mb_ereg_search_init /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
    #1 0x8cb669e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/user/build2/php-src/Zend/zend_vm_execute.h:628
    #2 0x8cb4ed1 in execute_ex /home/user/build2/php-src/Zend/zend_vm_execute.h:429
    #3 0x8cb51e4 in zend_execute /home/user/build2/php-src/Zend/zend_vm_execute.h:474
    #4 0x8baf604 in zend_execute_scripts /home/user/build2/php-src/Zend/zend.c:1474
    #5 0x8a47247 in php_execute_script /home/user/build2/php-src/main/main.c:2533
    #6 0x8eaec77 in do_cli /home/user/build2/php-src/sapi/cli/php_cli.c:990
    #7 0x8eb1239 in main /home/user/build2/php-src/sapi/cli/php_cli.c:1378
    #8 0xf6953636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #9 0x806f240  (/home/user/build2/bin/php+0x806f240)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384 zif_mb_ereg_search_init
==19448==ABORTING


 [2016-12-06 05:48 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-12-06 05:48 UTC] stas@php.net
Not a security issue.
 [2016-12-06 23:19 UTC] cmb@php.net
-Package: *Regular Expressions +Package: mbstring related
 [2016-12-06 23:26 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2016-12-06 23:26 UTC] cmb@php.net
Thanks for reporting this bug!

The crux is that mb_ereg_search_init() accepts a zval as first argument and assumes that it IS_STRING, but neither checks nor enforces this.
 [2016-12-07 18:56 UTC] fernando at null-life dot com
I think it's the same root cause, but if I supply a different value, there is an illegal memory access trying to read a memory address that I can control, and I consider it should be handled as a security bug, for example:

<?php

mb_ereg_search_init(-0x4523500e);

output:

ASAN:SIGSEGV
=================================================================
==5243==ERROR: AddressSanitizer: SEGV on unknown address 0xbadcaffe (pc 0x08566b05 bp 0xff86d9d8 sp 0xff86d7a0 T0)
    #0 0x8566b04 in zif_mb_ereg_search_init /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
    #1 0x8cb669e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/user/build2/php-src/Zend/zend_vm_execute.h:628
    #2 0x8cb4ed1 in execute_ex /home/user/build2/php-src/Zend/zend_vm_execute.h:429
    #3 0x8cb51e4 in zend_execute /home/user/build2/php-src/Zend/zend_vm_execute.h:474
    #4 0x8baf604 in zend_execute_scripts /home/user/build2/php-src/Zend/zend.c:1474
    #5 0x8a47247 in php_execute_script /home/user/build2/php-src/main/main.c:2533
    #6 0x8eaec77 in do_cli /home/user/build2/php-src/sapi/cli/php_cli.c:990
    #7 0x8eb1239 in main /home/user/build2/php-src/sapi/cli/php_cli.c:1378
    #8 0xf6973636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #9 0x806f240  (/home/user/build2/bin/php+0x806f240)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384 zif_mb_ereg_search_init
==5243==ABORTING
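To make the root cause cmb describes concrete, and to decode the two ASan faulting addresses above (0x0000000c for the null from str_repeat(), 0xbadcaffe for the integer -0x4523500e), here is an added C model that is not code from the report or from php-src: it reproduces the 32-bit zval/zend_string layout as small structs, computes the address the unchecked Z_STRLEN_P read would touch, and shows a type-checked variant. The struct field widths, the model_* names and the checked_strlen() function are assumptions for illustration, not the actual php-src fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of PHP 7's zval / zend_string with 32-bit field widths
 * (the reporter's build is "Linux 32 bits"); not the real headers. */
enum { IS_NULL = 1, IS_LONG = 4, IS_STRING = 6 };

typedef struct {
    uint32_t refcount;   /* zend_refcounted_h */
    uint32_t type_info;
    uint32_t h;          /* cached hash */
    uint32_t len;        /* Z_STRLEN_P reads here: offset 12 (0xc) */
    char     val[8];     /* fixed-size payload for this model */
} model_zend_string;

typedef struct {
    uintptr_t word;      /* zval.value: zend_long and zend_string* share this slot */
    uint8_t   type;      /* Z_TYPE_P */
} model_zval;

/* The three argument kinds that matter in this report. */
model_zval zval_null(void)                { model_zval z = { 0, IS_NULL }; return z; }
model_zval zval_long(int32_t v)           { model_zval z = { (uint32_t)v, IS_LONG }; return z; }
model_zval zval_str(model_zend_string *s) { model_zval z = { (uintptr_t)s, IS_STRING }; return z; }

/* 7.1.0 behaviour: Z_STRLEN_P is applied without looking at the type. Instead of
 * dereferencing, return the 32-bit address that read would touch: ASan's "SEGV on
 * unknown address" value is the raw value word plus offsetof(len). */
uint32_t unchecked_strlen_addr(const model_zval *z)
{
    return (uint32_t)z->word + (uint32_t)offsetof(model_zend_string, len);
}

/* Hardened variant (assumed, for illustration): enforce IS_STRING before trusting
 * the pointer. Returns 0 and the length, or -1 on a type mismatch. */
int checked_strlen(const model_zval *z, uint32_t *out_len)
{
    if (z->type != IS_STRING || z->word == 0) return -1;
    *out_len = ((const model_zend_string *)z->word)->len;
    return 0;
}

int main(void)
{
    model_zval n = zval_null();               /* str_repeat("#", -1) yields null */
    model_zval l = zval_long(-0x4523500e);    /* the second PoC's integer */
    printf("null -> would read 0x%08x\n", unchecked_strlen_addr(&n)); /* 0x0000000c */
    printf("long -> would read 0x%08x\n", unchecked_strlen_addr(&l)); /* 0xbadcaffe */
    return 0;
}
```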
 [2016-12-09 07:56 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a43c61bcdedf54b1736e608f0919bacdba6ed00
Log: Fixed bug #73646 (mb_ereg_search_init null pointer dereference)
 [2016-12-09 07:56 UTC] laruence@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Feb 02 13:01:29 2025 UTC