php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74793 Out of bounds heap read access in bundled oniguruma library
Submitted: 2017-06-21 14:22 UTC Modified: 2020-10-13 14:13 UTC
From: hanno at hboeck dot de Assigned: nikic (profile)
Status: Closed Package: mbstring related
PHP Version: 7.1.6 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hanno at hboeck dot de
New email:
PHP Version: OS:

 

 [2017-06-21 14:22 UTC] hanno at hboeck dot de 
Description:
------------
With malformed regular expressions one can trigger an out of bounds memory read in the oniguruma library bundled with mbstring.

I have fuzzed and reported several of those issues to oniguruma itself. However they don't show up exactly for the same inputs in php (I don't know why, maybe due to different string handling).

Yet some of them can be reproduced. The first command below will trigger an out of bounds read in onig_strcpy(). This is equivalent to oniguruma issue #17 [1].

When applying the fix for that another bug appears in add_bytes (second command below), this is oniguruma issue #19 [2].

Several other issues have been fixed in oniguruma:
https://github.com/kkos/oniguruma/issues/16
https://github.com/kkos/oniguruma/issues/18
https://github.com/kkos/oniguruma/issues/29

I recommend updating the bundled code of oniguruma with all the upstream fixes.

[1] https://github.com/kkos/oniguruma/issues/17
[2] https://github.com/kkos/oniguruma/issues/19

Test script:
---------------
<?php

mb_ereg("000\xfd","");

mb_ereg("000000000000000000000\xf3","");

Actual result:
--------------
==4293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002a6f0 at pc 0x0000004dc855 bp 0x7ffc175b7180 sp 0x7ffc175b6930
READ of size 6 at 0x60300002a6f0 thread T0
    #0 0x4dc854 in __asan_memcpy (/home/hanno/Desktop/php-fuzzing-oniguruma/php+0x4dc854)
    #1 0x10d512b in onig_strcpy /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x10d512b in onig_node_str_cat /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:1447
    #3 0x10e5b7e in parse_exp /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:5094:6
    #4 0x10e3885 in parse_branch /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:5435:7
    #5 0x10e07a2 in parse_subexp /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:5472:7
    #6 0x10d7635 in parse_regexp /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:5516:7
    #7 0x10d7635 in onig_parse_make_tree /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regparse.c:5543
    #8 0x105c915 in onig_compile /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regcomp.c:5300:7
    #9 0x1085219 in onig_new /mnt/ram/x/php-7.1.6/ext/mbstring/oniguruma/regcomp.c:5545:7
    #10 0x11ff5d7 in php_mbregex_compile_pattern /mnt/ram/x/php-7.1.6/ext/mbstring/php_mbregex.c:456:19
    #11 0x11f91e8 in _php_mb_regex_ereg_exec /mnt/ram/x/php-7.1.6/ext/mbstring/php_mbregex.c:744:7
    #12 0x1cd1dc6 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /mnt/ram/x/php-7.1.6/Zend/zend_vm_execute.h:628:2
    #13 0x1b3b75d in execute_ex /mnt/ram/x/php-7.1.6/Zend/zend_vm_execute.h:432:7
    #14 0x1b3c73b in zend_execute /mnt/ram/x/php-7.1.6/Zend/zend_vm_execute.h:474:2
    #15 0x199e389 in zend_execute_scripts /mnt/ram/x/php-7.1.6/Zend/zend.c:1476:4
    #16 0x17365e2 in php_execute_script /mnt/ram/x/php-7.1.6/main/main.c:2537:14
    #17 0x1e114fd in do_cli /mnt/ram/x/php-7.1.6/sapi/cli/php_cli.c:993:5
    #18 0x1e0dd75 in main /mnt/ram/x/php-7.1.6/sapi/cli/php_cli.c:1381:18
    #19 0x7f3c345171e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r3/work/glibc-2.24/csu/../csu/libc-start.c:289
    #20 0x43c6a9 in _start (/home/hanno/Desktop/php-fuzzing-oniguruma/php+0x43c6a9)

0x60300002a6f0 is located 0 bytes to the right of 32-byte region [0x60300002a6d0,0x60300002a6f0)
allocated by thread T0 here:
    #0 0x4f30f8 in __interceptor_malloc (/home/hanno/Desktop/php-fuzzing-oniguruma/php+0x4f30f8)
    #1 0x187827c in __zend_malloc /mnt/ram/x/php-7.1.6/Zend/zend_alloc.c:2820:14
    #2 0x1820529 in lex_scan /mnt/ram/x/php-7.1.6/Zend/zend_language_scanner.l:2043:5
    #3 0x18888e6 in zendlex /mnt/ram/x/php-7.1.6/Zend/zend_compile.c:1703:11
    #4 0x17eb2d9 in zendparse /mnt/ram/x/php-7.1.6/Zend/zend_language_parser.c:4450:16
    #5 0x1800057 in zend_compile /mnt/ram/x/php-7.1.6/Zend/zend_language_scanner.l:585:7
    #6 0x17ffbc3 in compile_file /mnt/ram/x/php-7.1.6/Zend/zend_language_scanner.l:635:14
    #7 0x12d6e05 in phar_compile_file /mnt/ram/x/php-7.1.6/ext/phar/phar.c:3320:9
    #8 0x199e2b8 in zend_execute_scripts /mnt/ram/x/php-7.1.6/Zend/zend.c:1470:14
    #9 0x17365e2 in php_execute_script /mnt/ram/x/php-7.1.6/main/main.c:2537:14
    #10 0x1e114fd in do_cli /mnt/ram/x/php-7.1.6/sapi/cli/php_cli.c:993:5
    #11 0x1e0dd75 in main /mnt/ram/x/php-7.1.6/sapi/cli/php_cli.c:1381:18
    #12 0x7f3c345171e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r3/work/glibc-2.24/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hanno/Desktop/php-fuzzing-oniguruma/php+0x4dc854) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fffd480: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffd490: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffd4a0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fffd4b0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffd4c0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fffd4d0: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00[fa]fa
  0x0c067fffd4e0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4293==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-23 08:51 UTC] nikic@php.net 
This has been fixed in PHP 7.2, but still exists in PHP 7.0 and 7.1.
 [2020-10-13 14:13 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-10-13 14:13 UTC] nikic@php.net 
Closing this per above comment, as 7.0/7.1 are no longer supported.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Dec 22 10:01:28 2024 UTC