Bug #74960 Heap buffer overflow via str_repeat
Submitted: 2017-07-21 04:41 UTC Modified: 2021-07-21 12:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS:
Private report: No CVE-ID: None
 [2017-07-21 04:41 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
I have tested on Ubuntu x86.

Test script:
---------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);

$str.=$str;
    
?>


Expected result:
----------------
no crash

Actual result:
--------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);

$str.=$str;
    
?>


History

 [2017-07-21 04:58 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb6e5f981 --> 0x0 
EBX: 0xb7a8b000 --> 0x1aada8 
ECX: 0x7ffffff6 
EDX: 0x36e5f980 
ESI: 0x36e5f977 
EDI: 0xb6e5f981 --> 0x0 
EBP: 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 --> 0xbfffbb68 --> 0xbfffbba8 --> 0xbfffbbd8 (--> ...)
ESP: 0xbfffba60 --> 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EIP: 0xb7a14f84 (<__memcpy_ssse3_rep+3380>:	movdqu XMMWORD PTR [esi],xmm0)
EFLAGS: 0x210206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a14f77 <__memcpy_ssse3_rep+3367>:	mov    esi,esi
   0xb7a14f79 <__memcpy_ssse3_rep+3369>:	lea    edi,[edi+eiz*1+0x0]
   0xb7a14f80 <__memcpy_ssse3_rep+3376>:	movdqu xmm1,XMMWORD PTR [eax]
=> 0xb7a14f84 <__memcpy_ssse3_rep+3380>:	movdqu XMMWORD PTR [esi],xmm0
   0xb7a14f88 <__memcpy_ssse3_rep+3384>:	movntdq XMMWORD PTR [edx],xmm1
   0xb7a14f8c <__memcpy_ssse3_rep+3388>:	add    eax,0x10
   0xb7a14f8f <__memcpy_ssse3_rep+3391>:	add    edx,0x10
   0xb7a14f92 <__memcpy_ssse3_rep+3394>:	sub    ecx,0x10
[------------------------------------stack-------------------------------------]
0000| 0xbfffba60 --> 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
0004| 0xbfffba64 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
0008| 0xbfffba68 --> 0x84efff0 (<concat_function>:	push   ebp)
0012| 0xbfffba6c --> 0x84f055d (<concat_function+1389>:	mov    edx,DWORD PTR [ebp-0x4c])
0016| 0xbfffba70 --> 0x36e5f977 
0020| 0xbfffba74 --> 0xb6e5f978 --> 0x0 
0024| 0xbfffba78 --> 0x7fffffff 
0028| 0xbfffba7c --> 0x83a5df6 (<zend_string_safe_alloc+153>:	mov    eax,DWORD PTR [ebp+0x8])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1269
1269	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep ()
    at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1269
#1  0x084f055d in concat_function (result=0xb6e14050, op1=0xb6e14050, 
    op2=0xb6e14050) at /home/hjy/Desktop/php-7.1.7/Zend/zend_operators.c:1773
#2  0x0859b599 in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x84efff0 <concat_function>)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44196
#3  0x0859b7bb in ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER ()
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44613
#4  0x08548973 in execute_ex (ex=0xb6e14020)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
#5  0x08548a36 in zend_execute (op_array=0xb6e6c1e0, return_value=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
#6  0x084f74a1 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
#7  0x08479d1f in php_execute_script (primary_file=0xbfffdeb4)
    at /home/hjy/Desktop/php-7.1.7/main/main.c:2537
#8  0x085b9dbe in do_cli (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
#9  0x085bac75 in main (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
#10 0xb78f9a83 in __libc_start_main (main=0x85ba68d <main>, argc=0x3, 
    argv=0xbffff154, init=0x85c3cd0 <__libc_csu_init>, 
    fini=0x85c3d40 <__libc_csu_fini>, rtld_fini=0xb7fed180 <_dl_fini>, 
    stack_end=0xbffff14c) at libc-start.c:287
#11 0x08070f21 in _start ()
 [2017-07-21 06:04 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Summary: SIGSEV in concat_function +Summary: Heap buffer overflow via str_repeat
 [2017-07-21 06:04 UTC] zhihua dot yao at dbappsecurity dot com dot cn
test script
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7ffffff2);

$str.=$str;
    
?>
_____________________________
[----------------------------------registers-----------------------------------]
EAX: 0x80201000 ('A' <repeats 200 times>...)
EBX: 0x84efff0 (<concat_function>:	push   ebp)
ECX: 0x36a00000 --> 0x1 
EDX: 0x36a00000 --> 0x1 
ESI: 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EDI: 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb980 --> 0xb6e00040 --> 0x0 
EIP: 0x84c70ed (<zend_mm_realloc_heap+1785>:	mov    eax,DWORD PTR [ebp+0x24])
EFLAGS: 0x200287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84c70e1 <zend_mm_realloc_heap+1773>:	mov    eax,DWORD PTR [ebp+0x8]
   0x84c70e4 <zend_mm_realloc_heap+1776>:	mov    eax,DWORD PTR [eax+0x8c]
   0x84c70ea <zend_mm_realloc_heap+1782>:	mov    DWORD PTR [ebp-0x10],eax
=> 0x84c70ed <zend_mm_realloc_heap+1785>:	mov    eax,DWORD PTR [ebp+0x24]
   0x84c70f0 <zend_mm_realloc_heap+1788>:	mov    DWORD PTR [esp+0x14],eax
   0x84c70f4 <zend_mm_realloc_heap+1792>:	mov    eax,DWORD PTR [ebp+0x20]
   0x84c70f7 <zend_mm_realloc_heap+1795>:	mov    DWORD PTR [esp+0x10],eax
   0x84c70fb <zend_mm_realloc_heap+1799>:	mov    eax,DWORD PTR [ebp+0x1c]
[------------------------------------stack-------------------------------------]
0000| 0xbfffb980 --> 0xb6e00040 --> 0x0 
0004| 0xbfffb984 --> 0x36a00000 --> 0x1 
0008| 0xbfffb988 --> 0x8b73aa0 ("/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h")
0012| 0xbfffb98c --> 0xd0 
0016| 0xbfffb990 --> 0x0 
0020| 0xbfffb994 --> 0x0 
0024| 0xbfffb998 --> 0x80001000 ('A' <repeats 200 times>...)
0028| 0xbfffb99c --> 0x80000006 ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, zend_mm_realloc_heap (heap=0xb6e00040, ptr=0x36a00000, size=0xc, 
    copy_size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:1610
1610		ret = zend_mm_alloc_heap(heap, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
gdb-peda$ p/x size
$1 = 0xc
gdb-peda$ n

[----------------------------------registers-----------------------------------]
EAX: 0xb6e5d060 --> 0xb6e5d080 --> 0xb6e5d0a0 --> 0xb6e5d0c0 --> 0xb6e5d0e0 --> 0xb6e5d100 (--> ...)
EBX: 0x84efff0 (<concat_function>:	push   ebp)
ECX: 0x7 
EDX: 0x0 
ESI: 0xb6e14020 --> 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EDI: 0xb6e7c0fc --> 0x859b7ab (<ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER>:	push   ebp)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb980 --> 0xb6e00040 --> 0x0 
EIP: 0x84c711e (<zend_mm_realloc_heap+1834>:	mov    eax,DWORD PTR [ebp-0x58])
EFLAGS: 0x200286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84c7113 <zend_mm_realloc_heap+1823>:	mov    DWORD PTR [esp],eax
   0x84c7116 <zend_mm_realloc_heap+1826>:	
    call   0x84c6674 <zend_mm_alloc_heap>
   0x84c711b <zend_mm_realloc_heap+1831>:	mov    DWORD PTR [ebp-0xc],eax
=> 0x84c711e <zend_mm_realloc_heap+1834>:	mov    eax,DWORD PTR [ebp-0x58]
   0x84c7121 <zend_mm_realloc_heap+1837>:	cmp    DWORD PTR [ebp+0x14],eax
   0x84c7124 <zend_mm_realloc_heap+1840>:	cmovbe eax,DWORD PTR [ebp+0x14]
   0x84c7128 <zend_mm_realloc_heap+1844>:	mov    DWORD PTR [esp+0x8],eax
   0x84c712c <zend_mm_realloc_heap+1848>:	mov    eax,DWORD PTR [ebp+0xc]
[------------------------------------stack-------------------------------------]
0000| 0xbfffb980 --> 0xb6e00040 --> 0x0 
0004| 0xbfffb984 --> 0x20 (' ')
0008| 0xbfffb988 --> 0x8b73aa0 ("/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h")
0012| 0xbfffb98c --> 0xd0 
0016| 0xbfffb990 --> 0x0 
0020| 0xbfffb994 --> 0x0 
0024| 0xbfffb998 --> 0x80001000 ('A' <repeats 200 times>...)
0028| 0xbfffb99c --> 0x80000006 ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
1611		memcpy(ret, ptr, MIN(old_size, copy_size));

gdb-peda$ p/x old_size
$2 = 0x80001000
gdb-peda$ p/x copy_size
$2 = 0xfffffff8
gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x36ba3020 ('A' <repeats 200 times>...)
EBX: 0xb7a8b000 --> 0x1aada8 
ECX: 0x7fe5df60 ('A' <repeats 200 times>...)
EDX: 0xb7000000 
ESI: 0xb6e14020 --> 0xb6e7c0fc ('A' <repeats 200 times>...)
EDI: 0xb6e7c0fc ('A' <repeats 200 times>...)
EBP: 0xbfffb9f8 --> 0xbfffba38 --> 0xbfffba68 --> 0xbfffbae8 --> 0xbfffbb38 --> 0xbfffbb48 (--> ...)
ESP: 0xbfffb978 --> 0x84efff0 (<concat_function>:	push   ebp)
EIP: 0xb7a14fe9 (<__memcpy_ssse3_rep+3481>:	movntdq XMMWORD PTR [edx],xmm0)
EFLAGS: 0x210206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a14fda <__memcpy_ssse3_rep+3466>:	lea    eax,[eax+0x80]
   0xb7a14fe0 <__memcpy_ssse3_rep+3472>:	lfence 
   0xb7a14fe3 <__memcpy_ssse3_rep+3475>:	sub    ecx,0x80
=> 0xb7a14fe9 <__memcpy_ssse3_rep+3481>:	movntdq XMMWORD PTR [edx],xmm0
   0xb7a14fed <__memcpy_ssse3_rep+3485>:	
    movntdq XMMWORD PTR [edx+0x10],xmm1
   0xb7a14ff2 <__memcpy_ssse3_rep+3490>:	
    movntdq XMMWORD PTR [edx+0x20],xmm2
   0xb7a14ff7 <__memcpy_ssse3_rep+3495>:	
    movntdq XMMWORD PTR [edx+0x30],xmm3
   0xb7a14ffc <__memcpy_ssse3_rep+3500>:	
    movntdq XMMWORD PTR [edx+0x40],xmm4
[------------------------------------stack-------------------------------------]
0000| 0xbfffb978 --> 0x84efff0 (<concat_function>:	push   ebp)
0004| 0xbfffb97c --> 0x84c713e (<zend_mm_realloc_heap+1866>:	mov    eax,DWORD PTR [ebp+0x24])
0008| 0xbfffb980 --> 0xb6e5d060 --> 0x1 
0012| 0xbfffb984 --> 0x36a00000 --> 0x1 
0016| 0xbfffb988 --> 0x80001000 ('A' <repeats 200 times>...)
0020| 0xbfffb98c --> 0xd0 
0024| 0xbfffb990 --> 0x0 
0028| 0xbfffb994 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1294
1294	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep ()
    at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1294
#1  0x084c713e in zend_mm_realloc_heap (heap=0xb6e00040, ptr=0x36a00000, 
    size=0xc, copy_size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:1611
#2  0x084c8bcd in _erealloc (ptr=0x36a00000, size=0xfffffff8, 
    __zend_filename=0x8b73aa0 "/home/hjy/Desktop/php-7.1.7/Zend/zend_string.h", __zend_lineno=0xd0, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_alloc.c:2446
#3  0x084e774f in zend_string_extend (s=0x36a00000, len=0xffffffe4, 
    persistent=0x0) at /home/hjy/Desktop/php-7.1.7/Zend/zend_string.h:208
#4  0x084f04ba in concat_function (result=0xb6e14050, op1=0xb6e14050, 
    op2=0xb6e14050) at /home/hjy/Desktop/php-7.1.7/Zend/zend_operators.c:1759
#5  0x0859b599 in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x84efff0 <concat_function>)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44196
#6  0x0859b7bb in ZEND_ASSIGN_CONCAT_SPEC_CV_CV_HANDLER ()
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:44613
#7  0x08548973 in execute_ex (ex=0xb6e14020)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
#8  0x08548a36 in zend_execute (op_array=0xb6e6c1e0, return_value=0x0)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
#9  0x084f74a1 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
#10 0x08479d1f in php_execute_script (primary_file=0xbfffdeb4)
    at /home/hjy/Desktop/php-7.1.7/main/main.c:2537
#11 0x085b9dbe in do_cli (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
#12 0x085bac75 in main (argc=0x3, argv=0x8c4d068)
    at /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
#13 0xb78f9a83 in __libc_start_main (main=0x85ba68d <main>, argc=0x3, 
    argv=0xbffff154, init=0x85c3cd0 <__libc_csu_init>, 
    fini=0x85c3d40 <__libc_csu_fini>, rtld_fini=0xb7fed180 <_dl_fini>, 
    stack_end=0xbffff14c) at libc-start.c:287
#14 0x08070f21 in _start ()

The heap size is 0xc. Then old_size and copy_size are bigger than the heap size.
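As an added example (not code from this report or from php-src), the following models in 32-bit arithmetic how the allocation size for the concatenated string can wrap to a tiny value while the copy length stays huge, using the two lengths from the report (0x7fffffff and 0x7ffffff2). The 16-byte header, 8-byte alignment, and the 2 MiB rounding applied above an assumed threshold are assumptions of the model, not the engine's actual constants; the checked variant shows the arithmetic a fix has to guard.

```c
/* Added example: 32-bit model of string-allocation size arithmetic.
 * HDR_SIZE, ALIGN8, HUGE_ALIGN and HUGE_THRESHOLD are assumed model
 * constants, not values taken from php-src. */
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE       16u        /* assumed header bytes before the characters */
#define ALIGN8         8u         /* assumed small-allocation alignment */
#define HUGE_ALIGN     0x200000u  /* assumed rounding for huge blocks (2 MiB) */
#define HUGE_THRESHOLD 0x1FF000u  /* assumed: requests above this are chunk-rounded */

/* Round n up to a power-of-two boundary a; wraps silently in 32 bits. */
static uint32_t round_up32(uint32_t n, uint32_t a) {
    return (uint32_t)(n + a - 1u) & ~(a - 1u);
}

/* Unchecked model: header + len + NUL, then rounding. Each step may wrap. */
uint32_t unchecked_alloc_size(uint32_t op1_len, uint32_t op2_len) {
    uint32_t len = (uint32_t)(op1_len + op2_len);          /* concat length */
    uint32_t sz  = round_up32((uint32_t)(HDR_SIZE + len + 1u), ALIGN8);
    if (sz > HUGE_THRESHOLD)
        sz = round_up32(sz, HUGE_ALIGN);                   /* can wrap to 0 */
    return sz;
}

/* Checked model: returns 0 (never a valid size here) if any step would wrap. */
uint32_t checked_alloc_size(uint32_t op1_len, uint32_t op2_len) {
    uint32_t len, sz;
    if (op1_len > UINT32_MAX - op2_len) return 0;           /* len sum wraps */
    len = op1_len + op2_len;
    if (len > UINT32_MAX - HDR_SIZE - 1u) return 0;         /* header add wraps */
    sz = HDR_SIZE + len + 1u;
    if (sz > UINT32_MAX - (ALIGN8 - 1u)) return 0;          /* 8-byte rounding wraps */
    sz = round_up32(sz, ALIGN8);
    if (sz > HUGE_THRESHOLD) {
        if (sz > UINT32_MAX - (HUGE_ALIGN - 1u)) return 0;  /* chunk rounding wraps */
        sz = round_up32(sz, HUGE_ALIGN);
    }
    return sz;
}

int main(void) {
    /* First script: 0x7fffffff + 0x7fffffff, header add wraps to a 16-byte request. */
    printf("unchecked 0x7fffffff: 0x%x\n", unchecked_alloc_size(0x7fffffffu, 0x7fffffffu));
    /* Second script: 0x7ffffff2 + 0x7ffffff2, chunk rounding wraps to 0. */
    printf("unchecked 0x7ffffff2: 0x%x\n", unchecked_alloc_size(0x7ffffff2u, 0x7ffffff2u));
    printf("checked   0x7ffffff2: 0x%x (0 = refused)\n", checked_alloc_size(0x7ffffff2u, 0x7ffffff2u));
    return 0;
}
```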
 [2021-07-16 15:45 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2021-07-16 16:23 UTC] cmb@php.net
-Summary: Heap buffer overflow via str_repeat +Summary: Integer overflow in zend_string_alloc() -Assigned To: +Assigned To: cmb
 [2021-07-21 09:51 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #74960: Integer overflow in zend_string_alloc()
On GitHub:  https://github.com/php/php-src/pull/7252
Patch:      https://github.com/php/php-src/pull/7252.patch
 [2021-07-21 12:11 UTC] cmb@php.net
-Summary: Integer overflow in zend_string_alloc() +Summary: Heap buffer overflow via str_repeat
 [2021-07-21 12:11 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #74960: Heap buffer overflow via str_repeat
On GitHub:  https://github.com/php/php-src/pull/7294
Patch:      https://github.com/php/php-src/pull/7294.patch
 [2021-07-21 13:37 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/760ff841a14160f25348f7969985cb8a2c4da3cc
Log: Fix #74960: Heap buffer overflow via str_repeat
 [2021-07-21 13:37 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC