Bug #76244 A stack overflow vulnerability exists (most likely) in the isSet function
Submitted: 2018-04-20 11:12 UTC Modified: 2021-05-28 14:53 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: daniel dot teuchert at rub dot de Assigned: cmb
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.2.4 OS: Linux 4.6.2
Private report: No CVE-ID: None
 [2018-04-20 11:12 UTC] daniel dot teuchert at rub dot de
Description:
------------
Calling isSet with too many parameters causes a stack overflow.
Executing the test script results in a stack overflow.
The produced ASAN output can be found here: https://github.com/pnoltof/php_bug/blob/master/ASAN_output.txt
An attacker can possibly use this flaw to execute arbitrary code.

Steps to reproduce:
Build latest php version (compile with ASAN)
Download PoC file called "stack_overflow" (see Test script)
Execute binary file in $WORKDIR/php-7.2.4/sapi/cli/:
$WORKDIR/php-7.2.4/sapi/cli/php stack_overflow

I was not able to reproduce this behavior when debugging with gdb.

Test script:
---------------
PoC file can be found here: https://github.com/pnoltof/php_bug/blob/master/stack_overflow


 [2018-04-22 22:16 UTC] cmb@php.net
This does not look like a security issue, since checking so many
variables in a single isset() does not appear to be of any
practical purpose.
 [2018-04-23 03:34 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-04-23 03:34 UTC] stas@php.net
Not a security issue, please see https://wiki.php.net/security
 [2021-05-28 14:53 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Package: *Programming Data Structures +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2021-05-28 14:53 UTC] cmb@php.net
Actually, this looks like a recursion issue during parsing; I
don't think we want to "improve" the parser to handle such
pathological code.
Last updated: Mon Nov 25 03:01:31 2024 UTC