Sec Bug #77382 heap buffer overflow due to incorrect length in expand_case_fold_string
Submitted: 2018-12-30 22:13 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
 [2018-12-30 22:13 UTC] hugh at allthethings dot co dot nz
Description:
------------
In expand_case_fold_string the len field is calculated off enclen, and is then used in onig_node_new_str which is passed to xmemcpy later down the line. This length may overshoot the string buffer if the last character is an unfinished multibyte character.

Patch available at https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947

Test script:
---------------
php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'

Expected result:
----------------
no crash

Actual result:
--------------
$ ~/php-5.6.39/sapi/cli/php -r 'var_dump(mb_split("(?i)000000000000000000000\xf0",""));'
=================================================================
==11478==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001fd8 at pc 0x0000004d67d1 bp 0x7ffcde7b2e90 sp 0x7ffcde7b2640
READ of size 4 at 0x606000001fd8 thread T0
    #0 0x4d67d0 in __asan_memcpy (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0)
    #1 0x87e12b in onig_strcpy /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x87e12b in onig_node_str_cat /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x87ed4e in node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1515:7
    #4 0x87ed4e in onig_node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1525
    #5 0x80e2a3 in expand_case_fold_string_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3289:11
    #6 0x80e2a3 in expand_case_fold_string /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3431
    #7 0x80e2a3 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3687
    #8 0x8118d7 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3810:8
    #9 0x805bd8 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5336:7
    #10 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7
    #11 0x9a6975 in php_mbregex_compile_pattern /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:458:19
    #12 0x9a5c97 in zif_mb_split /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:1076:12
    #13 0x11a18b8 in zend_do_fcall_common_helper_SPEC /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:558:5
    #14 0xffb81d in execute_ex /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:363:14
    #15 0xffd802 in zend_execute /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:388:2
    #16 0xebd637 in zend_eval_stringl /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1080:4
    #17 0xebedb9 in zend_eval_stringl_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1127:11
    #18 0xebedb9 in zend_eval_string_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1138
    #19 0x1259386 in do_cli /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1040:31
    #20 0x1256181 in main /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1386:18
    #21 0x7f66c1fb5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #22 0x436129 in _start (/home/hugh/php-5.6.39/sapi/cli/php+0x436129)

0x606000001fd8 is located 0 bytes to the right of 56-byte region [0x606000001fa0,0x606000001fd8)
allocated by thread T0 here:
    #0 0x4eb780 in malloc (/home/hugh/php-5.6.39/sapi/cli/php+0x4eb780)
    #1 0x888fc3 in node_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1129:18
    #2 0x888fc3 in onig_node_new_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1266
    #3 0x888fc3 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5505
    #4 0x890c12 in parse_enclose /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:4551:11
    #5 0x890c12 in parse_exp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5072
    #6 0x88c561 in parse_branch /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5460:11
    #7 0x888b22 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5487:7
    #8 0x880655 in parse_regexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5531:7
    #9 0x880655 in onig_parse_make_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5558
    #10 0x805645 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5301:7
    #11 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0) in __asan_memcpy
==11478==ABORTING
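The report above describes a length derived from the lead byte of the last character (via an enclen()-style helper) being used for a copy without checking how many bytes actually remain in the buffer; with a UTF-8 pattern encoding the lone 0xF0 lead byte announces a 4-byte sequence, which matches the 4-byte read ASan records. The following C code is an added illustration of the defensive check, not Oniguruma's or the patch's own code; `utf8_enclen`, `safe_char_len` and `overshoot_bytes` are hypothetical helper names and the sample patterns are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Expected byte length of a UTF-8 sequence, judged from its lead byte only.
 * This mirrors what an enclen()-style helper knows: nothing about how many
 * bytes are actually left in the buffer. (Hypothetical helper.) */
static size_t utf8_enclen(unsigned char lead)
{
    if (lead < 0x80)          return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1; /* stray continuation or invalid lead byte: consume one byte */
}

/* Hardened length: never extend past `end`. Sets *truncated when the final
 * character is incomplete, so callers can reject the pattern or copy only
 * the bytes that exist. (Hypothetical helper.) */
size_t safe_char_len(const unsigned char *p, const unsigned char *end,
                     int *truncated)
{
    size_t want = utf8_enclen(*p);
    size_t remain = (size_t)(end - p);
    *truncated = (want > remain);
    return *truncated ? remain : want;
}

/* Walks a pattern buffer of n bytes and returns how many bytes a copy that
 * trusted the raw enclen() result would read past the end of the buffer.
 * A complete pattern yields 0; "...\xf0" yields 3. */
size_t overshoot_bytes(const unsigned char *buf, size_t n)
{
    const unsigned char *p = buf, *end = buf + n;
    size_t raw = 0, safe = 0;
    while (p < end) {
        int truncated;
        size_t got = safe_char_len(p, end, &truncated);
        raw  += utf8_enclen(*p);  /* what the unchecked copy would read */
        safe += got;              /* what actually exists in the buffer */
        p += got;
    }
    return raw - safe;
}
```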

 [2019-01-02 08:43 UTC] stas@php.net
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 08:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 21:16 UTC] hugh at allthethings dot co dot nz
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:18 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

See bug #77381
 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023