php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77385 buffer overflow in fetch_token
Submitted: 2018-12-31 01:27 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hugh at allthethings dot co dot nz
New email:
PHP Version: OS:

 

 [2018-12-31 01:27 UTC] hugh at allthethings dot co dot nz 
Description:
------------
Similar to #77370, using enclen on an incomplete multibyte character will return a pointer after the end of the buffer. This will cause memory corruption and/or leakage.

Patch available at https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731

Reproduced on 5.6.39, 7.0.33, 7.1.25, but not on 7.2, 7.3 and master.

Test script:
---------------
php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'


Expected result:
----------------
no crash

Actual result:
--------------
$ ~/php-7.0.33/sapi/cli/php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
=================================================================
==27833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001a430 at pc 0x0000004d8aa1 bp 0x7ffe531d6220 sp 0x7ffe531d59d0
READ of size 4 at 0x60300001a430 thread T0
    #0 0x4d8aa0 in __asan_memcpy (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0)
    #1 0x85644b in onig_strcpy /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x85644b in onig_node_str_cat /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x8667eb in parse_exp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5109:6
    #4 0x864525 in parse_branch /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5450:7
    #5 0x860e42 in parse_subexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5487:7
    #6 0x858975 in parse_regexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5531:7
    #7 0x858975 in onig_parse_make_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5558
    #8 0x7dd735 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5302:7
    #9 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7
    #10 0x97e487 in php_mbregex_compile_pattern /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:456:19
    #11 0x978bce in _php_mb_regex_ereg_exec /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:727:7
    #12 0x1257a45 in ZEND_DO_ICALL_SPEC_HANDLER /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:586:2
    #13 0x10d966d in execute_ex /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:417:7
    #14 0x10da547 in zend_execute /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:458:2
    #15 0xeeec74 in zend_eval_stringl /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1137:4
    #16 0xeef77a in zend_eval_stringl_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1178:11
    #17 0xeef77a in zend_eval_string_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1189
    #18 0x13181f6 in do_cli /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1010:21
    #19 0x13150e5 in main /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1350:18
    #20 0x7f239ba07b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x4383f9 in _start (/home/hugh/php-7.0.33/sapi/cli/php+0x4383f9)

0x60300001a430 is located 0 bytes to the right of 32-byte region [0x60300001a410,0x60300001a430)
allocated by thread T0 here:
    #0 0x4eda50 in malloc (/home/hugh/php-7.0.33/sapi/cli/php+0x4eda50)
    #1 0xe29d1c in __zend_malloc /home/hugh/php-7.0.33/Zend/zend_alloc.c:2882:14
    #2 0xeabfb5 in zend_try_ct_eval_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5881:2
    #3 0xeabfb5 in zend_compile_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5992
    #4 0xe411a6 in zend_compile_expr /home/hugh/php-7.0.33/Zend/zend_compile.c:7232:4
    #5 0xe59afd in zend_compile_args /home/hugh/php-7.0.33/Zend/zend_compile.c:2785:4
    #6 0xe5bcb0 in zend_compile_call_common /home/hugh/php-7.0.33/Zend/zend_compile.c:2873:14

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fffb430: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fffb440: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb450: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffb460: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c067fffb470: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
=>0x0c067fffb480: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c067fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27833==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-02 08:44 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 08:44 UTC] stas@php.net 
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 21:14 UTC] hugh at allthethings dot co dot nz 
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:18 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC