Sec Bug #77394 Buffer overflow in multibyte case folding - unicode
Submitted: 2019-01-01 21:23 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
 [2019-01-01 21:23 UTC] hugh at allthethings dot co dot nz
Description:
------------
When using mb regex functions such as mb_ereg and mb_split with a pattern containing (?i) and a string ending with an incomplete multibyte character, the case folding function will go past the end of the buffer. This can result in memory corruption and/or leakage.

Reproduced in 5.6.39, 7.0.33, and 7.1.25. Not an issue in 7.2, 7.3 and master.

Patch available at https://gist.github.com/hughdavenport/7f7b78c08aea058eaa955510d1548f12

Test script:
---------------
php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'

Expected result:
----------------
no crash

Actual result:
--------------
$ ../php-7.0.33/sapi/cli/php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'
=================================================================
==13642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000003ad8 at pc 0x0000008914cc bp 0x7ffd807c7430 sp 0x7ffd807c7428
READ of size 1 at 0x606000003ad8 thread T0
    #0 0x8914cb in onigenc_unicode_mbc_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/unicode.c:11026:15
    #1 0x896600 in mbc_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/utf8.c:219:12
    #2 0x80bbfb in update_string_node_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3208:11
    #3 0x80bbfb in expand_case_fold_make_rem_string /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3242
    #4 0x7ea7d9 in expand_case_fold_string /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3465:9
    #5 0x7ea7d9 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3688
    #6 0x7e99c7 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3811:8
    #7 0x7ddcc8 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5337:7
    #8 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7
    #9 0x97e487 in php_mbregex_compile_pattern /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:456:19
    #10 0x978bce in _php_mb_regex_ereg_exec /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:727:7
    #11 0x1257a45 in ZEND_DO_ICALL_SPEC_HANDLER /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:586:2
    #12 0x10d966d in execute_ex /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:417:7
    #13 0x10da547 in zend_execute /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:458:2
    #14 0xeeec74 in zend_eval_stringl /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1137:4
    #15 0xeef77a in zend_eval_stringl_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1178:11
    #16 0xeef77a in zend_eval_string_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1189
    #17 0x13181f6 in do_cli /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1010:21
    #18 0x13150e5 in main /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1350:18
    #19 0x7fb7612c5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x4383f9 in _start (/home/hugh/php-7.0.33/sapi/cli/php+0x4383f9)

0x606000003ad8 is located 0 bytes to the right of 56-byte region [0x606000003aa0,0x606000003ad8)
allocated by thread T0 here:
    #0 0x4eda50 in malloc (/home/hugh/php-7.0.33/sapi/cli/php+0x4eda50)
    #1 0x856f6f in node_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1129:18
    #2 0x856f6f in node_new_str /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1507
    #3 0x856f6f in onig_node_new_str /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1525
    #4 0x7e94b3 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3679:11
    #5 0x7e6d56 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3668:6
    #6 0x7ddcc8 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5337:7
    #7 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/unicode.c:11026:15 in onigenc_unicode_mbc_case_fold
Shadow bytes around the buggy address:
  0x0c0c7fff8700: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8710: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8720: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8730: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8740: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fff8750: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8760: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8770: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8780: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8790: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff87a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13642==ABORTING

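The bug class described in the report above, as an added example in C. This is not code from the report, from PHP or from Oniguruma: it models the shape of the defect (a UTF-8 walker that advances by the length the lead byte claims without comparing against the end of the buffer) next to a bounded variant that clamps every step to the bytes that remain. Assumptions: the lead-byte length table follows the old 1..6-byte UTF-8 scheme (under which 0xFD, the byte in the test script, claims a 6-byte sequence), case folding is ASCII-only with multibyte sequences copied verbatim, and all function names are hypothetical. The sample input is the pattern body from the report's test script, embedded inline.

```c
/* Added example (not Oniguruma or PHP code): a minimal model of the bug
 * class in this report. A pre-RFC3629-style 1..6-byte UTF-8 length table is
 * assumed; the unbounded walk trusts the lead byte, the bounded walk clamps
 * to end. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte length implied by a lead byte in the old 1..6-byte UTF-8 scheme
 * (assumption: mirrors the lead-byte table such decoders used; 0xFD,
 * the byte in the report, claims a 6-byte sequence). */
static size_t utf8_lead_len(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    if ((lead & 0xFC) == 0xF8) return 5;
    if ((lead & 0xFE) == 0xFC) return 6;
    return 1;  /* stray continuation byte or 0xFE/0xFF: treat as one byte */
}

/* The buggy shape: advance by the lead byte's claimed length with no
 * comparison against end. To keep this example free of undefined behaviour
 * it never dereferences past end; instead it returns how many bytes a
 * case-fold of the last character would read beyond the buffer
 * (0 means the walk stays in bounds). */
size_t unbounded_fold_overrun(const unsigned char *p, size_t n)
{
    const unsigned char *end = p + n;
    while (p < end) {
        size_t len = utf8_lead_len(*p);
        if (len > (size_t)(end - p))
            return len - (size_t)(end - p);   /* bytes that would be read past end */
        p += len;
    }
    return 0;
}

/* Hardened shape: every step is clamped to the bytes that remain, and a
 * truncated trailing sequence is copied as-is instead of read through.
 * Folding is ASCII-only (multibyte characters are copied verbatim), which
 * is enough to show the bounds logic; out must have room for n bytes.
 * Returns bytes written; *truncated is set when input ended mid-sequence. */
size_t bounded_fold(const unsigned char *p, size_t n,
                    unsigned char *out, int *truncated)
{
    const unsigned char *end = p + n;
    size_t w = 0;
    *truncated = 0;
    while (p < end) {
        size_t len = utf8_lead_len(*p);
        if (len > (size_t)(end - p)) {     /* the check the buggy walk lacks */
            *truncated = 1;
            len = (size_t)(end - p);
        }
        if (len == 1) {
            unsigned char c = *p;
            out[w++] = (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
        } else {
            memcpy(out + w, p, len);
            w += len;
        }
        p += len;
    }
    return w;
}

/* Constructed sample: the pattern body from the report's test script
 * ("(?i)" is regex syntax, not part of the string being folded). */
static const unsigned char report_pattern[] = "FFF00000000000000000\xfd";
#define REPORT_PATTERN_LEN (sizeof(report_pattern) - 1)

/* Bytes the unbounded walk would read past the end for the report's pattern. */
size_t report_pattern_overrun(void)
{
    return unbounded_fold_overrun(report_pattern, REPORT_PATTERN_LEN);
}

/* 1 if the bounded fold stays in bounds, flags truncation, lower-cases the
 * ASCII prefix and keeps the dangling 0xFD byte; 0 otherwise. */
int report_pattern_folds_safely(void)
{
    unsigned char out[REPORT_PATTERN_LEN];
    int truncated = 0;
    size_t w = bounded_fold(report_pattern, REPORT_PATTERN_LEN, out, &truncated);
    return w == REPORT_PATTERN_LEN && truncated == 1
        && out[0] == 'f' && out[1] == 'f' && out[2] == 'f'
        && out[w - 1] == 0xfd;
}

/* Constructed well-formed sample ("Ab" followed by U+00DF as C3 9F). */
size_t wellformed_sample_overrun(void)
{
    static const unsigned char s[] = "Ab\xc3\x9f";
    return unbounded_fold_overrun(s, sizeof(s) - 1);
}

int main(void)
{
    printf("unbounded walk would read %zu byte(s) past the end\n",
           report_pattern_overrun());
    printf("bounded fold handles the report pattern safely: %d\n",
           report_pattern_folds_safely());
    return 0;
}
```

The ASan report above shows the real code actually dereferencing the bytes past the 56-byte node allocation; this model deliberately stops at the comparison and reports the deficit (5 bytes for a lone 0xFD lead byte) so it runs cleanly under any compiler. The point for review is the single `len > end - p` comparison in `bounded_fold`: any per-character step in a decoder or case-folder that computes its stride from the lead byte alone needs that check before it reads or advances.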

History
 [2019-01-02 08:44 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 08:44 UTC] stas@php.net
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 21:10 UTC] hugh at allthethings dot co dot nz
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:18 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC