Sec Bug #77721 Heap-use-after-free (READ of size 8) in match_at()
Submitted: 2019-03-10 20:04 UTC Modified: 2019-08-25 07:26 UTC
From: geeknik at protonmail dot ch Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.3.3 OS: Fedora 29 x64
Private report: No CVE-ID: None
 [2019-03-10 20:04 UTC] geeknik at protonmail dot ch
Description:
------------
This heap-use-after-free was discovered while fuzzing 7.3.2 with AFL and verified in 7.3.3.

Test script:
---------------
php -r '$file=file_get_contents("test0011"); print_r(mbreg($file, 0));'


echo "KCg/KAApMCspKysrKCgoMFxnPDA+KTApfCgpKSsrKysoKD8oMSkoMFxnPDA+KSkrKysrKyswKigp
KSsrKysoKD8oMSkoMFxnPDE+KSspKysrKysrKysrKyooKSkrKysrKCg/KDEpKCgwKVxnPDA+KSsp
KysoKSkrMCsrKisrKygoKDBcZzwwPikpKigpKSsrKysoKD8oMSkoMFxnPDA+KSspKysrKysrKysr
Kyp8KSsrKysqKysrKCg/KDEpKCgwKVxnPDA+KSspKysrKysrKysrKCkpKysqfCkrKysrKCg/KAAp
MCkpfA==" | base64 -d | tee test0011

sha256sum test0011
d2cf6b02cca2e840688fde31615732602888926dc537a1da65321882ce0f2341


Expected result:
----------------
No crash.

Actual result:
--------------
==29451==ERROR: AddressSanitizer: heap-use-after-free on address 0x62600000bbf8 at pc 0x00000117cc7f bp 0x7ffc6692dcd0 sp 0x7ffc6692dcc8
READ of size 8 at 0x62600000bbf8 thread T0
    #0 0x117cc7e in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c
    #1 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #2 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #3 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #4 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #5 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #6 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #7 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #8 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #9 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #10 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #11 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #12 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x448109 in _start (/root/php-7.3.3/sapi/cli/php+0x448109)

0x62600000bbf8 is located 11000 bytes inside of 11056-byte region [0x626000009100,0x62600000bc30)
freed by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116ea54 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3248:7
    #3 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #4 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #5 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #6 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #7 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #8 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #9 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #10 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #11 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #12 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #13 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #14 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116e672 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3487:7
    #3 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #4 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #5 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #6 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #7 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #8 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #9 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #10 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #11 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #12 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #13 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #14 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c in match_at
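The two ASan reports in this thread differ only in how well they are symbolized; what a triager wants from either is the same three stacks side by side (the faulting access, the free, and the allocation). The following is an added example, not code from the bug report, from PHP or from oniguruma: it parses an ASan heap-use-after-free report into those stacks and flags the pattern visible in the Linux trace above, where the "free" is the realloc() inside stack_double, so the block was moved rather than released and a pointer into the old copy outlived the resize. The function names, the RUNTIME_MARKERS list and the realloc heuristic are this example's own; the sample input is an abridged copy of the Linux report above.

```python
"""Triage helper for AddressSanitizer heap reports (added example; not code
from the bug report, PHP or oniguruma).  Splits a report into the access,
free and allocation stacks, names the first program frame of each, and flags
a free stack that starts in realloc(): a moved block, not a released one."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the Linux report from the bug,
# keeping only the frames needed to show the structure.
SAMPLE_REPORT = """\
==29451==ERROR: AddressSanitizer: heap-use-after-free on address 0x62600000bbf8 at pc 0x00000117cc7f bp 0x7ffc6692dcd0 sp 0x7ffc6692dcc8
READ of size 8 at 0x62600000bbf8 thread T0
    #0 0x117cc7e in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c
    #1 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7

0x62600000bbf8 is located 11000 bytes inside of 11056-byte region [0x626000009100,0x62600000bc30)
freed by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116ea54 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3248:7

previously allocated by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116e672 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3487:7

SUMMARY: AddressSanitizer: heap-use-after-free /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c in match_at
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-fA-F]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+)\s*(?P<loc>.*)$")
SECTION_STARTS = {"freed by thread": "free", "previously allocated by thread": "alloc"}
# Location substrings marking sanitizer/allocator interposer frames, not program code.
RUNTIME_MARKERS = ("compiler-rt", "clang_rt", "asan_")


@dataclass
class Frame:
    func: str
    location: str


@dataclass
class AsanReport:
    kind: str = ""
    access_op: str = ""
    access_size: int = 0
    region_offset: int = -1
    region_size: int = -1
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "free": [], "alloc": []})


def parse_asan_report(text: str) -> AsanReport:
    """Frames are attributed to the most recent section header (READ/WRITE,
    'freed by', 'previously allocated by'); everything else is skipped."""
    report, current = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            report.kind = m["kind"]
        elif m := ACCESS_RE.match(line):
            report.access_op, report.access_size = m["op"], int(m["size"])
            current = "access"
        elif m := REGION_RE.search(line):
            report.region_offset, report.region_size = int(m["off"]), int(m["size"])
        elif line.startswith(tuple(SECTION_STARTS)):
            current = next(v for k, v in SECTION_STARTS.items() if line.startswith(k))
        elif (m := FRAME_RE.match(line)) and current is not None:
            report.stacks[current].append(Frame(m["func"], m["loc"].strip()))
    return report


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip interposer frames (realloc in compiler-rt, _asan_memmove in clang_rt)
    so the result names the program function that performed the operation."""
    return next((f for f in frames
                 if not any(mark in f.location for mark in RUNTIME_MARKERS)), None)


def moved_by_realloc(report: AsanReport) -> bool:
    """True when the 'free' stack starts in realloc(): the program never released
    the block, a resize moved it, so some caller kept a pointer across the call."""
    free = report.stacks["free"]
    return bool(free) and free[0].func.split("+")[0].lstrip("_") in ("realloc", "interceptor_realloc")


def triage(text: str) -> Dict[str, object]:
    """Who used, freed and allocated the block, plus the realloc hint."""
    report = parse_asan_report(text)
    pick = {name: first_project_frame(frames) for name, frames in report.stacks.items()}
    return {
        "kind": report.kind,
        "access": (report.access_op, report.access_size, report.region_offset, report.region_size),
        "used_in": pick["access"].func if pick["access"] else None,
        "freed_in": pick["free"].func if pick["free"] else None,
        "allocated_in": pick["alloc"].func if pick["alloc"] else None,
        "moved_by_realloc": moved_by_realloc(report),
    }
```

On the Windows report in this thread the free stack starts in _asan_memmove and the nearest-export symbolization names unrelated oniguruma functions, so moved_by_realloc returns False there; the heuristic is a hint for properly symbolized builds, not a root-cause proof, and the fix still has to be confirmed in the library source.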

 [2019-03-11 03:20 UTC] geeknik at protonmail dot ch
Test script is actually:

php -r '$file=file_get_contents("test0011"); print_r(mb_ereg($file, 0));'
 [2019-03-11 10:59 UTC] cmb@php.net
-Package: *Regular Expressions +Package: mbstring related
 [2019-03-31 06:53 UTC] stas@php.net
Since we're moving away from bundling oniguruma, maybe it should be reported to oniguruma maintainers - https://github.com/kkos/oniguruma
 [2019-04-06 00:00 UTC] geeknik at protonmail dot ch
Someone else reported a similar UAF back in 2017 that is still unpatched, so this one is now public at https://github.com/kkos/oniguruma/issues/139.
 [2019-04-18 08:42 UTC] cmb@php.net
With PHP-7.3 on Windows (bundled oniguruma 6.9.0) I get a somewhat different ASAN report:

=================================================================
==7000==ERROR: AddressSanitizer: heap-use-after-free on address 0x11805420b8d8 at pc 0x7ff805b0c066 bp 0x001a2e9fae80 sp 0x001a2e9faec8
READ of size 8 at 0x11805420b8d8 thread T0
    #0 0x7ff805b0c065 in onig_match_with_param+0x12e55 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18072c065)
    #1 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #2 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #3 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #4 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #5 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #6 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #7 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #8 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #9 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #10 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #11 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #12 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

0x11805420b8d8 is located 10200 bytes inside of 10672-byte region [0x118054209100,0x11805420bab0)
freed by thread T0 here:
    #0 0x7ff804a847d5 in _asan_memmove+0x5d5 (C:\Program Files\LLVM\lib\clang\8.0.0\lib\windows\clang_rt.asan_dynamic-x86_64.dll+0x1800347d5)
    #1 0x7ff805b19a27 in onig_setup_builtin_monitors_by_ascii_encoded_name+0x1947 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180739a27)
    #2 0x7ff805b01b40 in onig_match_with_param+0x8930 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180721b40)
    #3 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #4 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #5 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #6 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #7 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #8 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #9 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #10 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #11 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #12 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #13 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #14 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

previously allocated by thread T0 here:
    #0 0x7ff804a847d5 in _asan_memmove+0x5d5 (C:\Program Files\LLVM\lib\clang\8.0.0\lib\windows\clang_rt.asan_dynamic-x86_64.dll+0x1800347d5)
    #1 0x7ff805b19a27 in onig_setup_builtin_monitors_by_ascii_encoded_name+0x1947 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180739a27)
    #2 0x7ff805afb96e in onig_match_with_param+0x275e (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18071b96e)
    #3 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #4 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #5 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #6 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #7 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #8 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #9 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #10 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #11 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #12 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #13 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #14 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

SUMMARY: AddressSanitizer: heap-use-after-free (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18072c065) in onig_match_with_param+0x12e55
Shadow bytes around the buggy address:
  0x03645ea416c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x03645ea41710: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x03645ea41720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41750: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x03645ea41760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7000==ABORTING

With PHP-7.4 on Windows using oniguruma 6.9.1, ASAN does not complain. I assume the issue has been fixed with 6.9.1, but still we need to patch our bundled onigurumas.
 [2019-08-25 07:26 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2019-08-25 07:26 UTC] stas@php.net
Upgraded to 6.9.1, should have fixed it.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC