[2019-06-13 06:49 UTC] stas@php.net
-Status: Open
+Status: Feedback
-Type: Security
+Type: Bug
[2019-06-13 06:49 UTC] stas@php.net
[2019-06-13 08:40 UTC] sjon@php.net
[2019-06-13 08:41 UTC] sjon@php.net
-Status: Feedback
+Status: Verified
[2019-06-13 08:48 UTC] nikic@php.net
-Status: Verified
+Status: Assigned
-Assigned To:
+Assigned To: nikic
[2019-06-13 08:53 UTC] chinaxiaozhouzhou at gmail dot com
[2019-06-13 08:57 UTC] chinaxiaozhouzhou at gmail dot com
[2019-06-13 08:57 UTC] nikic@php.net
-Summary: php similar_text zval type confusion vulnerability
+Summary: SEND_VAR_NO_REF does not always send reference
[2019-06-13 08:59 UTC] nikic@php.net
[2019-06-13 08:59 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
[2019-06-13 09:54 UTC] nikic@php.net
[2020-12-09 11:48 UTC] nikic@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Nov 01 23:00:01 2025 UTC
Description:
------------
The crash is in the similar_text function, which is implemented in ext/standard/string.c:3489. We can fake a zval object.

Test script:
---------------
poc.php

<?php
// similar_text() takes its third parameter by reference; here it receives an
// assignment expression rather than a variable.
similar_text('a', 'a', $c=0x44444444);
?>

Expected result:
----------------
no crash

Actual result:
--------------
./php poc.php

asan output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==14691==ERROR: AddressSanitizer: SEGV on unknown address 0x00004444445c (pc 0x00000106a452 bp 0x7ffe2f6eb250 sp 0x7ffe2f6eadc0 T0)
==14691==The signal is caused by a READ memory access.
    #0 0x106a451 (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x106a451)
    #1 0x18f52da (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x18f52da)
    #2 0x16cf58d (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x16cf58d)
    #3 0x16d0a76 (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x16d0a76)
    #4 0x14ba157 (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x14ba157)
    #5 0x1235b88 (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1235b88)
    #6 0x1b45c7f (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1b45c7f)
    #7 0x1b42d9b (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1b42d9b)
    #8 0x7f09d8301b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x43f039 (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x43f039)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x106a451)
==14691==ABORTING

lldb output

* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x4444445c)
    frame #0: 0x000000000106a452 php`zif_similar_text(execute_data=0x00007ffff0c120a0, return_value=0x00007fffffff9000) at string.c:3514
   3511        sim = php_similar_char(ZSTR_VAL(t1), ZSTR_LEN(t1), ZSTR_VAL(t2), ZSTR_LEN(t2));
   3512
   3513        if (ac > 2) {
-> 3514            ZEND_TRY_ASSIGN_REF_DOUBLE(percent, sim * 200.0 / (ZSTR_LEN(t1) + ZSTR_LEN(t2)));
   3515        }
   3516
   3517        RETURN_LONG(sim);
(lldb) bt
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x4444445c)
  * frame #0: 0x000000000106a452 php`zif_similar_text(execute_data=0x00007ffff0c120a0, return_value=0x00007fffffff9000) at string.c:3514
    frame #1: 0x00000000018f52db php`ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER(execute_data=0x00007ffff0c12020) at zend_vm_execute.h:981
    frame #2: 0x00000000016cf58e php`execute_ex(ex=0x00007ffff0c12020) at zend_vm_execute.h:57134
    frame #3: 0x00000000016d0a77 php`zend_execute(op_array=0x00007ffff0c78380, return_value=0x0000000000000000) at zend_vm_execute.h:62631
    frame #4: 0x00000000014ba158 php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1625
    frame #5: 0x0000000001235b89 php`php_execute_script(primary_file=0x00007fffffffc820) at main.c:2650
    frame #6: 0x0000000001b45c80 php`do_cli(argc=2, argv=0x00006030000003a0) at php_cli.c:985
    frame #7: 0x0000000001b42d9c php`main(argc=2, argv=0x00006030000003a0) at php_cli.c:1375
    frame #8: 0x00007ffff60edb97 libc.so.6`__libc_start_main(main=(php`main at php_cli.c:1176), argc=2, argv=0x00007fffffffe338, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffe328) at libc-start.c:310
    frame #9: 0x000000000043f03a php`_start + 42
(lldb)
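The crash dump above is easier to read once the arithmetic behind the fault address is spelled out: ZEND_TRY_ASSIGN_REF_DOUBLE at string.c:3514 assumes the third argument arrived as a reference, takes the zval's 8-byte payload as a zend_reference pointer, and first reads the reference's typed-property sources list. With an IS_LONG payload of 0x44444444 that read lands at 0x44444444 + 0x18 = 0x4444445c, the address both ASAN and lldb report; the retitled summary locates the missing step in the SEND_VAR_NO_REF opcode, which did not wrap the value in a reference. The following C model is an added illustration, not code from the bug report or from php-src: the struct layouts are a simplification of PHP 7.4's Zend/zend_types.h (an 8-byte refcounted header, the 16-byte referenced zval, then the sources pointer at offset 24), the IS_* tag values and the percentage formula are taken from that header and from the listed string.c line, and every function name here is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type tags; assumed to match PHP 7.4's Zend/zend_types.h. */
#define IS_LONG      4
#define IS_DOUBLE    5
#define IS_REFERENCE 10

typedef struct _zend_reference zend_reference;

/* 16-byte zval: 8-byte payload union, then type_info whose low byte is the tag. */
typedef struct {
    union {
        int64_t         lval;
        double          dval;
        zend_reference *ref;
    } value;
    uint32_t type_info;
    uint32_t u2;
} zval;

typedef struct {
    uint32_t refcount;
    uint32_t type_info;
} zend_refcounted_h;

/* Simplified PHP 7.4 zend_reference: gc header (offset 0), the referenced
 * zval (offset 8), then the typed-property sources list (offset 24) that
 * ZEND_REF_HAS_TYPE_SOURCES() reads before anything else. */
struct _zend_reference {
    zend_refcounted_h gc;
    zval              val;
    void             *sources;
};

static uint8_t zval_type(const zval *zv) {
    return (uint8_t)(zv->type_info & 0xff);
}

/* What the PoC's `$c=0x44444444` produces: an integer, not a reference. */
static zval make_long_zval(int64_t v) {
    zval z;
    memset(&z, 0, sizeof z);
    z.value.lval = v;
    z.type_info = IS_LONG;
    return z;
}

/* What a by-reference parameter is supposed to receive. */
static zval make_ref_zval(zend_reference *r) {
    zval z;
    memset(&z, 0, sizeof z);
    z.value.ref = r;
    z.type_info = IS_REFERENCE;
    return z;
}

/* The percentage computed at string.c:3514: sim * 200.0 / (len1 + len2). */
static double similar_text_percent(size_t sim, size_t len1, size_t len2) {
    return sim * 200.0 / (double)(len1 + len2);
}

/* Address the engine macro touches first when it blindly does
 * Z_REF_P(zv)->sources: payload reinterpreted as a pointer plus the field
 * offset. Computed, not dereferenced, so this model does not segfault. */
static uintptr_t sources_read_address(const zval *zv) {
    return (uintptr_t)zv->value.ref + offsetof(zend_reference, sources);
}

/* Model of the same assignment with the invariant checked: only an
 * IS_REFERENCE zval may be treated as a zend_reference. Returns false
 * instead of dereferencing attacker-chosen bits. */
static bool checked_assign_ref_double(zval *zv, double d) {
    if (zval_type(zv) != IS_REFERENCE) {
        return false;
    }
    zend_reference *ref = zv->value.ref;
    if (ref->sources != NULL) {
        return false; /* typed-property coercion is out of scope for this model */
    }
    ref->val.value.dval = d;
    ref->val.type_info = IS_DOUBLE;
    return true;
}

int main(void) {
    zval bogus = make_long_zval(0x44444444);
    printf("unchecked path would read 0x%llx\n",
           (unsigned long long)sources_read_address(&bogus));
    printf("checked path accepts IS_LONG zval: %d\n",
           checked_assign_ref_double(&bogus, 100.0));

    zend_reference real;
    memset(&real, 0, sizeof real);
    zval ok = make_ref_zval(&real);
    bool accepted = checked_assign_ref_double(&ok, similar_text_percent(1, 1, 1));
    printf("checked path accepts real reference: %d, percent = %.1f\n",
           accepted, real.val.value.dval);
    return 0;
}
```

The model only reproduces the address computation; the real engine dereferences it, which is the READ fault ASAN reports. Note that the check lives on the callee side here purely for illustration, since the report's retitle places the defect in the calling opcode.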