Bug #78363 Buffer overflow in zendparse
Submitted: 2019-08-01 20:18 UTC Modified: 2019-08-02 08:45 UTC
From: iamliketohack at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.7 OS: Ubuntu
Private report: No CVE-ID: None
 [2019-08-01 20:18 UTC] iamliketohack at gmail dot com
Description:
------------
I have found a potential Global Buffer Overflow in PHP 7.3.7; other versions may also be affected. I built PHP with ASAN support and fuzzed PHP using AFL, which revealed the below information:

Test script:
---------------
I have a testcase which reproduces this bug, how can I send it?

Actual result:
--------------
==1572==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002fc6e48 at pc 0x0000004eda9b bp 0x7ffd2bae3870 sp 0x7ffd2bae3020
READ of size 13 at 0x000002fc6e48 thread T0
    #0 0x4eda9a in __interceptor_memcmp.part.283 (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4eda9a)
    #1 0x1e507ce in zend_yytnamerr /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:7088:4
    #2 0x1e4e143 in yysyntax_error /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:3168:22
    #3 0x1e42b06 in zendparse /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:6885:33
    #4 0x1e54b92 in zend_compile /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_scanner.l:586:7
    #5 0x1e54720 in compile_file /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_scanner.l:636:14
    #6 0x17512ec in phar_compile_file /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/ext/phar/phar.c:3347:9
    #7 0x1f9d75d in zend_execute_scripts /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend.c:1562:14
    #8 0x1da0f4f in php_execute_script /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/main/main.c:2630:14
    #9 0x23ec780 in do_cli /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php_cli.c:997:5
    #10 0x23e98bb in main /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php_cli.c:1389:18
    #11 0x7f1ee158eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4546b9 in _start (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4546b9)

0x000002fc6e48 is located 56 bytes to the left of global variable '<string literal>' defined in '/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:873:38' (0x2fc6e80) of size 4
  '<string literal>' is ascii string ''(''
0x000002fc6e48 is located 0 bytes to the right of global variable '<string literal>' defined in '/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:873:27' (0x2fc6e40) of size 8
  '<string literal>' is ascii string 'T_ERROR'
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4eda9a) in __interceptor_memcmp.part.283
==1572==ABORTING

History

 [2019-08-01 20:42 UTC] stas@php.net
-Summary: Potential Global Buffer Overlfow
+Summary: Buffer overflow in zendparse
-Type: Security
+Type: Bug
-Package: Reproducible crash
+Package: Scripting Engine problem
-PHP Version: Irrelevant
+PHP Version: 7.3.7
 [2019-08-01 20:44 UTC] stas@php.net
Test script, base64-encoded:

PD8wfDw8PGwKbF48PDxsDQAkYQoJbDA=
 [2019-08-02 07:58 UTC] nikic@php.net
Not getting errors under valgrind, just:

Parse error: Invalid body indentation level (expecting an indentation level of at least 1) in /home/nikic/php-7.3/t022.php on line 3

There is a somewhat suspicious memcmp(yystr, "\"end of file\"", sizeof("\"end of file\"") - 1) == 0 comparison in the yytnamerr implementation though... possibly that should be using strcmp.
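The comparison nikic points at is exactly the pattern the ASan report describes: `sizeof("\"end of file\"") - 1` is 13, so `memcmp` reads 13 bytes from `yystr` even when `yystr` is the 8-byte literal `"T_ERROR"` (7 characters plus NUL), running 5 bytes past it (the report's "READ of size 13 ... 0 bytes to the right of 'T_ERROR' of size 8"). The following added example (not code from php-src; the token names are constructed samples) shows the fixed-length comparison beside the `strcmp` form and a small audit helper that computes how far a given `memcmp` length would over-read a NUL-terminated name.

```c
#include <stdio.h>
#include <string.h>

/* Bison emits token names into yytname[] as quoted strings for "real"
 * tokens and bare identifiers otherwise. These are constructed samples
 * for this example, not copied from zend_language_parser.c. */
#define EOF_NAME "\"end of file\""          /* 13 characters + NUL */

/* The pattern from the report: compares a fixed 13 bytes regardless of
 * how long yystr is. For the 8-byte literal "T_ERROR" memcmp reads 5
 * bytes past the end of the object: a global-buffer-overflow under ASan,
 * and silent on a normal build because the bytes are usually readable.
 * Only safe to call when yystr is known to be at least 13 bytes long. */
static int is_eof_name_memcmp(const char *yystr)
{
    return memcmp(yystr, EOF_NAME, sizeof(EOF_NAME) - 1) == 0;
}

/* Fixed form: strcmp stops at the first NUL of either operand, so it
 * never reads past the end of a shorter yystr. */
static int is_eof_name_strcmp(const char *yystr)
{
    return strcmp(yystr, EOF_NAME) == 0;
}

/* Audit helper: how many bytes would memcmp(yystr, ..., n) read beyond
 * the terminating NUL of yystr? The scan stops at n, so it is itself
 * bounded. Returns 0 when the string is long enough for the comparison. */
static size_t memcmp_overread_bytes(const char *yystr, size_t n)
{
    size_t len = 0;
    while (len < n && yystr[len] != '\0')
        len++;
    return len < n ? n - (len + 1) : 0;   /* object is len + 1 bytes */
}

int main(void)
{
    const char *names[] = { EOF_NAME, "T_ERROR", "\"(\"" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("%-16s strcmp=%d overread=%zu\n", names[i],
               is_eof_name_strcmp(names[i]),
               memcmp_overread_bytes(names[i], sizeof(EOF_NAME) - 1));
    }
    return 0;
}
```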
 [2019-08-02 08:39 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85e8ccd55e37028be6260c142c27689977564c9a
Log: Fixed bug #78363
 [2019-08-02 08:39 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-08-02 08:45 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-08-02 08:45 UTC] nikic@php.net
I've fixed this in 7.2 as the issue could also exist there and added the test for 7.3 in https://github.com/php/php-src/commit/d89157cd677a00dd02ab890b0af9dc40389514e2.

Peculiar that asan caught this but valgrind didn't.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 30 06:01:32 2025 UTC