Bug #78833 Integer overflow in pack causes out-of-bound access
Submitted: 2019-11-18 20:47 UTC Modified: 2019-12-02 10:23 UTC
From: thomas dot bouzerar at protonmail dot com Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.3.11 OS: ALL
Private report: No CVE-ID: None
 [2019-11-18 20:47 UTC] thomas dot bouzerar at protonmail dot com
Description:
------------
There exists an integer overflow in the builtin php function pack, as seen in the code below:

case 'E': /* big endian double */
  if (arg < 0) {
    arg = num_args - currentarg;
  }

currentarg += arg; // currentarg (signed int) can be overflowed by chaining multiple positive 'arg' values

currentarg is later used by:
case 'H':
  /* ... */
  if (arg < 0) {
    if (!try_convert_to_string(&argv[currentarg])) {
      efree(formatcodes);
      efree(formatargs);
      return;
    }
  /* ... */

Causing an out-of-bounds read from the argv array. This might lead to a sensitive memory leak (although not tested) or a DoS.


Test script:
---------------
<?php
pack("E2E2147483647H*", 0x0, 0x0, 0x0);
?>


Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000055555584c10e in ?? ()

$rax   : 0x7ff7f521d100    
$rbx   : 0xf               
$rcx   : 0x48              
$rdx   : 0x2a              
$rsp   : 0x00007fffffffa510  →  0x0000000000000003
$rbp   : 0x2               
$rsi   : 0x000055555584c208  →   test eax, eax
$rdi   : 0x00005555560a3190  →  0xff7a8f68ff5da44d
$rip   : 0x000055555584c10e  →   cmp BYTE PTR [rax+0x8], 0x6
$r8    : 0x00007ffff5202ab8  →  "E2E2147483647H*"
$r9    : 0x00005555560a2ee4  →  0xff7a8d1cff7a8d3c
$r10   : 0x00007ffff5277100  →  0x7fffffff00000002
$r11   : 0x00007ffff5202aa0  →  0x0000004600000001
$r12   : 0x48              
$r13   : 0x00007ffff526a040  →  0x00007ffff5264545  →  0x0000000000000000
$r14   : 0xf               
$r15   : 0x80000001        
$eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 

─────────────────────────────────────────────────────── code:x86:64 ────
   0x55555584c102                  movsxd rax, r15d
   0x55555584c105                  shl    rax, 0x4
   0x55555584c109                  add    rax, QWORD PTR [rsp+0x10]
 → 0x55555584c10e                  cmp    BYTE PTR [rax+0x8], 0x6
   0x55555584c112                  je     0x55555584c14c
   0x55555584c114                  mov    QWORD PTR [rsp+0x28], r10
   0x55555584c119                  mov    rdi, rax
   0x55555584c11c                  mov    QWORD PTR [rsp+0x20], r8
   0x55555584c121                  mov    QWORD PTR [rsp+0x18], r11
─────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "php", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────── trace ────
[#0] 0x55555584c10e → cmp BYTE PTR [rax+0x8], 0x6
[#1] 0x555555993048 → execute_ex()
[#2] 0x555555997d46 → zend_execute()
[#3] 0x5555559105eb → zend_execute_scripts()
[#4] 0x5555558b2cf9 → php_execute_script()
[#5] 0x55555599a33d → lea rax, [rip+0x8951fc]        # 0x55555622f540 <executor_globals>
[#6] 0x5555556a1fa7 → mov ebp, eax
[#7] 0x7ffff74ab153 → __libc_start_main()
[#8] 0x5555556a26ce → _start()
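The report above describes the mechanism but not how the wrapped index slips past the existing checks. The following is an added example, written for this page and not taken from php-src or from the reporter: a reduced C model of pack()'s argument-counting pass with the unchecked `currentarg += arg` beside a guarded version. The set of format codes and the "too few arguments" checks are simplified from the description, the repeat count parser clamps counts beyond INT_MAX (an assumption; pack() itself uses atoi), the wrap is done in unsigned arithmetic so the demo is deterministic rather than relying on signed-overflow behaviour, and the guard `arg > INT_MAX - currentarg` is the kind of check the tracker says is worth adding, not a claim about what the committed fix looks like.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the first pass over a pack() format string. PACK_OOB_READ is
 * reported at the point where the real code would already have read
 * argv[currentarg] with a negative index (the crash in the report). */
enum pack_status {
    PACK_OK = 0,
    PACK_TOO_FEW_ARGS,  /* "Type X: too few arguments" */
    PACK_OOB_READ,      /* unchecked build: negative argv index reached */
    PACK_BAD_CODE       /* format code this model does not handle */
};

/* Repeat count following a format code: '*' -> -1, digits -> the number,
 * nothing -> 1. Assumption of this model: counts beyond INT_MAX are
 * clamped (pack() parses them with atoi). */
static int parse_count(const char *fmt, size_t *pos)
{
    if (fmt[*pos] == '*') {
        (*pos)++;
        return -1;
    }
    if (fmt[*pos] >= '0' && fmt[*pos] <= '9') {
        char *end;
        long v = strtol(fmt + *pos, &end, 10);
        *pos = (size_t)(end - fmt);
        return v > INT_MAX ? INT_MAX : (int)v;
    }
    return 1;
}

/* Model of the argument-counting pass. `currentarg` is the index of the
 * next argv slot to consume. hardened == false reproduces the unchecked
 * `currentarg += arg` from the report; hardened == true refuses an
 * addition that would exceed INT_MAX. *out_idx receives the final index
 * on every return. */
enum pack_status pack_count_args(const char *fmt, int num_args,
                                 bool hardened, int *out_idx)
{
    size_t pos = 0, len = strlen(fmt);
    int currentarg = 0;
    enum pack_status st = PACK_OK;

    while (pos < len && st == PACK_OK) {
        char code = fmt[pos++];
        int arg = parse_count(fmt, &pos);

        switch (code) {
        /* one argument; '*' takes its length from argv[currentarg] */
        case 'a': case 'A': case 'Z': case 'h': case 'H':
            if (currentarg >= num_args) {
                st = PACK_TOO_FEW_ARGS;
            } else if (currentarg < 0) {
                /* pack() reads argv[currentarg] here: the bound check
                 * above only looks at the upper end, so a negative
                 * index passes it */
                st = PACK_OOB_READ;
            } else {
                currentarg++;
            }
            break;

        /* one argument per repeat; '*' consumes everything left */
        case 'c': case 'C': case 's': case 'S': case 'n': case 'v':
        case 'i': case 'I': case 'l': case 'L': case 'N': case 'V':
        case 'q': case 'Q': case 'J': case 'P':
        case 'f': case 'g': case 'G': case 'd': case 'e': case 'E':
            if (arg < 0) {
                arg = (int)((unsigned)num_args - (unsigned)currentarg);
            }
            if (hardened && arg > INT_MAX - currentarg) {
                /* more repeats than an int can index: cannot be satisfied */
                st = PACK_TOO_FEW_ARGS;
                break;
            }
            /* Unchecked path. The wrap is done in unsigned arithmetic so
             * the demo is deterministic; in the reported code it is a
             * signed overflow that in practice yields the same
             * two's-complement value, e.g. 2 + 2147483647 -> 0x80000001. */
            currentarg = (int)((unsigned)currentarg + (unsigned)arg);
            if (currentarg > num_args) {
                st = PACK_TOO_FEW_ARGS;  /* a wrapped negative value passes */
            }
            break;

        default:
            st = PACK_BAD_CODE;
        }
    }
    *out_idx = currentarg;
    return st;
}

/* Small wrappers so each result can be inspected as a plain return value. */
int pack_status_of(const char *fmt, int num_args, bool hardened)
{
    int idx;
    return (int)pack_count_args(fmt, num_args, hardened, &idx);
}

int pack_index_of(const char *fmt, int num_args, bool hardened)
{
    int idx;
    pack_count_args(fmt, num_args, hardened, &idx);
    return idx;
}

int main(void)
{
    const char *fmt = "E2E2147483647H*";  /* the report's test script, 3 args */
    printf("unchecked: status %d, argv index %d (0x%08x)\n",
           pack_status_of(fmt, 3, false), pack_index_of(fmt, 3, false),
           (unsigned)pack_index_of(fmt, 3, false));
    printf("hardened:  status %d, argv index %d\n",
           pack_status_of(fmt, 3, true), pack_index_of(fmt, 3, true));
    return 0;
}
```

Run against the report's format string with three arguments, the unchecked model ends the second `E` with `currentarg` equal to INT_MIN + 1 (0x80000001, the value visible in r15 in the register dump), which is below `num_args` and so passes both the `currentarg > num_args` check and the `currentarg >= num_args` check before `H*` reads `argv[currentarg]`. The guarded model rejects the second `E` as "too few arguments" before the addition happens, which is the only place the condition can be caught: once the wrap has occurred, no later upper-bound comparison will see it.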



History
 [2019-11-18 22:24 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Strings related
 [2019-11-18 22:24 UTC] stas@php.net
Not a security issue, but probably worth adding a check.
 [2019-11-19 13:23 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78833: Integer overflow in pack causes out-of-bound access
On GitHub:  https://github.com/php/php-src/pull/4932
Patch:      https://github.com/php/php-src/pull/4932.patch
 [2019-11-26 10:57 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-12-02 10:22 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=db420cb6a141876b2f7d101051fb01934a28071a
Log: Fix #78833: Integer overflow in pack causes out-of-bound access
 [2019-12-02 10:22 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-12-02 10:23 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC