Bug #79149 SEGV in mb_convert_encoding with non-string encodings
Submitted: 2020-01-21 14:21 UTC Modified: 2020-01-22 08:45 UTC
From: wxhusst at gmail dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: PHP 7.4 OS: linux
Private report: No CVE-ID: None
 [2020-01-21 14:21 UTC] wxhusst at gmail dot com
Description:
------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==116931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7fb588144ba5 bp 0x7fffc09a0570 sp 0x7fffc099fd08 T0)
==116931==The signal is caused by a READ memory access.
==116931==Hint: address points to the zero page.
    #0 0x7fb588144ba4  /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62
    #1 0x615eda in strlen /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x1c75c68 in _estrdup /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_alloc.c:2617:11
    #3 0x10c0d10 in zif_mb_convert_encoding /home/raven/fuzz/php-src-php-7.4.2/ext/mbstring/mbstring.c:3377:25
    #4 0x242215d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1269:2
    #5 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #6 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #7 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #8 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #9 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #10 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #11 0x7fb587fe01e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #12 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62 
==116931==ABORTING

Test script:
---------------
<?php
// Fuzzer-generated reproducer. In PHP 7.4 the "+" on non-numeric strings
// only emits warnings and evaluates to 0; the crash comes from the third
// argument, an array whose elements are not all strings.
try {
    try {
        mb_convert_encoding(
            str_repeat(chr(154), 257) + str_repeat(chr(40), 257) + str_repeat(chr(29), 17),
            str_repeat("A", 0x100),
            array("a" => 1, "b" => "2", "c" => 3.0)
        );
    } catch (Exception $e) {
    }
} catch (Error $e) {
}
?>


Expected result:
----------------
normal

Actual result:
--------------
crash

 [2020-01-21 15:55 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-01-21 15:55 UTC] cmb@php.net
I cannot reproduce this.  Does this only affect the master branch?
If so, it wouldn't be a security issue.
 [2020-01-21 16:12 UTC] wxhusst at gmail dot com
-Status: Feedback +Status: Assigned
 [2020-01-21 16:12 UTC] wxhusst at gmail dot com
https://github.com/php/php-src/commit/264ef4f16300270dd4e92d2510660836a4814579

I built the source from this version.

I just tested this.
 [2020-01-21 16:28 UTC] nikic@php.net
I can reproduce this. Here's a reduction:

<?php
mb_convert_encoding("", "UTF-8", [0]);

Presumably non-string encodings are not handled correctly.
 [2020-01-21 16:30 UTC] cmb@php.net
Then this is likely a duplicate of bug #79150.  I already have a
working patch.
 [2020-01-21 16:31 UTC] nikic@php.net
In https://github.com/php/php-src/blob/a3e29ba34add1f06089b749802728c30aa70e5e9/ext/mbstring/mbstring.c#L2882 and a few places below we use Z_STRVAL_P(hash_entry), while we should be using encoding_str.

This doesn't seem like a realistic pathway for remote exploitation though.
 [2020-01-21 16:55 UTC] wxhusst at gmail dot com
I also think this doesn't seem like a realistic pathway for remote exploitation. :)
 [2020-01-21 17:16 UTC] cmb@php.net
Suggested fix for PHP 7.4:
<https://gist.github.com/cmb69/080acb60a50d40f76bc7b628b376b5e4>.

For PHP 7.3 we should also replace the convert_to_string_ex()[1],
which can modify passed arguments.

Regarding exploitability:

  mb_convert_encoding($_GET['text'], 'UTF-8', $_GET['encodings'])

would be vulnerable.  However, that would be a userland bug, in my
opinion.

[1] <https://github.com/php/php-src/blob/php-7.3.14/ext/mbstring/mbstring.c#L3236>
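As an added illustration of the type confusion nikic describes above (Z_STRVAL_P() on an entry that was already converted into encoding_str) and of the in-place convert_to_string_ex() behaviour cmb mentions for 7.3, here is a miniature model written for this page. It is not php-src code and not code from any participant in this report; every mini_* name, the three-entry encoding table and the sample array are this example's own constructions. The zval and zend_string layouts are modelled after x86_64 php-src, so that the address the buggy path computes for the report's first array element (int 1) matches the faulting address in the AddressSanitizer output.

```c
/*
 * Added example, not code from php-src or from the bug's participants.
 * Miniature model (all mini_* names are this example's own) of a PHP
 * zval and zend_string, showing the type confusion in mb_convert_encoding:
 * each from_encoding array entry is converted with zval_get_string() into
 * encoding_str, but the raw entry is then read with Z_STRVAL_P(hash_entry),
 * which reinterprets an integer or double payload as a zend_string pointer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as zend_string on x86_64: 8-byte refcounted header,
 * 8-byte hash, 8-byte length, character buffer at offset 24 (0x18). */
typedef struct {
    uint64_t gc;
    uint64_t h;
    size_t   len;
    char     val[1];
} mini_string;

enum { MINI_IS_LONG = 4, MINI_IS_DOUBLE = 5, MINI_IS_STRING = 6 };

typedef struct {
    union {
        long         lval;
        double       dval;
        mini_string *str;
    } value;
    int type;
} mini_zval;

static mini_string *mini_string_new(const char *s)
{
    size_t len = strlen(s);
    mini_string *z = malloc(sizeof(*z) + len);
    z->gc = 1;
    z->h = 0;
    z->len = len;
    memcpy(z->val, s, len + 1);
    return z;
}

/* zval_get_string() analogue: returns a freshly allocated string for any type. */
static mini_string *mini_zval_get_string(const mini_zval *zv)
{
    char buf[64];
    switch (zv->type) {
    case MINI_IS_STRING: return mini_string_new(zv->value.str->val);
    case MINI_IS_LONG:   snprintf(buf, sizeof buf, "%ld", zv->value.lval); break;
    case MINI_IS_DOUBLE: snprintf(buf, sizeof buf, "%.14G", zv->value.dval); break;
    default:             buf[0] = '\0'; break;
    }
    return mini_string_new(buf);
}

/* Constructed sample, the report's array("a" => 1, "b" => "2", "c" => 3.0). */
static void mini_sample_array(mini_zval out[3])
{
    out[0].type = MINI_IS_LONG;   out[0].value.lval = 1;
    out[1].type = MINI_IS_STRING; out[1].value.str  = mini_string_new("2");
    out[2].type = MINI_IS_DOUBLE; out[2].value.dval = 3.0;
}

/* Buggy pattern (PHP 7.4.2): encoding_str is computed but never used; the
 * raw zval is read as a string.  Instead of dereferencing the result (that
 * is the strlen() SEGV in the ASan report) we return the address that
 * would reach estrdup().  For the integer 1 it is 1 + 0x18 = 0x19. */
static uintptr_t mini_buggy_encoding_ptr(const mini_zval *entry)
{
    mini_string *encoding_str = mini_zval_get_string(entry);
    uintptr_t raw = (uintptr_t)entry->value.str + offsetof(mini_string, val);
    free(encoding_str);
    return raw;
}

/* Fixed pattern (the 7.4 patch): only the converted temporary is used and
 * the caller's zval is left untouched.  Copies the name into out and
 * returns 1 if it is in the constructed encoding table, else 0. */
static const char *const mini_known_encodings[] = { "UTF-8", "ISO-8859-1", "ASCII" };

static int mini_fixed_lookup(const mini_zval *entry, char *out, size_t cap)
{
    mini_string *encoding_str = mini_zval_get_string(entry);
    int found = 0;
    snprintf(out, cap, "%s", encoding_str->val);
    for (size_t i = 0; i < sizeof mini_known_encodings / sizeof *mini_known_encodings; i++)
        if (strcmp(encoding_str->val, mini_known_encodings[i]) == 0) found = 1;
    free(encoding_str);
    return found;
}

/* convert_to_string_ex() analogue (the 7.3 code path cmb mentions):
 * converts in place, so the array the user passed in is modified. */
static void mini_convert_to_string(mini_zval *zv)
{
    if (zv->type == MINI_IS_STRING) return;
    mini_string *s = mini_zval_get_string(zv);
    zv->value.str = s;
    zv->type = MINI_IS_STRING;
}

int main(void)
{
    mini_zval arr[3];
    char name[32];
    mini_sample_array(arr);
    for (int i = 0; i < 3; i++) {
        int known = mini_fixed_lookup(&arr[i], name, sizeof name);
        printf("entry %d: buggy address 0x%lx, fixed path sees \"%s\" (known encoding: %d)\n",
               i, (unsigned long)mini_buggy_encoding_ptr(&arr[i]), name, known);
    }
    return 0;
}
```

The first entry is the interesting one: the buggy path hands 0x19 to strlen(), which is exactly the "SEGV on unknown address 0x000000000019" in the report, while the fixed path simply sees the string "1", rejects it as an unknown encoding, and leaves the caller's integer zval as an integer.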
 [2020-01-21 17:20 UTC] stas@php.net
-Summary: SEGV caused by zif_mb_convert_encoding +Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings -Type: Security +Type: Bug
 [2020-01-21 17:54 UTC] nikic@php.net
Patch LGTM.
 [2020-01-22 08:45 UTC] cmb@php.net
-Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings +Summary: SEGV in mb_convert_encoding with non-string encodings -PHP Version: master-Git-2020-01-21 (Git) +PHP Version: PHP 7.4
 [2020-01-22 08:45 UTC] cmb@php.net
Thanks for checking Nikita!

To clarify, PHP 7.3 and earlier are not affected by this issue.
 [2020-01-22 08:46 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=94c9dc498ffdedd9ae91357bd3345ba31f232220
Log: Fix #79149: SEGV in mb_convert_encoding with non-string encodings
 [2020-01-22 08:46 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC