Bug #81701 Memory Corruption vulnerability on Zend_execute_api
Submitted: 2021-12-17 12:56 UTC Modified: 2021-12-17 18:31 UTC
From: 3ntr0py1337 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: Next Major Version OS: Ubuntu 20.04.3 LTS
Private report: No CVE-ID: None
 [2021-12-17 12:56 UTC] 3ntr0py1337 at gmail dot com
Description:
------------
There is a memory corruption vulnerability which would overwrite the stack pointer, causing a crash. With proper control, it can lead to RCE.

Test script:
---------------
Sample 1 - source code
--TEST--
ZE2 __toString() in __destruct
--FILE--
<?php

class Test
{
    function __toString()
    {
        return "He echo $this;
    }
}

$o = nello\n";
    }

    function __destruct()
    {
        echo $this;
    }
}

$o = new Test%
$o = NULL;

$o = new Test;

?>
====DONE====
--EXPECT--
Hello
====DONE====
Hello

Expected result:
----------------
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556342667 <zend_call_function+103>:	je     0x5555563460f0 <zend_call_function+15088>
   0x55555634266d <zend_call_function+109>:	nop    DWORD PTR [rax]
   0x555556342670 <zend_call_function+112>:	lea    rsp,[rsp-0x98]
=> 0x555556342678 <zend_call_function+120>:	mov    QWORD PTR [rsp],rdx
   0x55555634267c <zend_call_function+124>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556342681 <zend_call_function+129>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556342686 <zend_call_function+134>:	mov    rcx,0x643c
   0x55555634268d <zend_call_function+141>:	call   0x555556351980 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556342678 in zend_call_function (fci=0x7fffff7ff180, fci_cache=0x7fffff7ff160) at /home/ubuntu/victims/php-src/Zend/zend_execute_API.c:730
730		if (!fci_cache || !fci_cache->function_handler) {


History

 [2021-12-17 18:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-12-17 18:31 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-12-17 18:31 UTC] cmb@php.net
Simpler reproducer:

<?php
class Test
{
    function __toString()
    {
        return $this;
    }
}
echo new Test();
?>

As such, this is a duplicate of bug #64196.
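Both reproducers recurse because converting the object to a string calls __toString(), whose body converts $this to a string again, and so on until the native stack is exhausted (the "Invalid $SP address" in the gdb output above). As an added example that is not part of the report or of php-src, the following userland re-entrancy guard makes the same pattern fail with a catchable exception instead of a crash (the class and property names are assumptions):

```php
<?php
// Added example, not code from the bug report. The guard detects a second
// entry into __toString() while a conversion is already in progress and
// throws, so the unbounded recursion from the reproducers cannot start.
class Guarded
{
    // Assumption: one shared guard per class is enough for this illustration.
    private static bool $converting = false;

    public function __toString(): string
    {
        if (self::$converting) {
            // Re-entered during an ongoing conversion: refuse instead of recursing.
            throw new LogicException('recursive __toString() on ' . static::class);
        }
        self::$converting = true;
        try {
            // Same shape as the reproducers: the body references $this again,
            // which re-enters __toString() rather than building a string directly.
            return "Hello from " . $this;
        } finally {
            self::$converting = false;   // reset even when the exception unwinds
        }
    }
}

try {
    echo new Guarded();
} catch (LogicException $e) {
    echo "caught: ", $e->getMessage(), "\n";
}
```

Run under PHP 7.4 or later (where __toString() may throw), the script prints "caught: recursive __toString() on Guarded" rather than segfaulting.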
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 17:01:32 2024 UTC