Sec Bug #81738 buffer overflow in hash_update() on long parameter
Submitted: 2022-10-11 18:24 UTC Modified: 2022-10-21 05:55 UTC
From: nicky at mouha dot be Assigned:
Status: Closed Package: hash related
PHP Version: 8.2.0RC3 OS: all 64-bit
Private report: No CVE-ID: 2022-37454
 [2022-10-11 18:24 UTC] nicky at mouha dot be
Description:
------------
I would like to inform you of a buffer overflow vulnerability in PHP.

The authors of the upstream repository have a proposed fix, and would like to coordinate a reasonable timeline for public disclosure.

Thanks for confirming receipt of this message, and for establishing a reasonable timeframe for remediation.

Looking forward to your reply!


Test script:
---------------
<?php
$ctx = hash_init("sha3-224");
hash_update($ctx, str_repeat("\x00", 1));
hash_update($ctx, str_repeat("\x00", 4294967295));
echo hash_final($ctx);
?>

Expected result:
----------------
c5bcc3bc73b5ef45e91d2d7c70b64f196fac08eee4e4acf6e6571ebe

Actual result:
--------------
Segmentation fault

Patches

CVE-2022-37454.patch (last revision 2023-01-02 09:16 UTC by psbhagwat at avaya dot com)
CVE-2022-37454 (last revision 2022-10-11 18:24 UTC by nicky at mouha dot be)

History

 [2022-10-11 18:32 UTC] stas@php.net
-Summary: Buffer overflow (CVE-2022-37454) +Summary: buffer overflow in hash_update() on long parameter
 [2022-10-11 18:41 UTC] stas@php.net
Backtrace: 

#0  0x0000556740d6d61b in KeccakP1600_AddBytesInLane (length=8, offset=<optimized out>, data=<optimized out>, lanePosition=196524, state=0x7fdd858802a0) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:120
#1  KeccakP1600_AddBytesInLane (length=8, offset=<optimized out>, data=<optimized out>, lanePosition=196524, state=0x7fdd858802a0) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:101
#2  KeccakP1600_AddBytes (state=state@entry=0x7fdd858802a0, data=data@entry=0x7fdc83400018 "", offset=<optimized out>, length=length@entry=4294967295) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:197
#3  0x0000556740d7b42a in KeccakWidth1600_SpongeAbsorb (instance=0x7fdd858802a0, data=<optimized out>, dataByteLen=4294967295) at ./ext/hash/sha3/generic64lc/KeccakSponge.inc:197
#4  0x0000556740d5b9ab in zif_hash_update (execute_data=<optimized out>, return_value=0x7ffdb97681e0) at ./ext/hash/hash.c:701
#5  0x0000556740f216eb in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1235
#6  execute_ex (ex=0x7ffdb97680d0) at ./Zend/zend_vm_execute.h:55757
#7  0x0000556740f28a6d in zend_execute (op_array=0x7fdd8588a000, return_value=0x0) at ./Zend/zend_vm_execute.h:60133
#8  0x0000556740ebaf2d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1799
#9  0x0000556740e56781 in php_execute_script (primary_file=primary_file@entry=0x7ffdb976a770) at ./main/main.c:2541
#10 0x0000556740f9f821 in do_cli (argc=2, argv=0x5567415fbe40) at ./sapi/cli/php_cli.c:965
#11 0x0000556740cff251 in main (argc=2, argv=0x5567415fbe40) at ./sapi/cli/php_cli.c:1367
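The backtrace above shows KeccakP1600_AddBytes called with length=4294967295 (0xFFFFFFFF) right after a 1-byte update, and KeccakP1600_AddBytesInLane reaching lanePosition=196524 even though a Keccak-p[1600] state has only 25 lanes. That pattern is consistent with a 32-bit wrap in the arithmetic that clamps a partial block to the space left in the rate. The following C block is an added example, not code from this report, from php-src or from the Keccak (XKCP) sources; it models such a clamp in simplified form using the 144-byte rate of sha3-224 from the test script. The function names and the exact mechanism are assumptions made for illustration, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* sha3-224 absorbs 1600 - 2*224 = 1152 bits = 144 bytes per block. */
#define SHA3_224_RATE_BYTES 144u

/* Illustrative unsafe clamp (assumed shape, not the XKCP code):
 * the remaining byte count is truncated to 32 bits and then added to
 * the number of bytes already queued in the block. With remaining =
 * 0xFFFFFFFF and used = 1 the sum wraps to 0, the comparison fails,
 * and the caller is told to copy ~4 GiB into a 200-byte state. */
static unsigned int clamp_wrapping(size_t remaining, unsigned int used, unsigned int rate)
{
    unsigned int partial = (unsigned int)remaining; /* truncates on 64-bit */
    if (partial + used > rate)                      /* 32-bit sum can wrap */
        partial = rate - used;
    return partial;
}

/* Hardened clamp: compare against the space left instead of forming a
 * sum that can overflow. 'used' is always < rate in a sponge, so
 * rate - used cannot wrap, and the size_t comparison is exact. */
static unsigned int clamp_safe(size_t remaining, unsigned int used, unsigned int rate)
{
    unsigned int space = rate - used;
    if (remaining > (size_t)space)
        return space;
    return (unsigned int)remaining;
}

/* Sanity check a practitioner can apply to either variant: a clamped
 * length is only valid if it fits in the space left in the block. */
static int overruns_block(unsigned int partial, unsigned int used, unsigned int rate)
{
    return partial > rate - used;
}

int main(void)
{
    /* Constructed inputs mirroring the report: 1 byte queued, then 0xFFFFFFFF more. */
    size_t remaining = 4294967295u;
    unsigned int used = 1u;

    unsigned int bad = clamp_wrapping(remaining, used, SHA3_224_RATE_BYTES);
    unsigned int good = clamp_safe(remaining, used, SHA3_224_RATE_BYTES);

    printf("wrapping clamp -> %u bytes (overrun: %s)\n", bad,
           overruns_block(bad, used, SHA3_224_RATE_BYTES) ? "yes" : "no");
    printf("safe clamp     -> %u bytes (overrun: %s)\n", good,
           overruns_block(good, used, SHA3_224_RATE_BYTES) ? "yes" : "no");
    return 0;
}
```

The two functions differ only in how the bound is expressed; the safe form never computes a value that can exceed the 32-bit range, which is the property to look for when reviewing any absorb or buffer-queue loop that mixes a 64-bit length with 32-bit block indices.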
 [2022-10-11 18:42 UTC] ondrej@php.net
Nicky, thank you for the patch.

We’ve briefly discussed this internally on the PHP security list and this would not be classified as a security vulnerability in PHP as it falls under:

* requires invocation of specific code, which may be valid but is obviously malicious

See the security guidelines.

However, as far as I can see from a brief Google search, this might still be classified as confidential by Keccak upstream?

Can you confirm what’s the publication date for Keccak upstream?
 [2022-10-11 18:55 UTC] stas@php.net
Let's see what the Keccak people say, and if they treat it as a security issue we do the same and disclose/patch when they're ready.
 [2022-10-11 19:44 UTC] nicky at mouha dot be
MITRE considers this to be a security issue, and has assigned it CVE-2022-37454. The Keccak team considers it to be a security issue as well.

There is one large project (Python) that is vulnerable as well, and we hope to give them some time to reply before disclosing and patching. I hope to get a response from the Python security team soon, so that we can coordinate on a patch date.

So I hope to get back to everyone soon with a proposed publication date. In the meanwhile, thanks for keeping this confidential!

Also, thank you all for the incredibly fast response!
 [2022-10-21 01:25 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2022-37454
 [2022-10-21 06:06 UTC] git@php.net
Automatic comment on behalf of smalyshev
Revision: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd
Log: Fix bug #81738 (buffer overflow in hash_update() on long parameter)
 [2022-10-21 06:06 UTC] git@php.net
-Status: Open +Status: Closed
 [2023-01-02 09:16 UTC] psbhagwat at avaya dot com
The following patch has been added/updated:

Patch Name: CVE-2022-37454.patch
Revision:   1672650982
URL:        https://bugs.php.net/patch-display.php?bug=81738&patch=CVE-2022-37454.patch&revision=1672650982
 [2023-01-02 09:16 UTC] psbhagwat at avaya dot com
The following patch has been added/updated:

Patch Name: CVE-2022-37454.patch
Revision:   1672651007
URL:        https://bugs.php.net/patch-display.php?bug=81738&patch=CVE-2022-37454.patch&revision=1672651007
 [2023-05-11 15:54 UTC] cesar_delarosa at bhd dot com dot do
The following pull request has been associated:

Patch Name: Generate correct links for <type> elements
On GitHub:  https://github.com/php/phd/pull/33
Patch:      https://github.com/php/phd/pull/33.patch
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC