Sec Bug #60262 multiple flaws memory_limit bypass, dos, code exec
Submitted: 2011-11-11 11:46 UTC Modified: 2018-12-18 01:27 UTC
From: max at cxib dot net Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.0RC1 OS:
Private report: No CVE-ID: None
 [2011-11-11 11:46 UTC] max at cxib dot net
/*poc memory_limit bypass */
Test script:
Tests the regcomp version in PHP. Based on the original code.

cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -v 1000000
cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -m 1000000

Then run it, with the result:

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:432
432	../sysdeps/x86_64/memcpy.S: No such file or directory.
	in ../sysdeps/x86_64/memcpy.S

(gdb) x/i $rip
=> 0x7ffff6a7fc69 <memcpy+777>:	mov    %rax,(%rdi)
(gdb) x/x $rax
0x28000002:	Cannot access memory at address 0x28000002
(gdb) x/x $rdi
0x7fffdd79c000:	Cannot access memory at address 0x7fffdd79c000


function patterns($len){
return array(
"(".str_repeat("\(",$len).")", // for p_bre recursion (crash has been fixed)
"(".str_repeat("\(",60).str_repeat("(.*)",$len).")", // for p_bre recursion (problematic for p_bre len>70000)
// remaining patterns of the PoC are not preserved in the tracker copy
);
}

function execc($patt){
	// harness body not preserved in the tracker copy
	return 0;
}

if(isset($argv[1]) and isset($argv[2])){
	echo $patts[$argv[1]];
	for($fl=0;$fl<count($currpat);$fl++) execc($currpat[$fl]);
}
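As an added defensive example (not code from the report or from PHP itself), the check a script that compiles caller-supplied regexes needs against the pattern shapes above: it bounds the depth of parenthesised groups before any compiler sees the pattern, following ERE/PCRE syntax by default (where `\(` is a literal) and POSIX BRE syntax when `$bre` is true (where `\(` opens a group, which is how the report's runs of `\(` reach p_bre). MAX_GROUP_DEPTH, groupNestingDepth() and safeMatch() are names chosen for this example.

```php
<?php
// Added defensive example, not part of bug #60262 or of PHP. The report's PoC
// hands regcomp() patterns with tens of thousands of nested groups; the
// compiler's recursion and allocations happen in C, outside the Zend memory
// manager, so memory_limit cannot contain them. Reject such patterns up front.
const MAX_GROUP_DEPTH = 32;   // cap chosen for this example, not a PHP setting

/**
 * Deepest level of group nesting in $pattern, or -1 if groups are unbalanced
 * or the pattern ends inside an escape or bracket expression.
 * ERE/PCRE syntax by default: "(" opens a group, "\(" is a literal.
 * With $bre = true, POSIX BRE syntax: "\(" opens a group, "(" is a literal.
 * Bracket expressions "[...]" are skipped, so "[(]" never counts as a group.
 */
function groupNestingDepth(string $pattern, bool $bre = false): int {
    $depth = 0; $max = 0; $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        $c = $pattern[$i];
        $open = $close = false;
        if ($c === '\\') {                         // escaped character
            if (++$i >= $len) return -1;           // trailing backslash
            if ($bre) { $open = $pattern[$i] === '('; $close = $pattern[$i] === ')'; }
        } elseif ($c === '[') {                    // bracket expression
            $i++;
            if ($i < $len && $pattern[$i] === '^') $i++;
            if ($i < $len && $pattern[$i] === ']') $i++;   // leading ']' is literal
            while ($i < $len && $pattern[$i] !== ']') $i++;
            if ($i >= $len) return -1;             // unterminated '['
        } elseif (!$bre) {
            $open = $c === '('; $close = $c === ')';
        }
        if ($open && ++$depth > $max) $max = $depth;
        if ($close && --$depth < 0) return -1;
    }
    return $depth === 0 ? $max : -1;
}

/** Match with an untrusted PCRE pattern only if its nesting is bounded. */
function safeMatch(string $pattern, string $subject): ?bool {
    $depth = groupNestingDepth($pattern);
    if ($depth < 0 || $depth > MAX_GROUP_DEPTH) return null;          // rejected
    $r = @preg_match('~' . str_replace('~', '\~', $pattern) . '~', $subject);
    return $r === false ? null : $r === 1;                            // PCRE error -> null
}

// Constructed inputs shaped like the report's patterns.
var_dump(safeMatch('(a|b)+c', 'abc'));                                      // bool(true)
var_dump(safeMatch(str_repeat('(', 40) . 'x' . str_repeat(')', 40), 'x'));  // NULL: depth 40 > cap
var_dump(groupNestingDepth('(' . str_repeat('\(', 60) . ')', true));         // int(-1): 60 BRE groups never closed
```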



 [2011-11-21 07:44 UTC]
Note ereg is deprecated since 5.3. Also we probably can't just lift patch from NetBSD, will have to port it.
 [2011-11-22 00:54 UTC] max at cxib dot net
That's what I know: eregi() will be available in 5.4. safe_mode will also be removed, but not in 5.4. In any way, PHP should guarantee safety. There are people who use safe_mode and there are people who bypass it. suphp is also not safe with symlinks. Is there any alternative for safe mode? Anyway, I may try to fix grep() in php54. Allowing a memory_limit bypass and code exec in line 54 is not a good idea.
 [2011-11-22 01:00 UTC]
Safe mode is actually gone in 5.4 (see UPGRADING in the source), but ereg is still available, so I do not deny this needs to be fixed. I just note that the use of this function is strongly discouraged in all current PHP versions.
 [2011-11-23 05:19 UTC] max at cxib dot net
You are right, safe_mode is removed. But we still have a problem with open_basedir. In 5.4.0RC1 it is possible to bypass by
 [2012-05-13 15:10 UTC]
-Private report: No +Private report: Yes
 [2017-08-26 12:22 UTC]
-Assigned To: +Assigned To: stas
 [2017-08-26 12:22 UTC]
Since ereg() and friends finally have been removed, I think this ticket can be (dis)closed. Stas?
 [2018-12-18 01:27 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Jan 27 12:04:13 2023 UTC