Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Submitted: 2013-08-27 04:34 UTC Modified: 2013-08-30 07:49 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: dhiru dot kholia at gmail dot com Assigned: remi
Status: Closed Package: Date/time related
PHP Version: 5.5.3 OS: Fedora 19
Private report: No CVE-ID:
 [2013-08-27 04:34 UTC] dhiru dot kholia at gmail dot com
Description:
------------
Summary: a stack-buffer-overflow exists in DateTimeZone stuff, which was caught by AddressSanitizer.

I am using Fedora 19's GCC which supports AddressSanitizer.

1. Download and extract php-5.5.3.tar.xz

2. Configure build flags:

   export CFLAGS="-fsanitize=address -O2 -ggdb"

   export LDFLAGS="-fsanitize=address"

3. Build PHP as usual using "make".

4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with:

    *** Testing clone on DateTime objects ***
    =================================================================
    ==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
    READ of size 1 at 0x7fff0209a9d7 thread T0
        #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
        #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
        #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
        #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
        #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
        #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
        #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
        #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
        #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
        #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
        #10 0x386b021b74 in ?? ??:0
        #11 0x435388 in _start ??:?



Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php 


 [2013-08-30 05:59 UTC] remi@php.net
Reproduced with the php5.5-201308300430 snapshot.

This issue makes 62 tests fail, all in the date extension.

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
date_isodate_set() tests [ext/date/tests/012.phpt]
date_date_set() tests [ext/date/tests/013.phpt]
timezone_offset_get() tests [ext/date/tests/014.phpt]
Test clone on DateTimeZone objects [ext/date/tests/DateTimeZone_clone_basic1.phpt]
Testing clone on objects whoose class derived from DateTimeZone class [ext/date/tests/DateTimeZone_clone_basic2.phpt]
Test clone of DateTimeZOne objects [ext/date/tests/DateTimeZone_clone_basic3.phpt]
Test new DateTimeZone() : basic functionality [ext/date/tests/DateTimeZone_construct_basic.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_1.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_2.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_3.phpt]
Test clone of objects whoose class derived from DateTime class [ext/date/tests/DateTime_clone_basic2.phpt]
Test clone of DateTime objects [ext/date/tests/DateTime_clone_basic3.phpt]
Test new DateTime() : basic functionality [ext/date/tests/DateTime_construct_basic1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/DateTime_construct_variation1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/DateTime_construct_variation2.phpt]
Test DateTime::modify() function : usage variation - Passing unexpected values to first argument $modify. [ext/date/tests/DateTime_modify_variation1.phpt]
Test serialization of DateTime objects [ext/date/tests/DateTime_serialize.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setDate_variation1.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to second argument $month. [ext/date/tests/DateTime_setDate_variation2.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setDate_variation3.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setISODate_variation1.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to second argument $week. [ext/date/tests/DateTime_setISODate_variation2.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setISODate_variation3.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to first argument $hour. [ext/date/tests/DateTime_setTime_variation1.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to second argument $minute. [ext/date/tests/DateTime_setTime_variation2.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to third argument $second. [ext/date/tests/DateTime_setTime_variation3.phpt]
Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (64 bit) [ext/date/tests/bug41523-64bit.phpt]
Bug #45682 (Unable to var_dump(DateInterval)) [ext/date/tests/bug45682.phpt]
Bug #46108 (DateTime - Memory leak when unserializing) [ext/date/tests/bug46108.phpt]
Bug #48097 (date_timezone_set function produces wrong datetime result) [ext/date/tests/bug48097.phpt]
Bug #48678 (DateInterval segfaults when unserialising) [ext/date/tests/bug48678.phpt]
Bug #49081 (DateTime::diff() mistake if start in January and interval > 28 days) [ext/date/tests/bug49081.phpt]
Bug #49778 (DateInterval::format("%a") is always zero when an interval is created from an ISO string) [ext/date/tests/bug49778.phpt]
Bug #51866 (Lenient parsing with parseFromFormat) [ext/date/tests/bug51866.phpt]
Bug #52113 (Seg fault while creating (by unserialization) DatePeriod) [ext/date/tests/bug52113.phpt]
Bug #52738 (Can't use new properties in class extended from DateInterval) [ext/date/tests/bug52738.phpt]
Bug #52808 (Segfault when specifying interval as two dates) [ext/date/tests/bug52808.phpt]
Bug #53437 (Crash when using unserialized DatePeriod instance), variation 1 [ext/date/tests/bug53437.phpt]
Bug #53437 DateInterval basic serialization [ext/date/tests/bug53437_var2.phpt]
Bug #53437 (Check that var_dump out is the same using the whole object or it's single properties), variation 4 [ext/date/tests/bug53437_var4.phpt]
Bug #53437 DateInterval unserialize bad data, 64 bit [ext/date/tests/bug53437_var5.phpt]
Bug #54316 (DateTime::createFromFormat does not handle trailing '|' correctly) [ext/date/tests/bug54316.phpt]
Bug #54340 (DateTime::add() method bug) [ext/date/tests/bug54340.phpt]
Bug #60236 (TLA timezone dates are not converted properly from timestamp) [ext/date/tests/bug60236.phpt]
Bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method) [ext/date/tests/bug60774.phpt]
Test for + character in date format [ext/date/tests/date-lenient-create.phpt]
Test date_create() function : basic functionality [ext/date/tests/date_create_basic.phpt]
Test date_create() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/date_create_variation1.phpt]
Test date_create() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/date_create_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_date_set_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to third argument $month. [ext/date/tests/date_date_set_variation3.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_date_set_variation4.phpt]
Test for date_diff with timezone abbreviations. [ext/date/tests/date_diff1.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_isodate_set_variation2.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to third argument $week. [ext/date/tests/date_isodate_set_variation3.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_isodate_set_variation4.phpt]
Test date_modify() function : usage variation - Passing unexpected values to second argument $format. [ext/date/tests/date_modify_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to second argument $hour. [ext/date/tests/date_time_set_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to third argument $minute. [ext/date/tests/date_time_set_variation3.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to forth argument $sec. [ext/date/tests/date_time_set_variation4.phpt]
date_create_from_format() and date_parse_from_format(). [ext/date/tests/test-parse-from-format.phpt]
Test timezone_open() function : basic functionality [ext/date/tests/timezone_open_basic1.phpt]
=====================================================================
 [2013-08-30 06:01 UTC] remi@php.net
-Package: Reproducible crash +Package: Date/time related
 [2013-08-30 06:01 UTC] remi@php.net
Reassigning as Date/Time related, as only this extension is affected.
 [2013-08-30 07:49 UTC] remi@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: remi
 [2013-08-30 07:49 UTC] remi@php.net
Found:
-zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
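Review bot: The fix is correct: `&zv` is the address of a `zval *`, so the data size handed to `zend_hash_update` must be `sizeof(zv)` (one pointer), and `sizeof(zval)` made the hash copy past the pointer-sized local into adjacent stack memory, which is the `READ of size 1` in `_zend_hash_add_or_update` that ASan reported. Two follow-ups before committing: the reporter's trace points at `date_object_get_properties_timezone` (php_date.c:2308), not at the `days` property this hunk touches, so the same `sizeof(zval)` pattern paired with a `&zv` argument should be checked in the timezone getter and the rest of php_date.c; and the 62 failing date tests listed above make a ready regression check for the snapshot once the fix is in.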

Will run some more tests and will commit the fix.
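To show what the trace and the one-line fix are about, here is an added C example; it is not code from php-src, and the zval, bucket, hash_update and frame below are simplified stand-ins I constructed. zend_hash_update copies nDataSize bytes from pData, so passing sizeof(zval) while pData is the address of a zval * reads past the pointer into neighbouring memory; the buggy and fixed forms sit side by side.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for PHP 5's zval (24 bytes on LP64) and for a hash bucket. */
typedef struct {
    union { long lval; double dval; struct { char *val; int len; } str; } value;
    unsigned int refcount__gc;
    unsigned char type, is_ref__gc;
} zval;
typedef struct { unsigned char data[64]; size_t size; } bucket;

/* Copying part of zend_hash_update: nDataSize bytes are read from pData;
 * nothing checks that size against the object pData really points at. */
static int hash_update(bucket *b, const void *pData, size_t nDataSize) {
    if (nDataSize > sizeof b->data) return -1;
    memcpy(b->data, pData, nDataSize);
    b->size = nDataSize;
    return 0;
}

/* Reported pattern: zv is a zval *, so &zv is one pointer wide, yet sizeof(zval)
 * bytes are read. A filler field follows the pointer here to keep the demo
 * well-defined; in php_date.c those extra bytes came from whatever was next on
 * the stack, which is the stack-buffer-overflow read that ASan reported. */
struct frame { zval *zv; unsigned char spill[sizeof(zval)]; };

static bucket store_days_buggy(zval *prop) {
    struct frame f;
    bucket b = {{0}, 0};
    memset(&f, 0xA5, sizeof f);            /* filler standing in for neighbouring stack */
    f.zv = prop;
    hash_update(&b, &f.zv, sizeof(zval));  /* bug: size of the zval, not of the pointer */
    return b;
}

/* The fix from the report: size the copy by the pointer object itself. */
static bucket store_days_fixed(zval *prop) {
    zval *zv = prop;
    bucket b = {{0}, 0};
    hash_update(&b, &zv, sizeof(zv));      /* sizeof(zv) == sizeof(zval *) */
    return b;
}

/* Read the stored pointer back, and count bytes past it that carry the
 * filler, i.e. neighbouring memory that was copied into the hash. */
static zval *load_ptr(const bucket *b) { zval *p; memcpy(&p, b->data, sizeof p); return p; }
static size_t spilled_bytes(const bucket *b) {
    size_t n = 0;
    for (size_t i = sizeof(zval *); i < b->size; i++) n += (b->data[i] == 0xA5);
    return n;
}
```

Built with the -fsanitize=address flags from the report and without the filler field, the buggy call is flagged at the memcpy exactly as in the trace above.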
 [2013-08-30 08:46 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d69513afecf3d82c6bfba35ef1634b3b7c377d87
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2013-08-30 08:46 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2013-08-30 08:46 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fab1caa4100cf05fcf485ef0917830ae9f57563
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fab1caa4100cf05fcf485ef0917830ae9f57563
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 17:01:54 2014 UTC