Sec Bug #68027 AddressSanitizer reports a global buffer overflow in mkgmtime() function.
Submitted: 2014-09-16 09:42 UTC Modified: 2014-10-14 17:41 UTC
From: s dot paraschoudis at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.0 OS: Ubuntu 14.04.1 LTS 64bit
Private report: No CVE-ID: 2014-3668
 [2014-09-16 09:42 UTC] s dot paraschoudis at gmail dot com
Description:
------------
Please note that I cannot reproduce it without AddressSanitizer enabled


Test script:
---------------
POC1:
===============================
<?php
$d = '6-01-01 20:00:00';
xmlrpc_set_type($d, 'datetime');
?>

Result
===============================

=================================================================
==19848== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001e91064 at pc 0x11342a7 bp 0x7fffa3772e20 sp 0x7fffa3772e18
READ of size 4 at 0x000001e91064 thread T0
    #0 0x11342a6 in mkgmtime xmlrpc.c:180
    #1 0x11351b7 in date_from_ISO8601 xmlrpc.c:262
    #2 0x1138059 in XMLRPC_SetValueDateTime_ISO8601 xmlrpc.c:1725
    #3 0x1138111 in XMLRPC_CreateValueDateTime_ISO8601 xmlrpc.c:1759
    #4 0x112753b in set_zval_xmlrpc_type xmlrpc-epi-php.c:1367
    #5 0x1127ed4 in zif_xmlrpc_set_type xmlrpc-epi-php.c:1483
    #6 0x147d4a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #7 0x1492de4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER zend_vm_execute.h:2595
    #8 0x147aca1 in execute_ex zend_vm_execute.h:363
    #9 0x147aedc in zend_execute zend_vm_execute.h:388
    #10 0x13a606f in zend_execute_scripts zend.c:1330
    #11 0x119e3f7 in php_execute_script main.c:2584
    #12 0x15ebe12 in do_cli php_cli.c:994
    #13 0x15eef4d in main php_cli.c:1378
    #14 0x7f59079fcec4 in __libc_start_main libc-start.c:287
    #15 0x4427f8 in _start ??:?
0x000001e91064 is located 17 bytes to the right of global variable '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91040) of size 19
  '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' is ascii string 'xmlrpc-epi v. 0.51'
0x000001e91064 is located 28 bytes to the left of global variable 'mdays (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91080) of size 48
==19848== ABORTING


POC2:
===============================
<?php
$datetime = "2001-0-08T21:46:40-0400";

$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
print_r($obj);
?>


=================================================================
==19909== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001e9107c at pc 0x11342a7 bp 0x7fffa4b10d20 sp 0x7fffa4b10d18
READ of size 4 at 0x000001e9107c thread T0
    #0 0x11342a6 in mkgmtime xmlrpc.c:180
    #1 0x11351b7 in date_from_ISO8601 xmlrpc.c:262
    #2 0x1138059 in XMLRPC_SetValueDateTime_ISO8601 xmlrpc.c:1725
    #3 0x112e56c in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:138
    #4 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #5 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #6 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #7 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #8 0x112e905 in xml_element_to_XMLRPC_REQUEST xml_to_xmlrpc.c:184
    #9 0x1135f4e in XMLRPC_REQUEST_FromXML xmlrpc.c:819
    #10 0x1123322 in decode_request_worker xmlrpc-epi-php.c:786 (discriminator 3)
    #11 0x112397a in zif_xmlrpc_decode xmlrpc-epi-php.c:848 (discriminator 3)
    #12 0x147d4a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #13 0x1492de4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER zend_vm_execute.h:2595
    #14 0x147aca1 in execute_ex zend_vm_execute.h:363
    #15 0x147aedc in zend_execute zend_vm_execute.h:388
    #16 0x13a606f in zend_execute_scripts zend.c:1330
    #17 0x119e3f7 in php_execute_script main.c:2584
    #18 0x15ebe12 in do_cli php_cli.c:994
    #19 0x15eef4d in main php_cli.c:1378
    #20 0x7f5b53ea9ec4 in __libc_start_main libc-start.c:287
    #21 0x4427f8 in _start ??:?
0x000001e9107c is located 41 bytes to the right of global variable '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91040) of size 19
  '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' is ascii string 'xmlrpc-epi v. 0.51'
0x000001e9107c is located 4 bytes to the left of global variable 'mdays (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91080) of size 48
==19909== ABORTING


Patches

fix-date-parsing (last revision 2014-09-29 23:52 UTC by stas@php.net)


History

 [2014-09-29 00:29 UTC] stas@php.net
Both issues seem to be a product of the same problem. Code in mkgmtime looks like this:

    return ((((((tm->tm_year - 70) * 365) + mdays[tm->tm_mon] + tm->tm_mday-1 +
                  (tm->tm_year-68-1+(tm->tm_mon>=2))/4) * 24) + tm->tm_hour) * 60 +
        tm->tm_min) * 60 + tm->tm_sec;

If tm_mon is outside the mdays array, problems happen. However, in date_from_ISO8601, mon is calculated as:

    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
       XMLRPC_IS_NUMBER(text[i])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }

As you can see, the check is for text[i] but the value used is text[i+4]. This leads to tm_mon having values which may be negative or may be more than the mdays array's size.

I will attach a patch shortly.
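Added example (not the project's code and not part of this report): a cut-down C model of the month parsing stas describes, with the defective check beside a corrected one and a bounds-checked table lookup. It assumes the parser sees the date in compact YYYYMMDD form with separators removed; under that assumption the indices the defective loop yields line up with the offsets in the ASan reports above (tm_mon -7 is 28 bytes before mdays, -1 is 4 bytes before).

```c
#include <stdio.h>
#include <string.h>

/* Same shape as the mdays table mkgmtime() indexes: 12 ints, days before each month. */
static const int mdays[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

/* Mirrors the defective loop: the digit check is on text[i] (a year byte) while the
 * value comes from text[i+4] (a month byte). Returns the tm_mon it would hand to
 * mkgmtime(), or -100 when the misplaced check rejects the input. It never indexes
 * mdays itself, so running it is harmless. */
int month_index_vulnerable(const char *text, size_t len)
{
    int mon = 0, n = 10;
    if (len < 6) return -100;                  /* keep the demo inside the string */
    for (int i = 0; i < 2; i++) {
        if (text[i] < '0' || text[i] > '9') return -100; /* wrong byte checked */
        mon += (text[i + 4] - '0') * n;        /* unchecked byte consumed */
        n /= 10;
    }
    return mon - 1;                            /* tm_mon is zero-based */
}

/* Corrected: validate the bytes actually consumed and range-check the month
 * before it can become an array index. Returns tm_mon (0..11) or -1 on reject. */
int month_index_fixed(const char *text, size_t len)
{
    int mon = 0, n = 10;
    if (len < 6) return -1;
    for (int i = 0; i < 2; i++) {
        if (text[i + 4] < '0' || text[i + 4] > '9') return -1;
        mon += (text[i + 4] - '0') * n;
        n /= 10;
    }
    return (mon < 1 || mon > 12) ? -1 : mon - 1;
}

/* Bounds-checked lookup: the only way mdays is ever read here. */
int days_before_month(int tm_mon)
{
    return (tm_mon < 0 || tm_mon >= 12) ? -1 : mdays[tm_mon];
}

int main(void)
{
    /* Constructed inputs in compact YYYYMMDD form (assumed post-stripping layout). */
    const char *in[] = {"20011208T214640", "20010008T214640", "60101 20:00:00"};
    for (int k = 0; k < 3; k++)
        printf("%-16s vulnerable tm_mon=%4d  fixed tm_mon=%3d\n", in[k],
               month_index_vulnerable(in[k], strlen(in[k])), month_index_fixed(in[k], strlen(in[k])));
    return 0;
}
```

The month "00" case gives tm_mon -1 and the space-for-digit case gives -7 from the defective loop, while the corrected parser rejects both and only ever reads mdays through the checked accessor.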
 [2014-09-29 00:34 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-date-parsing
Revision:   1411950882
URL:        https://bugs.php.net/patch-display.php?bug=68027&patch=fix-date-parsing&revision=1411950882
 [2014-09-29 05:33 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3668
 [2014-09-29 23:52 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-date-parsing
Revision:   1412034756
URL:        https://bugs.php.net/patch-display.php?bug=68027&patch=fix-date-parsing&revision=1412034756
 [2014-10-14 17:42 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:42 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-10-14 17:44 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 12:08 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=886b8efbee605b6e5caa2e8d52475077757175fc
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-11-03 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-11-12 08:28 UTC] drpaneas at gmail dot com
Can you tell me how I can reproduce it using AddressSanitizer? I am using this PHP script to invoke the bug: http://pastebin.com/5BezBkVe
and the output I got is: http://pastebin.com/xWXyVt7m

Then I patched my PHP to the newer version, but I still get exactly the same output. How can I verify that my system is not affected by this bug?
 [2014-11-18 20:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 10:01:38 2017 UTC