php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69248 heap overflow vulnerability in regcomp.c
Submitted: 2015-03-17 12:42 UTC Modified: 2015-03-18 12:08 UTC
From: astieger at suse dot com Assigned: stas (profile)
Status: Closed Package: Regexps related
PHP Version: 5.6.6 OS: SLES/ openSUSE
Private report: No CVE-ID: 2015-2305
 [2015-03-17 12:42 UTC] astieger at suse dot com
Description:
------------
Guido Vranken reported that regular expressions (regex) originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.

PHP seems to be affected:
[   88s] checking which regex library to use... php

ext/ereg/regex/regcomp.c:
	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
	p->strip = (sop *)malloc(p->ssize * sizeof(sop));


also...



case $PHP_REGEX in
  system)
    if test "$PHP_SAPI" = "apache" || test "$PHP_SAPI" = "apache2filter" || test "$PHP_SAPI" = "apache2handler"; then
      REGEX_TYPE=php
    else

So even if 'system' is chosen, for apache module you will get 'php' anyway for whatever -- I believe good -- reason.



The code seems to be removed in git master.

patch is at
https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

Test script:
---------------
$ cat test.php
<?php
$date = "2015-03-17";
if (ereg (str_repeat("a", 715827882), $date, $regs)) {
    echo "$regs[3].$regs[2].$regs[1]";
} else {
    echo "Invalid date format: $date";
}
?>
$ php test.php
Segmentation fault
$


or


$ php -r 'ereg (str_repeat("a", 715827882), "b", $regs);'
Segmentation fault

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-18 00:12 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2015-03-18 00:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2015-03-18 05:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282
Log: Fix bug #69248 - heap overflow vulnerability in regcomp.c
 [2015-03-18 09:47 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=94e7638d9a04ebb82433147ef65e70a85d988074
Log: Fix bug #69248 - heap overflow vulnerability in regcomp.c
 [2015-03-18 12:08 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2015-2305
 [2015-03-19 01:00 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5fd617f2f5afa3a687969e7844864e027f97d964
Log: Fix bug #69248 - heap overflow vulnerability in regcomp.c
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 02:01:28 2024 UTC