Bug #70427 memory corruption (* bytes exhausted)
Submitted: 2015-09-04 11:06 UTC Modified: 2016-07-14 10:37 UTC
From: kontakt at unnex dot de Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: tested on linux, windows
Private report: No CVE-ID: None
 [2015-09-04 11:06 UTC] kontakt at unnex dot de
Description:
------------
Tested on: Windows 7 (64-bit), Windows 10 (64-bit), Manjaro Linux (64-bit) using PHP 5.6.12, 5.4.40, 5.3.13 with CLI, xamp/wamp, nginx.

An attacker is able to crash PHP completely by oversizing a byte string/array conversion. PHP prints an error message, then it crashes.

I think this vulnerability is low level, but crashes of PHP are possible. For example: many server programs (for example xamp) include PHP, and not all of them restart PHP after crashes or check for crashes (mainly Windows). Well, it creates the chance to take a website down by crashing PHP.

screenshot (cli): http://unnex.de/phptest-89co-3012jc/ias9zc98sa8cz78as9-cli.png
screenshot (wamp): http://unnex.de/phptest-89co-3012jc/8a98zsc0po10-wamp-apache.png


Test script:
---------------
<?php
// Assumes memory_limit is given in megabytes (e.g. "128M"); strip the unit.
$size=(int)(substr(ini_get('memory_limit'), 0, strlen(ini_get('memory_limit'))-1))*1048576;
// Target length: two thirds of the limit, so one copy of the string fits but two do not.
$b=$size/1.5; if ($b<67108864) { $e=100000; } else { $e=10000000; }
// Build a chunk of $e bytes, then concatenate chunks until the target length is reached.
$f='a'; $i=0; $d=''; while ($i<$e) { $d.=$f; $xi=1; $i++; }
$i=0; $c=''; $ba=$b-$e; while ($i<$b) { $c.=$d; $i+=$e; } while ($i<$b) { $c.=$f; $i++; }
// Share the string with a second variable, then write to it: the copy-on-write
// duplication needs another two thirds of the limit and exhausts memory.
$a=$c; $c[0]='';
?>

Actual result:
--------------
[test script]
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 90000001 bytes) in C:\php5612\mem.php on line 5
-then crash by: $c[0]='';

(gdb) r mem.php
Starting program: C:\php5612\php.exe mem.php
[New Thread 4944.0x1088]
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 90000001 bytes) in C:\php5612\mem.php on line 5

Program received signal SIGSEGV, Segmentation fault.
0x000007fede8c5a2a in php5ts!_zval_dtor_func () from C:\php5612\php5ts.dll
(gdb) bt
#0  0x000007fede8c5a2a in php5ts!_zval_dtor_func () from C:\php5612\php5ts.dll
#1  0x000007fede8c53f6 in php5ts!_zval_ptr_dtor () from C:\php5612\php5ts.dll
#2  0x000007fede8d4e2c in zend_hash_graceful_reverse_destroy () from C:\php5612\php5ts.dll
#3  0x000007fede8d47e2 in zend_shutdown_fpu () from C:\php5612\php5ts.dll
#4  0x000007fede8d7bb4 in zend_deactivate () from C:\php5612\php5ts.dll
#5  0x000007fede8d77d1 in php_request_shutdown () from C:\php5612\php5ts.dll
#6  0x000000013f632bca in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

check authenticity:
#$a=$c; $c[0]=''; #crash
#$c.=$c; $c[0]=''; #no crash
#$a=$c; $a[0]=''; #crash
#$a=$c; $a.=$a; #crash
#$a=$c; $a.=''; #crash
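A small regression harness, added here as an example and not part of the bug report, that runs each of the write patterns listed above in a child `php` process under a deliberately small memory_limit and reports how the child ended: a plain fatal error (status 255), a segmentation fault after the fatal error, or normal completion. It assumes a POSIX shell (exec() goes through /bin/sh, so a child killed by SIGSEGV appears as status 139, or as the raw wait status 11 when the shell exec's php directly), a `php` binary on PATH or one given as the first argument, and it replaces the empty-string value with "b" so the same pattern also runs on PHP 7.1 and later, where an empty string is rejected as a string-offset value. Windows reports exit status differently and is not covered.

```php
<?php
// Added regression harness, not part of the bug report. Each write pattern
// from the "check authenticity" list runs in a child php process under a
// small memory_limit; the parent classifies the child's exit status.
// Assumptions: POSIX shell, `php` on PATH (or passed as argv[1]). A child
// killed by SIGSEGV shows up as 139 (128+11, or 11|0x80 with core dump) or as
// the raw wait status 11 when the shell exec'd php directly.

// Memory limit for the child, in MB. The child builds a string of two thirds
// of this, so one copy fits but a copy-on-write duplicate does not.
const CHILD_LIMIT_MB = 64;

$phpBinary = isset($argv[1]) ? $argv[1] : 'php';

// Write patterns from the report; '' replaced by "b" as a string-offset value
// so the script also runs on PHP >= 7.1.
$variants = array(
    'share, write offset on original ($a=$c; $c[0]=..)' => '$a = $c; $c[0] = "b";',
    'share, write offset on copy ($a=$c; $a[0]=..)'     => '$a = $c; $a[0] = "b";',
    'share, append copy to itself ($a=$c; $a.=$a)'      => '$a = $c; $a .= $a;',
    'share, append empty string ($a=$c; $a.="")'        => '$a = $c; $a .= "";',
    'no sharing, control ($c.=$c; $c[0]=..)'            => '$c .= $c; $c[0] = "b";',
);

// Run one pattern in a child process and return its exit status.
function runVariant($phpBinary, $code, $limitMb)
{
    $bytes  = (int) ($limitMb * 1048576 / 1.5);
    $script = '$c = str_repeat("a", ' . $bytes . '); ' . $code . ' echo "done";';
    // -n ignores php.ini so memory_limit is exactly the value passed here.
    $cmd = escapeshellarg($phpBinary)
         . ' -n -d memory_limit=' . $limitMb . 'M -d display_errors=stderr -r '
         . escapeshellarg($script) . ' 2>/dev/null';
    exec($cmd, $output, $status);
    return $status;
}

// Map the exit status to what happened in the child.
function classify($status)
{
    if ($status === 0) {
        return 'completed';
    }
    if ($status === 255) {
        return 'fatal error, process shut down cleanly';
    }
    if ($status === 139 || $status === 11) {
        return 'CRASH: killed by SIGSEGV after the fatal error';
    }
    return "exited with status $status";
}

foreach ($variants as $label => $code) {
    printf("%-52s %s\n", $label, classify(runVariant($phpBinary, $code, CHILD_LIMIT_MB)));
}
```

On a PHP 5.x build affected by this report the shared-string variants are expected to show the SIGSEGV line while the control shows only the fatal error; on PHP 7.0.2 and later every variant should end with either the clean fatal error or, for the empty-string append that no longer needs a copy, completion. Pass a different binary as the first argument to compare builds side by side.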


History
 [2015-09-18 01:07 UTC] kontakt at unnex dot de
no answer?
 [2015-09-18 05:11 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-01-15 15:34 UTC] kontakt at unnex dot de
Thanks for fixing the bug in 7.0.2 :-)
 [2016-07-14 10:37 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 10:37 UTC] dmitry@php.net
Memory overflow handling in PHP-5.* wasn't graceful, and a memory overflow might cause unexpected behaviour on an attempt to finish the request.
This is fixed in PHP-7.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 07 12:01:32 2024 UTC