Bug #70430 Stack buffer overflow in zend_language_parser()
Submitted: 2015-09-04 14:38 UTC Modified: 2015-10-15 20:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: s dot paraschoudis at gmail dot com Assigned: nikic
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC2 OS: Ubuntu 14.04 x32
Private report: No CVE-ID:
 [2015-09-04 14:38 UTC] s dot paraschoudis at gmail dot com
Description:
------------
Testcase:
==============
<?php

$"*** Testing function() :  ***\n";

?>


Output:
=================================================================
==22228== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfaca400 at pc 0x8a1f38c bp 0xbfac98d8 sp 0xbfac98cc
WRITE of size 1 at 0xbfaca400 thread T0
    #0 0x8a1f38b in yysyntax_error zend_language_parser.c:3256
    #1 0x8a34a3b in zendparse zend_language_parser.c:6833
    #2 0x8a39f0b in compile_file zend_language_scanner.l:591
    #3 0x85e17db in phar_compile_file phar.c:3311
    #4 0x8b603e7 in zend_execute_scripts zend.c:1394
    #5 0x899925f in php_execute_script main.c:2471
    #6 0x8f8b802 in do_cli php_cli.c:971
    #7 0x8f8e1c7 in main php_cli.c:1342
    #8 0xb5dd2a82 in __libc_start_main libc-start.c:287
    #9 0x8064560 in _start ??:?
Address 0xbfaca400 is located at offset 1760 in frame <zendparse> of T0's stack:
  This frame has 8 object(s):
    [32, 36) 'yylval'
    [96, 100) 'yyval'
    [160, 164) 'yymsg'
    [224, 228) 'yymsg_alloc'
    [288, 304) 'zv'
    [352, 752) 'yyssa'
    [800, 1600) 'yyvsa'
    [1632, 1760) 'yymsgbuf'


Without ASAN instrumentation:

gdb-peda$ r testcase.php 
Starting program: /home/user/Desktop/php-7.0.0RC2/sapi/cli/php testcase.php
*** stack smashing detected ***: /home/user/Desktop/php-7.0.0RC2/sapi/cli/php terminated

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x1cf1 
ECX: 0x1cf1 
EDX: 0x6 
ESI: 0x59 ('Y')
EDI: 0xb7dc4000 --> 0x1a9da8 
EBP: 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
ESP: 0xbfffaf04 --> 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
EIP: 0xb7fdd428 (<__kernel_vsyscall+16>:	pop    ebp)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7fdd424 <__kernel_vsyscall+12>:	nop
   0xb7fdd425 <__kernel_vsyscall+13>:	nop
   0xb7fdd426 <__kernel_vsyscall+14>:	int    0x80
=> 0xb7fdd428 <__kernel_vsyscall+16>:	pop    ebp
   0xb7fdd429 <__kernel_vsyscall+17>:	pop    edx
   0xb7fdd42a <__kernel_vsyscall+18>:	pop    ecx
   0xb7fdd42b <__kernel_vsyscall+19>:	ret    
   0xb7fdd42c:	add    BYTE PTR [esi],ch
[------------------------------------stack-------------------------------------]
0000| 0xbfffaf04 --> 0xbfffb178 --> 0xb7d7d61b ("stack smashing detected")
0004| 0xbfffaf08 --> 0x6 
0008| 0xbfffaf0c --> 0x1cf1 
0012| 0xbfffaf10 --> 0xb7c48607 (<raise+71>:	xchg   ebx,edi)
0016| 0xbfffaf14 --> 0xb7dc4000 --> 0x1a9da8 
0020| 0xbfffaf18 --> 0xbfffafb4 --> 0xb7857cf0 --> 0xb7857d20 --> 0xb7857d50 --> 0xb7857d80 --> 0xb7857db0 --> 0xb7857de0 --> 0xb7857e10 --> 0xb7857e40 --> 0xb7857e70 --> 0xb7857ea0 --> 0xb7857ed0 --> 0xb7857f00 --> 0xb7857f30 --> 0xb7857f60 --> 0xb7857f90 --> 0xb7857fc0 --> 0x0 
0024| 0xbfffaf1c --> 0xb7c4ba33 (<abort+323>:	mov    edx,DWORD PTR gs:0x8)
0028| 0xbfffaf20 --> 0x6 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0xb7fdd428 in __kernel_vsyscall ()
gdb-peda$ bt
#0  0xb7fdd428 in __kernel_vsyscall ()
#1  0xb7c48607 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xb7c4ba33 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xb7c82e53 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xb7d1585b in __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0xb7d157ea in __stack_chk_fail () from /lib/i386-linux-gnu/libc.so.6
#6  0x083c9165 in zendparse () at /home/user/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:7003
#7  0x083caa70 in compile_file (file_handle=0xbfffdd14, type=0x8) at Zend/zend_language_scanner.l:591
#8  0x08289f23 in phar_compile_file (file_handle=0xbfffdd14, type=0x8) at /home/user/Desktop/php-7.0.0RC2/ext/phar/phar.c:3311
#9  0x084133e8 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-7.0.0RC2/Zend/zend.c:1394
#10 0x083976b0 in php_execute_script (primary_file=0xbfffdd14) at /home/user/Desktop/php-7.0.0RC2/main/main.c:2471
#11 0x084b82f0 in do_cli (argc=0x2, argv=0x8a02218) at /home/user/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:971
#12 0x084b91a9 in main (argc=0x2, argv=0x8a02218) at /home/user/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:1342
#13 0xb7c33a83 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#14 0x08063a71 in _start ()

Please note I couldn't reproduce it on a 64bit machine.

Regards,
Symeon


History

 [2015-09-04 15:42 UTC] s dot paraschoudis at gmail dot com
Update: I can reproduce it on 64bit, here's the output:

=================================================================
==89897==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffa164cff0 at pc 0x0000018bdba5 bp 0x7fffa164c390 sp 0x7fffa164c388
WRITE of size 1 at 0x7fffa164cff0 thread T0
    #0 0x18bdba4 in yysyntax_error /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:3256:18
    #1 0x18bb113 in zendparse /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:6833:33
    #2 0x18c7c02 in compile_file /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_scanner.l:591:8
    #3 0x114cdfa in phar_compile_file /home/symeon/Desktop/php-7.0.0RC2/ext/phar/phar.c:3311:9
    #4 0x1a91e46 in zend_execute_scripts /home/symeon/Desktop/php-7.0.0RC2/Zend/zend.c:1394:14
    #5 0x1798ef4 in php_execute_script /home/symeon/Desktop/php-7.0.0RC2/main/main.c:2471:14
    #6 0x1f1f06e in do_cli /home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:971:5
    #7 0x1f1ab3e in main /home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php_cli.c:1342:18
    #8 0x7fd6fcae8ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x45e355 in _start (/home/symeon/Desktop/php-7.0.0RC2/sapi/cli/php+0x45e355)

Address 0x7fffa164cff0 is located in stack of thread T0 at offset 2416 in frame
    #0 0x18a5b4f in zendparse /home/symeon/Desktop/php-7.0.0RC2/Zend/zend_language_parser.c:4023

  This frame has 10 object(s):
    [32, 40) 'yylval'
    [64, 464) 'yyssa'
    [528, 2128) 'yyvsa'
    [2256, 2264) 'yyval'
    [2288, 2416) 'yymsgbuf' <== Memory access at offset 2416 overflows this variable
    [2448, 2456) 'yymsg'
    [2480, 2488) 'yymsg_alloc'
    [2512, 2528) 'zv'
    [2544, 2560) 'zv1105'
    [2576, 2592) 'zv1875'
 [2015-09-04 20:05 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-10-11 13:43 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2015-10-11 13:43 UTC] felipe@php.net
I can't reproduce it. Can you try again?
 [2015-10-11 13:54 UTC] s dot paraschoudis at gmail dot com
Hi, I just tested on the RC4 release, it still crashes it.
I have more test cases that trigger it, but you should be able to reproduce it.
 [2015-10-11 14:04 UTC] s dot paraschoudis at gmail dot com
Alright, it looks like it doesn't crash anymore on the latest PHP (RC4) with a non-ASAN build,
but trying with an ASAN one you should catch it.
 [2015-10-11 14:14 UTC] nikic@php.net
Regardless of whether it crashes or not, our yytnamerr implementation is clearly bogus. The !yyerr branch [1] simply returns yystrlen(yystr), which does not account for the additional information we show in the error message.

[1]: http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_language_parser.y#1281
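The sizing mismatch described above, as an added example and not PHP's own zend_yytnamerr code: a simplified model of a bison yytnamerr() hook whose NULL-buffer path under-reports the length the writing path actually produces, beside a version whose two paths agree. The hook names, the token name "T_STRING" and the scanner text "***" are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a bison yytnamerr() hook, added here for illustration;
 * it is not PHP's zend_yytnamerr. yysyntax_error() calls the hook twice: with
 * yyres == NULL to size the message, then with a buffer to write it, so the two
 * paths must agree on the length or the write overruns yymsgbuf. */

/* Constructed scanner text for the unexpected token (stands in for yytext). */
static const char *g_yytext = "***";

/* Buggy: the sizing path returns the bare token name length, but the writing
 * path appends " (<yytext>)" and so emits more bytes than were reserved. */
static size_t yytnamerr_buggy(char *yyres, const char *yystr)
{
    if (!yyres)
        return strlen(yystr);
    return (size_t)sprintf(yyres, "%s (%s)", yystr, g_yytext);
}

/* Fixed: one length computation covers the full decorated text, and the write
 * happens only when a buffer is supplied. */
static size_t yytnamerr_fixed(char *yyres, const char *yystr)
{
    size_t n = strlen(yystr) + strlen(g_yytext) + 3;  /* " (" plus ")" */
    if (yyres)
        sprintf(yyres, "%s (%s)", yystr, g_yytext);
    return n;
}

/* Mimics the yysyntax_error() size-then-write pattern and reports how many
 * bytes the write exceeds the sized length by; 0 means the buffer is safe. */
static size_t overflow_bytes(size_t (*tnamerr)(char *, const char *),
                             const char *tok)
{
    char scratch[256];  /* oversized so the demo itself never overruns */
    size_t sized = tnamerr(NULL, tok);
    size_t written = tnamerr(scratch, tok);
    return written > sized ? written - sized : 0;
}

int main(void)
{
    printf("buggy: %zu excess bytes\n", overflow_bytes(yytnamerr_buggy, "T_STRING"));
    printf("fixed: %zu excess bytes\n", overflow_bytes(yytnamerr_fixed, "T_STRING"));
    return 0;
}
```

With a 128-byte yymsgbuf, a few excess bytes per expected token are enough to reach the adjacent stack objects in the ASAN frame listing above.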
 [2015-10-12 20:08 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2015-10-12 20:08 UTC] nikic@php.net
I can't repro this myself, could you please check whether the patch at https://github.com/php/php-src/pull/1571 fixes the issue?
 [2015-10-12 21:24 UTC] s dot paraschoudis at gmail dot com
-Status: Feedback +Status: Assigned
 [2015-10-12 21:24 UTC] s dot paraschoudis at gmail dot com
Hi, it looks like it's still there but this time on line zend_language_parser.c:3268

while ((*yyp = *yyformat) != '\0') <-- according to asan here is where the overflow occurs.

Output:

==37540==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff12f060d0 at pc 0x000001227dbd bp 0x7fff12f05490 sp 0x7fff12f05488
WRITE of size 1 at 0x7fff12f060d0 thread T0
    #0 0x1227dbc in yysyntax_error /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:3268:18
    #1 0x122636a in zendparse /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:6845:33
    #2 0x122ed0c in compile_file /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_scanner.l:591:8
    #3 0xd46a25 in phar_compile_file /home/symeon/Desktop/php-7.0_fixed/ext/phar/phar.c:3311:9
    #4 0x13650ea in zend_execute_scripts /home/symeon/Desktop/php-7.0_fixed/Zend/zend.c:1422:14
    #5 0x116f324 in php_execute_script /home/symeon/Desktop/php-7.0_fixed/main/main.c:2471:14
    #6 0x16869ad in do_cli /home/symeon/Desktop/php-7.0_fixed/sapi/cli/php_cli.c:971:5
    #7 0x1684168 in main /home/symeon/Desktop/php-7.0_fixed/sapi/cli/php_cli.c:1342:18
    #8 0x7faeb5d00ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x45f665 in _start (/home/symeon/Desktop/php-7.0_fixed/sapi/cli/php+0x45f665)

Address 0x7fff12f060d0 is located in stack of thread T0 at offset 2416 in frame
    #0 0x12137af in zendparse /home/symeon/Desktop/php-7.0_fixed/Zend/zend_language_parser.c:4035

  This frame has 10 object(s):
    [32, 40) 'yylval'
    [64, 464) 'yyssa'
    [528, 2128) 'yyvsa'
    [2256, 2264) 'yyval'
    [2288, 2416) 'yymsgbuf' <== Memory access at offset 2416 overflows this variable
    [2448, 2456) 'yymsg'
    [2480, 2488) 'yymsg_alloc'
    [2512, 2528) 'zv'
    [2544, 2560) 'zv2'
    [2576, 2592) 'zv3'


Did you try to build php with AddressSanitizer and you couldn't reproduce it?
 [2015-10-12 21:29 UTC] s dot paraschoudis at gmail dot com
By the way I don't know why the status has changed, sorry for that!
 [2015-10-15 19:41 UTC] nikic@php.net
Just did an asan build. I can repro the issue before the patch, but not after the patch. (x64)
 [2015-10-15 20:00 UTC] s dot paraschoudis at gmail dot com
Hi, my bad, I modified the zend_language_parser.c, sorry!
Yeah it fixes this and my other cases. Great!
Cheers
 [2015-10-15 20:16 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e3e92e96c158c4fc294ead36f9d73941bdbf679e
Log: Fixed bug #70430
 [2015-10-15 20:16 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2015-10-25 12:42 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5576aee84faa4ecc4ffb8f2ea4809c73b4601e2d
Log: Fixed bug #70430
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e3e92e96c158c4fc294ead36f9d73941bdbf679e
Log: Fixed bug #70430
Last updated: Tue Feb 28 14:01:40 2017 UTC