php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71894 AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
Submitted: 2016-03-25 07:19 UTC Modified: 2016-07-28 23:07 UTC
From: fernando at null-life dot com Assigned: cmb
Status: Closed Package: Calendar related
PHP Version: 5.6.19 OS: Linux
Private report: No CVE-ID:
 [2016-03-25 07:19 UTC] fernando at null-life dot com
Description:
------------
Recompile PHP with ASAN enabled and run the test script. 

Test script:
---------------
<?php

cal_from_jd(999, CAL_JEWISH);

Expected result:
----------------
Not crash

Actual result:
--------------
$ /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php test.php 
=================================================================
==12485==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a188e7c at pc 0x083db7aa bp 0xbfb5d3a8 sp 0xbfb5d398
READ of size 4 at 0x0a188e7c thread T0
    #0 0x83db7a9 in zif_cal_from_jd /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:426
    #1 0x9804a25 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #2 0x93f0a75 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #3 0x959ce43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #4 0x91f35fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #5 0x8ef82f5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #6 0x9811848 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #7 0x807f668 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #8 0xb6e29645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #9 0x807fc3b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x807fc3b)

0x0a188e7c is located 4 bytes to the left of global variable 'monthsPerYear' defined in '/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/jewish.c:290:5' (0xa188e80) of size 76
0x0a188e7c is located 36 bytes to the right of global variable 'JewishMonthNameLeap' defined in '/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/jewish.c:302:7' (0xa188e20) of size 56
SUMMARY: AddressSanitizer: global-buffer-overflow /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:426 zif_cal_from_jd
Shadow bytes around the buggy address:
  0x21431170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21431180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21431190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x214311a0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x214311b0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
=>0x214311c0: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9[f9]
  0x214311d0: 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
  0x214311e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x214311f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21431200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21431210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==12485==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-03-25 21:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-25 21:08 UTC] stas@php.net
ext/calendar/calendar.c:426 is this:

https://github.com/php/php-src/blob/PHP-5.6/ext/calendar/calendar.c#L426

		add_assoc_string(return_value, "abbrevmonth", JEWISH_MONTH_NAME(year)[month], 1);


And month year and day would be 0 there. As far as I can see, the only issue there may be this:

#define JEWISH_MONTH_NAME(year) 	((monthsPerYear[((year)-1) % 19] == 13)?JewishMonthNameLeap:JewishMonthName)

If year is 0, it may access monthsPerYear[-1] which is not right. Would not produce any consequences though as it is used to just choose between two options, each of which would produce "" anyway. Accessing [-1] is not nice, but definitely not a security issue.
 [2016-04-04 01:37 UTC] fernando at null-life dot com
The following command also segfaults under ASAN: 

php -r "jdmonthname(6,4);"

==6871==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a4ad5fc at pc 0x08422429 bp 0xbfffcd08 sp 0xbfffccf8
READ of size 4 at 0x0a4ad5fc thread T0
    #0 0x8422428 in zif_jdmonthname /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/calendar/calendar.c:740
    #1 0x9a92c45 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #2 0x967ec95 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #3 0x982b063 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #4 0x93ecc33 in zend_eval_stringl /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1077
    #5 0x93ed66f in zend_eval_stringl_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1124
    #6 0x93ed66f in zend_eval_string_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:1135
    #7 0x9a9f291 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1034
    #8 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #9 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #10 0x808881b  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b)



Line 740 includes the same macro, so it's probably the same issue.:

   monthname = JEWISH_MONTH_NAME(year)[month];
 [2016-07-28 23:07 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: cmb
 [2016-07-28 23:07 UTC] cmb@php.net
The actual problem is that Julian days < 347998, which result in
invalid Jewish dates are not particularly catered to. Simply
fixing this OOB read is possible, but still would yield
nonsentical results from cal_from_jd($jd, CAL_JEWISH) wrt. the
day. Therefore it appears to be reasonable to also adjust the
day related fields.
 [2016-07-28 23:34 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f67ccd4a7b8fb4b9e55796e69b152e2a899ba3cd
Log: Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
 [2016-07-28 23:34 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f67ccd4a7b8fb4b9e55796e69b152e2a899ba3cd
Log: Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 01:01:34 2017 UTC