Sec Bug #71906 AddressSanitizer: negative-size-param (-1) in mbfl_strcut
Submitted: 2016-03-26 23:29 UTC Modified: 2016-04-25 17:06 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: mbstring related
PHP Version: 5.5.33 OS:
Private report: No CVE-ID: 2016-4073
 [2016-03-26 23:29 UTC] fernando at null-life dot com
Description:
------------
1. Compile PHP with ASAN enabled.
2. Run attached test case on 32 bits.

php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2858
2858            if (len < 0) {
(gdb) print len
$64 = 2147483647 
This value will later set the sz value to -1, and that value is used inside memcpy.

php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1542
1560    sz = end - start;
...
1568    memcpy(w, start, sz);



Test script:
---------------
<?php

$var1 = "AAAA";
$var2 = 1;
$var3 = 2147483647; // max int (2^31 - 1)

mb_strcut($var1, $var2, $var3);

Expected result:
----------------
Not crash

Actual result:
--------------
=================================================================
==415==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0xb7ae5b04 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ab04)
    #1 0xb7ae5c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x87cb167 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:53
    #3 0x87cb167 in mbfl_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1568
    #4 0x87fcb5e in zif_mb_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2869
    #5 0x9a3a625 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #6 0x9626675 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #7 0x97d2a43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #8 0x94291fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #9 0x912def5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #10 0x9a47448 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #11 0x8087418 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #12 0xb7640645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #13 0x80879eb  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x80879eb)

0xb3017411 is located 97297 bytes inside of 1048576-byte region [0xb2fff800,0xb30ff800)
allocated by thread T0 here:
    #0 0xb7af1d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x954157e in zend_interned_strings_init /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_string.c:48

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
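The arithmetic behind this report, as an added C example that is neither PHP's code nor the fix in the linked commit: a strcut-style length clamp written as `from + length > slen` wraps on a 32-bit int for the report's inputs (from=1, length=2147483647) and lets the unclamped length flow on towards memcpy, while clamping against the remaining bytes does not. The function names and the explicit-wraparound helper are constructed for the demo.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo (not libmbfl code). Signed overflow is undefined in C,
 * so the wrap is reproduced explicitly via unsigned arithmetic. */
static int32_t wrapped_add(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Overflow-prone clamp: with from=1 and length=INT_MAX, from+length wraps
 * to INT_MIN, the comparison is false, and the huge length is returned. */
int32_t clamp_len_overflowing(int32_t slen, int32_t from, int32_t length) {
    if (wrapped_add(from, length) > slen) {
        length = slen - from;
    }
    return length;
}

/* Hardened clamp: validate each operand, then compare against the bytes
 * remaining after `from`; slen - from cannot overflow once 0 <= from <= slen.
 * Returns -1 for invalid input instead of a wrapped value. */
int32_t clamp_len_safe(int32_t slen, int32_t from, int32_t length) {
    if (slen < 0 || from < 0 || length < 0 || from > slen) return -1;
    if (length > slen - from) length = slen - from;
    return length;
}

/* Copies the cut into dst only when the clamped length is valid and fits.
 * Returns the number of bytes copied, or -1 if the request was rejected. */
int32_t strcut_safe(char *dst, size_t dstcap, const char *src,
                    int32_t slen, int32_t from, int32_t length) {
    int32_t n = clamp_len_safe(slen, from, length);
    if (n < 0 || (size_t)n >= dstcap) return -1;
    memcpy(dst, src + from, (size_t)n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    char out[16];
    printf("overflowing clamp: %d\n", clamp_len_overflowing(4, 1, INT_MAX)); /* 2147483647 */
    printf("safe clamp: %d\n", clamp_len_safe(4, 1, INT_MAX));               /* 3 */
    printf("copied %d bytes: %s\n",
           strcut_safe(out, sizeof out, "AAAA", 4, 1, INT_MAX), out);        /* 3, AAA */
    return 0;
}
```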



History

 [2016-03-28 08:22 UTC] stas@php.net
-PHP Version: 5.6.19 +PHP Version: 5.5.33
 [2016-03-28 08:22 UTC] stas@php.net
This should fix it: https://gist.github.com/smalyshev/d8355c96a657cc5dba70

Please verify.
 [2016-03-28 08:27 UTC] stas@php.net
In security repo as 64f42c73efc58e88671ad76b6b6bc8e2b62713e1
 [2016-03-29 00:29 UTC] fernando at null-life dot com
Patch works; I don't get any warning now.
 [2016-03-29 06:47 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8dd10508bd66b6eefb18d319577b443fb1e0c55
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8dd10508bd66b6eefb18d319577b443fb1e0c55
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-04-25 17:06 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4073
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 01:01:34 2017 UTC