php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72093 bcpowmod accepts negative scale and corrupts _one_ definition
Submitted: 2016-04-24 08:05 UTC Modified: 2016-05-06 06:43 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: BC math related
PHP Version: 5.5.34 OS: Linux
Private report: No CVE-ID: 2016-4537
 [2016-04-24 08:05 UTC] fernando at null-life dot com
Description:
------------
Run with ASAN 

Test script:
---------------
<?php

bcpowmod(1, "A", 128, -200);
bcpowmod(1, 1.2, 1, 1);


Expected result:
----------------
No crash

Actual result:
--------------
bc math warning: non-zero scale in exponent
=================================================================
==15893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3805f68 at pc 0x083fd271 bp 0xbf91e4d8 sp 0xbf91e4c8
READ of size 1 at 0xb3805f68 thread T0
    #0 0x83fd270 in bc_divide /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122
    #1 0x83fff96 in bc_raisemod /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/raisemod.c:69
    #2 0x83f9923 in zif_bcpowmod /home/fmunozs/phpgit/php56/ext/bcmath/bcmath.c:426
    #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
    #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
    #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
    #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
    #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
    #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
    #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #10 0xb6dbe645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #11 0x808aaba  (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

0xb3805f68 is located 8 bytes to the left of 8-byte region [0xb3805f70,0xb3805f78)
freed by thread T0 here:
    #0 0xb726f9f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4)
    #1 0xb334c911  (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa911)

previously allocated by thread T0 here:
    #0 0xb726fd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0xb334c17e  (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa17e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 bc_divide
Shadow bytes around the buggy address:
  0x36700b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700bb0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fa
  0x36700bc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700bd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x36700be0: fa fa fd fa fa fa fd fa fa fa fd fa fa[fa]fd fa
  0x36700bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x36700c00: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 06
  0x36700c10: fa fa 00 03 fa fa 00 05 fa fa 00 06 fa fa 00 07
  0x36700c20: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 05
  0x36700c30: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15893==ABORTING


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-04-25 01:31 UTC] stas@php.net
-Summary: AddressSanitizer: heap-buffer-overflow libbcmath/src/div.c:122 bc_divide +Summary: bcpowmod accepts negative scale and corrupts _one_ definition -Assigned To: +Assigned To: stas
 [2016-04-25 01:31 UTC] stas@php.net
Two problems here actually: bcpowmod accepting negative scale and _one_ definition being overridden by scale adjustment.
 [2016-04-25 01:35 UTC] stas@php.net
-PHP Version: 5.6.20 +PHP Version: 5.5.34
 [2016-04-25 01:35 UTC] stas@php.net
Fixed in security repo in d650063a0457aec56364e4005a636dc6c401f9cd and on gist in https://gist.github.com/21c94ad05a2ab960c7631ad9999a1044
. Please verify.
 [2016-04-25 03:51 UTC] fernando at null-life dot com
Patch works OK. Thanks.
 [2016-04-27 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-04-27 05:57 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-04-27 06:49 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-04-27 10:31 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-04-27 11:00 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ed52bcb3dcb2e7dbc009ef8c6579fb1276ca73c1
Log: Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
 [2016-05-06 06:43 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4537
 [2016-05-06 06:43 UTC] remi@php.net
Use CVE-2016-4537 for "bcpowmod accepting negative scale."

Use CVE-2016-4538 for "_one_ definition being overridden by scale adjustment."
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Feb 24 01:01:37 2017 UTC