Bug #72776 Invalid parameter in memcpy function through openssl_pbkdf2
Submitted: 2016-08-07 14:44 UTC Modified: 2017-02-13 01:45 UTC
From: marceloje at gmail dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.24 OS: Linux
Private report: No CVE-ID: None
 [2016-08-07 14:44 UTC] marceloje at gmail dot com
Description:
------------
When the key_length parameter is greater than 0x7fffffff, the size parameter is interpreted as negative in memcpy, inside the PKCS5_PBKDF2_HMAC function (libcrypto.so).

This issue happens only in the PHP 5.6 branch. PHP 7.0 avoids this issue through the PHP_OPENSSL_CHECK_NUMBER_CONVERSION macro: https://github.com/php/php-src/blob/PHP-7.0.10/ext/openssl/openssl.c#L541

Test script:
---------------
poc.php

<?php

openssl_pbkdf2("emyei", "beford", 0x100000000 - 1, 0);

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

USE_ZEND_ALLOC=0 ASAN_OPTIONS=detect_leaks=0 /home/operac/build2/bin/php -n poc.php
=================================================================
==11421==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x7f919d1029a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x7f919b2c87e9 in PKCS5_PBKDF2_HMAC (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0x1317e9)
    #2 0x5be33e in zif_openssl_pbkdf2 /home/operac/build2/php-src-56/ext/openssl/openssl.c:4080
    #3 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #4 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #5 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #6 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #7 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #8 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #9 0x7f919ab4482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

Address 0x7ffd544616b0 is located in stack of thread T0
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==11421==ABORTING
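The defect described in the report is a narrowing conversion: PHP's integer (a 64-bit C long on Linux) is handed to a libcrypto function whose length parameter is a plain C int, so 0xFFFFFFFF silently becomes -1. The following C program is an added illustration, not code from php-src or OpenSSL: it contrasts the unchecked cast with a range check modelled on what the report says PHP 7's PHP_OPENSSL_CHECK_NUMBER_CONVERSION macro does (the exact shape of that macro is an assumption here). The stand-in type `keylen_t` and the function names are constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the parameter type used by PKCS5_PBKDF2_HMAC for the output
 * length: a plain C int. Constructed for this example; no key is derived. */
typedef int keylen_t;

/* Unchecked pattern (the PHP 5.6 behaviour the report describes): the PHP
 * integer is cast straight to int. On LP64 Linux the upper 32 bits are
 * dropped, so 0xFFFFFFFF arrives at libcrypto as -1. */
keylen_t keylen_unchecked(int64_t key_length)
{
    return (keylen_t)key_length;
}

/* Hardened pattern, modelled on PHP_OPENSSL_CHECK_NUMBER_CONVERSION (assumed
 * shape, not copied from php-src): reject any value that does not fit in a
 * non-negative int before it reaches the int-taking API.
 * Returns 0 and stores the value in *out on success, -1 on rejection
 * (the caller would then warn "key_length is too long" and return FALSE). */
int keylen_checked(int64_t key_length, keylen_t *out)
{
    if (key_length < 0 || key_length > INT_MAX) {
        return -1;
    }
    *out = (keylen_t)key_length;
    return 0;
}

int main(void)
{
    /* Same value as the report's test script: 0x100000000 - 1 */
    int64_t requested = (int64_t)0x100000000LL - 1;
    keylen_t safe_len = 0;

    printf("unchecked cast yields: %d\n", keylen_unchecked(requested));
    if (keylen_checked(requested, &safe_len) != 0) {
        printf("checked conversion rejected %lld\n", (long long)requested);
    }
    if (keylen_checked(32, &safe_len) == 0) {
        printf("checked conversion accepted %d\n", safe_len);
    }
    return 0;
}
```

The check has to happen in the PHP extension, before the call into libcrypto: PKCS5_PBKDF2_HMAC cannot tell that a negative length was once a large positive one, which is exactly why ASan reports the failure inside memcpy rather than at the PHP boundary.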



History

 [2016-08-07 21:26 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-08-07 21:26 UTC] stas@php.net
Doesn't look to me like security issue. Assigning to OpenSSL maintainer.
 [2016-10-30 22:04 UTC] stas@php.net
-Assigned To: pajoye +Assigned To: bukka
 [2016-11-02 19:49 UTC] bukka@php.net
From the quick check, it would require a very high memory limit and the app would have to allow the user to set the key length, which has a very small probability IMHO. I would consider it as low severity.

If there are no objections, I will commit a fix to the public repo to 5.6 only and leave it to the RM to decide if it should be ported to 5.5.
 [2016-11-03 03:40 UTC] stas@php.net
5.5 is EOL. Please feel free to commit to 5.6 and above.
 [2016-11-06 20:49 UTC] bukka@php.net
-Status: Assigned +Status: Closed
 [2016-11-06 20:49 UTC] bukka@php.net
Fixed in 5.6
 [2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC