php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72910 Out of bounds heap read in mbc_to_code() / triggered by mb_ereg_match()
Submitted: 2016-08-21 05:52 UTC Modified: 2016-09-02 06:30 UTC
From: hanno at hboeck dot de Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.0.10 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: hanno at hboeck dot de
New email:
PHP Version: OS:

 

 [2016-08-21 05:52 UTC] hanno at hboeck dot de
Description:
------------
Passing certain inputs to mb_ereg_match() as a regular expression will cause an out of bounds heap read access in the function mbc_to_code(). This code belongs to oniguruma, therefore it may be that the bug is in there (I'll try to reproduce it with "plain" oniguruma later).

To see this bug one needs to compile php with address sanitizer (-fsanitize=address in CFLAGS/LDFLAGS) and disable zend memory allocation (USE_ZEND_ALLOC=0). I'll post a short example PHP code that triggers this bug below.

Note: I saw the open bug #72405 which seems very similar, but not the same (stack oob, not heap, but same function). I can't reproduce #72405 however, maybe it has already been silently fixed.


Full Address Sanitizer stack trace:
==15625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000027fc0 at pc 0x10a251b bp 0x7fffe51d98b0 sp 0x7fffe51d98a0
READ of size 1 at 0x603000027fc0 thread T0
    #0 0x10a251a in mbc_to_code /f/php/php-7.0.10/ext/mbstring/oniguruma/enc/utf8.c:105
    #1 0x106332d in fetch_token /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:3146
    #2 0x1070b0d in parse_exp /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:5090
    #3 0x107f55c in parse_branch /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:5435
    #4 0x107ffde in parse_subexp /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:5472
    #5 0x10814de in parse_regexp /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:5516
    #6 0x10814de in onig_parse_make_tree /f/php/php-7.0.10/ext/mbstring/oniguruma/regparse.c:5543
    #7 0xff7b5c in onig_compile /f/php/php-7.0.10/ext/mbstring/oniguruma/regcomp.c:5300
    #8 0xffe6ea in onig_new /f/php/php-7.0.10/ext/mbstring/oniguruma/regcomp.c:5545
    #9 0x11e9c35 in php_mbregex_compile_pattern /f/php/php-7.0.10/ext/mbstring/php_mbregex.c:456
    #10 0x11e9c35 in zif_mb_ereg_match /f/php/php-7.0.10/ext/mbstring/php_mbregex.c:1172
    #11 0x1f358dc in ZEND_DO_ICALL_SPEC_HANDLER /f/php/php-7.0.10/Zend/zend_vm_execute.h:586
    #12 0x1e96595 in execute_ex /f/php/php-7.0.10/Zend/zend_vm_execute.h:414
    #13 0x22bf5ae in zend_execute /f/php/php-7.0.10/Zend/zend_vm_execute.h:458
    #14 0x1c661db in zend_execute_scripts /f/php/php-7.0.10/Zend/zend.c:1427
    #15 0x198c06f in php_execute_script /f/php/php-7.0.10/main/main.c:2494
    #16 0x22ca6dc in do_cli /f/php/php-7.0.10/sapi/cli/php_cli.c:974
    #17 0x4713b8 in main /f/php/php-7.0.10/sapi/cli/php_cli.c:1344
    #18 0x7f103b8b078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #19 0x4723f8 in _start (/mnt/ram/php/php+0x4723f8)

0x603000027fc0 is located 0 bytes to the right of 32-byte region [0x603000027fa0,0x603000027fc0)
allocated by thread T0 here:
    #0 0x7f103cf6b707 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57707)
    #1 0x1fb9f87 in zend_string_alloc /f/php/php-7.0.10/Zend/zend_string.h:121
    #2 0x1fb9f87 in ZEND_CONCAT_SPEC_CONST_TMPVAR_HANDLER /f/php/php-7.0.10/Zend/zend_vm_execute.h:10404

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/php/php-7.0.10/ext/mbstring/oniguruma/enc/utf8.c:105 mbc_to_code
Shadow bytes around the buggy address:
  0x0c067fffcfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffcff0: fa fa fa fa 00 00 00 00[fa]fa fd fd fd fd fa fa
  0x0c067fffd000: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
  0x0c067fffd010: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffd020: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fffd030: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fffd040: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==15625==ABORTING


Test script:
---------------
<?php mb_ereg_match("0000".chr(0xfb), "");


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-21 07:52 UTC] hanno at hboeck dot de
Reported to oniguruma upstream as well:
https://github.com/kkos/oniguruma/issues/16
 [2016-08-21 09:26 UTC] hanno at hboeck dot de
Upstream fix:
https://github.com/kkos/oniguruma/commit/65bdf2a0d160d06556415e5f396a75f6b11bad5c
 [2016-09-02 06:24 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:24 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-02 06:25 UTC] stas@php.net
-Assigned To: stas +Assigned To: \
 [2016-09-02 06:25 UTC] stas@php.net
Oops, wrong bug, disregard that.
 [2016-09-02 06:30 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: \ +Assigned To:
 [2016-09-02 06:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e576714f6b4829763b797c552217a14e6d30ca59
Log: Fix bug #72910
 [2016-09-02 06:30 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=486056b2153f7177cd8a7c78d93968726ee8fa65
Log: Fix bug #72910
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e576714f6b4829763b797c552217a14e6d30ca59
Log: Fix bug #72910
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 09:01:31 2024 UTC