Bug #73022 str_repeat write access violation
Submitted: 2016-09-05 20:40 UTC Modified: 2016-09-18 04:22 UTC
From: fernando at null-life dot com Assigned:
Status: No Feedback Package: Strings related
PHP Version: 7.0.10 OS: Windows
Private report: No CVE-ID: None
 [2016-09-05 20:40 UTC] fernando at null-life dot com
Description:
------------
The attached script causes a write access violation when running with the windows.php.com binary with USE_ZEND_ALLOC=0.


PHP_FUNCTION(str_repeat)
{
	zend_string		*input_str;		/* Input string */
	zend_long 		mult;			/* Multiplier */
	zend_string	*result;		/* Resulting string */
	size_t		result_len;		/* Length of the resulting string */

	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Sl", &input_str, &mult) == FAILURE) {
		return;
	}

	if (mult < 0) {
		php_error_docref(NULL, E_WARNING, "Second argument has to be greater than or equal to 0");
		return;
	}

	/* Don't waste our time if it's empty */
	/* ... or if the multiplier is zero */
	if (ZSTR_LEN(input_str) == 0 || mult == 0)
		RETURN_EMPTY_STRING();

	/* Initialize the result string */
-->	result = zend_string_safe_alloc(ZSTR_LEN(input_str), mult, 0, 0);
	result_len = ZSTR_LEN(input_str) * mult;


Test script:
---------------
<?php

$v3=str_repeat("#", 0xffffffff/3);


Expected result:
----------------
No crash

Actual result:
--------------
(2a90.24c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_str_repeat+0x76:
6263c906 c70601000000    mov     dword ptr [esi],1    ds:002b:00000000=????????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=55555555 ecx=ad59a3d1 edx=00000000 esi=00000000 edi=55555555
eip=6263c906 esp=0680e49c ebp=0a4a00d0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
php7!zif_str_repeat+0x76:
6263c906 c70601000000    mov     dword ptr [esi],1    ds:002b:00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:6263c906 mov dword ptr [esi],1

Basic Block:
    6263c906 mov dword ptr [esi],1
       Tainted Input operands: 'esi'
    6263c90c mov dword ptr [esi+4],6
    6263c913 mov dword ptr [esi+8],0
    6263c91a mov dword ptr [esi+0ch],ebx
    6263c91d mov ecx,dword ptr [esp+0ch]
    6263c921 mov edx,dword ptr [esp+10h]
    6263c925 mov edi,dword ptr [ecx+0ch]
    6263c928 mov eax,edi
    6263c92a imul eax,edx
    6263c92d mov dword ptr [esp+14h],eax
    6263c931 cmp edi,1
    6263c934 jne php7!zif_str_repeat+0xba (6263c94a)

Exception Hash (Major/Minor): 0xde5931c9.0xdf3ae42d

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_str_repeat+0x76
Major+Minor : php7!execute_ex+0xfb
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!zend_execute_scripts+0xe7
Major+Minor : php7!php_execute_script+0x372
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Excluded    : ntdll_77600000!RtlInitializeExceptionChain+0x8f
Excluded    : ntdll_77600000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x000000006263c906
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.10\ext\standard\string.c
Source Line: 5031

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!zif_str_repeat+0x0000000000000076 (Hash=0xde5931c9.0xdf3ae42d)

User mode write access violations that are near NULL are unknown.

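The dump above shows the stores of 1, 6, 0 and ebx (0x55555555, the requested length) all going through esi=0: the pointer the allocator returned was used to initialise the string header without ever being checked for NULL. The following is an added C model of that failure mode, not PHP's code; mini_string, safe_alloc, init_header and the repeat_* functions are constructed stand-ins for zend_string and zend_string_safe_alloc, and raw_alloc is swappable so the out-of-memory path can be exercised without a real 1.4 GB request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed miniature of a refcounted string header; not PHP's real zend_string. */
typedef struct { uint32_t refcount; uint32_t type; size_t len; char val[]; } mini_string;

/* Raw allocator behind the "safe" wrapper. It is swappable so a test can make it
 * return NULL, as a 32-bit process does for a ~1.4 GB request with the Zend MM off. */
static void *(*raw_alloc)(size_t) = malloc;

/* Overflow-checked allocation of nmemb*size+offset bytes. Guards the multiplication,
 * but passes a NULL from raw_alloc straight back to the caller. */
static void *safe_alloc(size_t nmemb, size_t size, size_t offset)
{
    if (size != 0 && nmemb > (SIZE_MAX - offset) / size) return NULL;
    return raw_alloc(nmemb * size + offset);
}

/* Sets the header the way the crash dump shows: refcount=1 at [ptr], type=6 at
 * [ptr+4], then len. On a NULL pointer the first store faults at address 0. */
static mini_string *init_header(mini_string *s, size_t len)
{
    s->refcount = 1;
    s->type = 6;
    s->len = len;
    s->val[len] = '\0';
    return s;
}

/* Unchecked (the reported pattern): trusts the allocator never to return NULL. */
static mini_string *repeat_unchecked(const char *in, size_t in_len, size_t mult)
{
    mini_string *s = safe_alloc(in_len, mult, sizeof(mini_string) + 1);
    init_header(s, in_len * mult);              /* NULL deref if allocation failed */
    for (size_t i = 0; i < mult; i++) memcpy(s->val + i * in_len, in, in_len);
    return s;
}

/* Hardened: the allocation result is tested before anything is stored through it. */
static mini_string *repeat_checked(const char *in, size_t in_len, size_t mult)
{
    mini_string *s = safe_alloc(in_len, mult, sizeof(mini_string) + 1);
    if (s == NULL) return NULL;                 /* overflow or out of memory */
    init_header(s, in_len * mult);
    for (size_t i = 0; i < mult; i++) memcpy(s->val + i * in_len, in, in_len);
    return s;
}

static void *failing_alloc(size_t n) { (void)n; return NULL; } /* always-fail allocator */
```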

History
 [2016-09-05 21:01 UTC] stas@php.net
-Status: Open +Status: Feedback -Type: Security +Type: Bug
 [2016-09-05 21:01 UTC] stas@php.net
Unable to reproduce on my machine. Unfortunately, I don't have Windows, so I'm not sure what is going on there. Is it reproducible on any Unix system?
 [2016-09-18 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Apr 24 20:01:32 2024 UTC