|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-20 16:26 UTC] stas@php.net
-Type: Security
+Type: Bug
[2017-11-13 09:53 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2017-8923
[2018-03-02 18:52 UTC] contacto at agora-security dot com
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2021 The PHP GroupAll rights reserved. |
Last updated: Mon Mar 01 20:01:24 2021 UTC |
Description: ------------ Recently I notice php has been patched several times to prevent generating negative-length string to mitigate security issue. But the concat operation can still be used to overflow the length of string. PoC ran on 32 bit version This can be patched by checking len in either: ZEND_CONCAT_*() functions in Zend_vm_execute.h or zend_string_extend() function in Zend_string.h Test script: --------------- <?php ini_set('memory_limit', -1); $a = str_repeat('a',0x7fffffff)."aa"; print strlen($a); ?> Expected result: ---------------- zend_throw_error(NULL, "String size overflow"); Actual result: -------------- ➜ bin ./php -v PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies ➜ bin ./php poc.php -2147483647# =================== on another machine with php from ubuntu's official repository: root@ubuntu-4gb-sgp1-01:~# php -v PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies root@ubuntu-4gb-sgp1-01:~# php poc.php mmap() failed: [12] Cannot allocate memory [1] 16589 segmentation fault (core dumped) php poc.php