php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73122 Integer Overflow when concatenating strings
Submitted: 2016-09-20 10:06 UTC Modified: 2017-11-13 09:53 UTC
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tloi at fortinet dot com Assigned:
Status: Open Package: Strings related
PHP Version: master-Git-2016-09-20 (Git) OS:
Private report: No CVE-ID: 2017-8923
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tloi at fortinet dot com
New email:
PHP Version: OS:

 

 [2016-09-20 10:06 UTC] tloi at fortinet dot com
Description:
------------
Recently I notice php has been patched several times to prevent generating negative-length string to mitigate security issue. But the concat operation can still be used to overflow the length of string.

PoC ran on 32 bit version

This can be patched by checking len in either:

ZEND_CONCAT_*() functions in Zend_vm_execute.h 
or
zend_string_extend() function in Zend_string.h


Test script:
---------------
<?php
ini_set('memory_limit', -1);
$a = str_repeat('a',0x7fffffff)."aa";
print strlen($a);
?>

Expected result:
----------------
zend_throw_error(NULL, "String size overflow");

Actual result:
--------------
➜  bin ./php -v
PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
➜  bin ./php poc.php
-2147483647#


===================
on another machine with php from ubuntu's official repository:
root@ubuntu-4gb-sgp1-01:~# php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
root@ubuntu-4gb-sgp1-01:~# php poc.php


mmap() failed: [12] Cannot allocate memory
[1]    16589 segmentation fault (core dumped)  php poc.php

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-20 16:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-11-13 09:53 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-8923
 [2018-03-02 18:52 UTC] contacto at agora-security dot com
Has this issue been fixed?
I don't see any reference about it in the Changelog:
http://www.php.net/ChangeLog-7.php#7.1.5
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Nov 12 18:01:32 2019 UTC