php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73134 stack-buffer-overflow zend_yytnamerr (zend_language_parser.c)
Submitted: 2016-09-21 02:24 UTC Modified: 2017-08-12 16:53 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: brian dot carpenter at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.28 OS: Debian 8.5 x64
Private report: No CVE-ID: None
 [2016-09-21 02:24 UTC] brian dot carpenter at gmail dot com
Description:
------------
Found with AFL and ASAN.

Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/php/stack-buffer-overflow-zend_yytnamerr.gz

Expected result:
----------------
Non-ASAN PHP 5.6.24-0+deb8u1 fails with:

PHP Parse error:  syntax error, unexpected ''0000000000000000000000000'' (T_CONSTANT_ENCAPSED_STRING), expecting \\ (T_NS_SEPARATOR) or ';' or '{' in /root/php-tmp/out/crashes/test00 on line 1

Actual result:
--------------
==16702==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff28181820 at pc 0x7f620bdf6020 bp 0x7fff28181390 sp 0x7fff28180b50
WRITE of size 4 at 0x7fff28181820 thread T0
    #0 0x7f620bdf601f in __interceptor_strcpy (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2f01f)
    #1 0x16b365d in zend_yytnamerr /root/php-5.6.26/Zend/zend_language_parser.c:6718
    #2 0x16b365d in yysyntax_error /root/php-5.6.26/Zend/zend_language_parser.c:3468
    #3 0x16b598e in zendparse /root/php-5.6.26/Zend/zend_language_parser.c:6499
    #4 0x16c97b1 in compile_file Zend/zend_language_scanner.l:586
    #5 0x10471ef in phar_compile_file /root/php-5.6.26/ext/phar/phar.c:3371
    #6 0x1896f10 in zend_execute_scripts /root/php-5.6.26/Zend/zend.c:1333
    #7 0x15d0eff in php_execute_script /root/php-5.6.26/main/main.c:2613
    #8 0x1e5f0f7 in do_cli /root/php-5.6.26/sapi/cli/php_cli.c:994
    #9 0x456ce2 in main /root/php-5.6.26/sapi/cli/php_cli.c:1378
    #10 0x7f620a963b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x457a1e (/root/php-5.6.26/sapi/cli/php+0x457a1e)

Address 0x7fff28181820 is located in stack of thread T0 at offset 448 in frame
    #0 0x16b3e3f in zendparse /root/php-5.6.26/Zend/zend_language_parser.c:3559

  This frame has 6 object(s):
    [32, 72) 'zendlval'
    [128, 168) 'yyval'
    [224, 264) 'tmp_znode'
    [320, 448) 'yymsgbuf' <== Memory access at offset 448 overflows this variable
    [480, 880) 'yyssa'
    [928, 8928) 'yyvsa'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strcpy
Shadow bytes around the buggy address:
  0x1000650282b0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000650282c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000650282d0: 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
  0x1000650282e0: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4
  0x1000650282f0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100065028300: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x100065028310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028330: 00 00 00 00 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2
  0x100065028340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==16702==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-21 02:27 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:02 UTC] brian dot carpenter at gmail dot com
-PHP Version: 5.6.26 +PHP Version: 5.6.28
 [2016-11-21 20:02 UTC] brian dot carpenter at gmail dot com
Affects 5.6.28.
 [2017-08-12 16:53 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-12 16:53 UTC] nikic@php.net
The test case no longer exists, but I'm fairly certain that this is a duplicate of bug #70430, which was fixed in PHP 7.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC