php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73134 stack-buffer-overflow zend_yytnamerr (zend_language_parser.c)
Submitted: 2016-09-21 02:24 UTC Modified: 2017-08-12 16:53 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: brian dot carpenter at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.28 OS: Debian 8.5 x64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-21 02:24 UTC] brian dot carpenter at gmail dot com 
Description:
------------
Found with AFL and ASAN.

Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/php/stack-buffer-overflow-zend_yytnamerr.gz

Expected result:
----------------
Non-ASAN PHP 5.6.24-0+deb8u1 fails with:

PHP Parse error:  syntax error, unexpected ''0000000000000000000000000'' (T_CONSTANT_ENCAPSED_STRING), expecting \\ (T_NS_SEPARATOR) or ';' or '{' in /root/php-tmp/out/crashes/test00 on line 1

Actual result:
--------------
==16702==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff28181820 at pc 0x7f620bdf6020 bp 0x7fff28181390 sp 0x7fff28180b50
WRITE of size 4 at 0x7fff28181820 thread T0
    #0 0x7f620bdf601f in __interceptor_strcpy (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2f01f)
    #1 0x16b365d in zend_yytnamerr /root/php-5.6.26/Zend/zend_language_parser.c:6718
    #2 0x16b365d in yysyntax_error /root/php-5.6.26/Zend/zend_language_parser.c:3468
    #3 0x16b598e in zendparse /root/php-5.6.26/Zend/zend_language_parser.c:6499
    #4 0x16c97b1 in compile_file Zend/zend_language_scanner.l:586
    #5 0x10471ef in phar_compile_file /root/php-5.6.26/ext/phar/phar.c:3371
    #6 0x1896f10 in zend_execute_scripts /root/php-5.6.26/Zend/zend.c:1333
    #7 0x15d0eff in php_execute_script /root/php-5.6.26/main/main.c:2613
    #8 0x1e5f0f7 in do_cli /root/php-5.6.26/sapi/cli/php_cli.c:994
    #9 0x456ce2 in main /root/php-5.6.26/sapi/cli/php_cli.c:1378
    #10 0x7f620a963b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x457a1e (/root/php-5.6.26/sapi/cli/php+0x457a1e)

Address 0x7fff28181820 is located in stack of thread T0 at offset 448 in frame
    #0 0x16b3e3f in zendparse /root/php-5.6.26/Zend/zend_language_parser.c:3559

  This frame has 6 object(s):
    [32, 72) 'zendlval'
    [128, 168) 'yyval'
    [224, 264) 'tmp_znode'
    [320, 448) 'yymsgbuf' <== Memory access at offset 448 overflows this variable
    [480, 880) 'yyssa'
    [928, 8928) 'yyvsa'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strcpy
Shadow bytes around the buggy address:
  0x1000650282b0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000650282c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000650282d0: 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
  0x1000650282e0: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4
  0x1000650282f0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100065028300: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x100065028310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028330: 00 00 00 00 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2
  0x100065028340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100065028350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==16702==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-21 02:27 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:02 UTC] brian dot carpenter at gmail dot com
-PHP Version: 5.6.26 +PHP Version: 5.6.28
 [2016-11-21 20:02 UTC] brian dot carpenter at gmail dot com 
Affects 5.6.28.
 [2017-08-12 16:53 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-12 16:53 UTC] nikic@php.net 
The test case no longer exists, but I'm fairly certain that this is a duplicate of bug #70430, which was fixed in PHP 7.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 03:01:28 2024 UTC