Bug #73190 memcpy negative parameter _bc_new_num_ex
Submitted: 2016-09-28 03:58 UTC Modified: 2017-02-13 01:15 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: BC math related
PHP Version: 5.6.26 OS: Linux
Private report: No CVE-ID:
 [2016-09-28 03:58 UTC] fernando at null-life dot com
Description:
------------
When the scale parameter value in _bc_new_num_ex is large enough (0x7fffffff), the memset function receives a negative size parameter.

Affected functions: bcsub, bcadd

----------------------------------------------
Source code:
https://github.com/php/php-src/blob/master/ext/bcmath/libbcmath/src/init.c#L47

bc_num
_bc_new_num_ex (length, scale, persistent)
     int length, scale, persistent;
{
...
  temp->n_ptr = (char *) safe_pemalloc (1, length, scale, persistent);
  if (temp->n_ptr == NULL) bc_out_of_memory();
  temp->n_value = temp->n_ptr;
  memset (temp->n_ptr, 0, length+scale);     /* 1 + 0x7fffffff = -2147483648 */
  return temp;
}


GDB output:

gdb -q --args /home/operac/build4/bin/php -n poc.php
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (__asan_report_error) pending.
Reading symbols from /home/operac/build4/bin/php...done.
gdb-peda$ b _bc_new_num_ex
Breakpoint 2 at 0x7de0a0: _bc_new_num_ex. (4 locations)
gdb-peda$ r
...
Breakpoint 3, _bc_new_num_ex (length=length@entry=0x1, scale=scale@entry=0x7fffffff, persistent=persistent@entry=0x0)
    at /home/operac/build4/php-src/ext/bcmath/libbcmath/src/init.c:72
72	  memset (temp->n_ptr, 0, length+scale);
gdb-peda$ p length
$1 = 0x1
gdb-peda$ p scale
$2 = 0x7fffffff
gdb-peda$ p length+scale
$3 = 0x80000000
gdb-peda$ p/d length+scale
$4 = -2147483648
gdb-peda$ b memset
...
Breakpoint 3, 0x00007ffff6ef6d10 in memset () from /usr/lib/x86_64-linux-gnu/libasan.so.2
gdb-peda$ p/d $rdx
$6 = -2147483648
gdb-peda$ p $rdx
$7 = 0xffffffff80000000

Test script:
---------------
<?php

ini_set('memory_limit', -1);
error_reporting(0);

bcsub("1", "1", 0x7fffffff);

Expected result:
----------------
No crash

Actual result:
--------------
==12357==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x7fce87d4dc69 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc69)
    #1 0x7de3ef in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x7de3ef in _bc_new_num_ex /home/operac/build4/php-src/ext/bcmath/libbcmath/src/init.c:72
    #3 0x7e1f60 in bc_sub /home/operac/build4/php-src/ext/bcmath/libbcmath/src/sub.c:75
    #4 0x7d660e in zif_bcsub /home/operac/build4/php-src/ext/bcmath/bcmath.c:286
    #5 0x1d8a4d8 in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build4/php-src/Zend/zend_vm_execute.h:586
    #6 0x1b9eb6e in execute_ex /home/operac/build4/php-src/Zend/zend_vm_execute.h:414
    #7 0x1e4f956 in zend_execute /home/operac/build4/php-src/Zend/zend_vm_execute.h:458
    #8 0x199d4bc in zend_execute_scripts /home/operac/build4/php-src/Zend/zend.c:1427
    #9 0x17102a7 in php_execute_script /home/operac/build4/php-src/main/main.c:2494
    #10 0x1e579e2 in do_cli /home/operac/build4/php-src/sapi/cli/php_cli.c:974
    #11 0x46dfd4 in main /home/operac/build4/php-src/sapi/cli/php_cli.c:1344
    #12 0x7fce857a682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x46e6a8 in _start (/home/operac/build4/bin/php+0x46e6a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==12357==ABORTING
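Added example (not the reporter's code and not the php-src fix): it reproduces the int wrap seen in the GDB session and pairs it with a range check that rejects the length/scale combination before anything is allocated or cleared. The function names are my own, and the wrap arithmetic assumes a 32-bit two's-complement int widened to a 64-bit size_t.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size memset would actually receive when two int operands overflow.
 * The original code adds length and scale as ints, so 1 + 0x7fffffff
 * wraps to INT_MIN and is then sign-extended into the size_t argument. */
size_t bug_memset_size(int length, int scale)
{
    long long sum = (long long)length + scale;   /* widen to avoid UB here */
    if (sum > INT_MAX)
        sum -= 4294967296LL;                     /* two's-complement wrap */
    int as_int = (int)sum;                       /* -2147483648 in the report */
    return (size_t)as_int;                       /* 0xffffffff80000000 on LP64 */
}

/* Hardened variant (assumption, my own check): refuse any pair whose sum
 * is not representable as int, so the later memset can never wrap.
 * Returns NULL for invalid input or allocation failure. */
char *checked_new_num(int length, int scale, size_t *out_size)
{
    if (length < 0 || scale < 0 || scale > INT_MAX - length)
        return NULL;                             /* caller reports bad scale */
    size_t total = (size_t)length + (size_t)scale;
    char *p = malloc(total);
    if (p == NULL)
        return NULL;
    memset(p, 0, total);
    if (out_size)
        *out_size = total;
    return p;
}

int main(void)
{
    printf("wrapped memset size: 0x%zx\n", bug_memset_size(1, 0x7fffffff));
    printf("checked alloc rejects: %s\n",
           checked_new_num(1, 0x7fffffff, NULL) == NULL ? "yes" : "no");
    return 0;
}
```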

History

 [2016-10-03 07:09 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-03 07:09 UTC] stas@php.net
The fix is in the security repo as 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 and in https://gist.github.com/8d81ffd7128a2b805b6007ce415cd496

Please verify.
 [2016-10-03 07:10 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 18:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 18:12 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85998b2a7ec2424a5dd7ccbfdb328e4c2c38fb31
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2017-02-13 01:15 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Jun 22 18:02:00 2017 UTC