Bug #73190 memcpy negative parameter _bc_new_num_ex
Submitted: 2016-09-28 03:58 UTC Modified: 2017-02-13 01:15 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: BC math related
PHP Version: 5.6.26 OS: Linux
Private report: No CVE-ID: None
 [2016-09-28 03:58 UTC] fernando at null-life dot com
Description:
------------
When the scale parameter value in _bc_new_num_ex is large enough (0x7fffffff), the memset function receives a negative size parameter.

Affected functions: bcsub, bcadd

----------------------------------------------
Source code:
https://github.com/php/php-src/blob/master/ext/bcmath/libbcmath/src/init.c#L47

bc_num
_bc_new_num_ex (length, scale, persistent)
     int length, scale, persistent;
{
...
  temp->n_ptr = (char *) safe_pemalloc (1, length, scale, persistent);
  if (temp->n_ptr == NULL) bc_out_of_memory();
  temp->n_value = temp->n_ptr;
  memset (temp->n_ptr, 0, length+scale);     /* 1 + 0x7fffffff = -2147483648 */
  return temp;
}


GDB output:

gdb -q --args /home/operac/build4/bin/php -n poc.php
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (__asan_report_error) pending.
Reading symbols from /home/operac/build4/bin/php...done.
gdb-peda$ b _bc_new_num_ex
Breakpoint 2 at 0x7de0a0: _bc_new_num_ex. (4 locations)
gdb-peda$ r
...
Breakpoint 3, _bc_new_num_ex (length=length@entry=0x1, scale=scale@entry=0x7fffffff, persistent=persistent@entry=0x0)
    at /home/operac/build4/php-src/ext/bcmath/libbcmath/src/init.c:72
72	  memset (temp->n_ptr, 0, length+scale);
gdb-peda$ p length
$1 = 0x1
gdb-peda$ p scale
$2 = 0x7fffffff
gdb-peda$ p length+scale
$3 = 0x80000000
gdb-peda$ p/d length+scale
$4 = -2147483648
gdb-peda$ b memset
...
Breakpoint 3, 0x00007ffff6ef6d10 in memset () from /usr/lib/x86_64-linux-gnu/libasan.so.2
gdb-peda$ p/d $rdx
$6 = -2147483648
gdb-peda$ p $rdx
$7 = 0xffffffff80000000

Test script:
---------------
<?php

ini_set('memory_limit', -1);
error_reporting(0);

bcsub("1", "1", 0x7fffffff);

Expected result:
----------------
No crash

Actual result:
--------------
==12357==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x7fce87d4dc69 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc69)
    #1 0x7de3ef in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x7de3ef in _bc_new_num_ex /home/operac/build4/php-src/ext/bcmath/libbcmath/src/init.c:72
    #3 0x7e1f60 in bc_sub /home/operac/build4/php-src/ext/bcmath/libbcmath/src/sub.c:75
    #4 0x7d660e in zif_bcsub /home/operac/build4/php-src/ext/bcmath/bcmath.c:286
    #5 0x1d8a4d8 in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build4/php-src/Zend/zend_vm_execute.h:586
    #6 0x1b9eb6e in execute_ex /home/operac/build4/php-src/Zend/zend_vm_execute.h:414
    #7 0x1e4f956 in zend_execute /home/operac/build4/php-src/Zend/zend_vm_execute.h:458
    #8 0x199d4bc in zend_execute_scripts /home/operac/build4/php-src/Zend/zend.c:1427
    #9 0x17102a7 in php_execute_script /home/operac/build4/php-src/main/main.c:2494
    #10 0x1e579e2 in do_cli /home/operac/build4/php-src/sapi/cli/php_cli.c:974
    #11 0x46dfd4 in main /home/operac/build4/php-src/sapi/cli/php_cli.c:1344
    #12 0x7fce857a682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x46e6a8 in _start (/home/operac/build4/bin/php+0x46e6a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==12357==ABORTING
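The size arithmetic the report describes, modelled as an added C example (it is neither code from the bug report nor libbcmath's own source, and it is not the fix PHP committed). The struct `bc_num_model` and the functions `bc_size_overflows`, `bc_new_num_checked`, `bc_free_num_checked` and `bc_num_is_zeroed` are illustrative names chosen here. It shows why `length + scale` wraps for the reported values and how a widened-arithmetic check in front of the memset turns the wild write into a refused allocation.

```c
/* Added example: a minimal model of the size arithmetic in _bc_new_num_ex
 * with an overflow check placed before the memset. Names below are
 * assumptions for illustration, not libbcmath's code or PHP's shipped fix. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int   n_len;    /* digits before the decimal point */
    int   n_scale;  /* digits after the decimal point */
    char *n_ptr;    /* digit storage, n_len + n_scale bytes */
} bc_num_model;

/* Returns 1 when length + scale cannot be represented as a non-negative int.
 * The original computes length+scale in int arithmetic, so 1 + 0x7fffffff
 * wraps to INT_MIN, which memset then receives as size_t 0xffffffff80000000.
 * Adding in a wider type avoids the signed-overflow UB and makes the check
 * exact. */
int bc_size_overflows(int length, int scale)
{
    if (length < 0 || scale < 0)
        return 1;
    return ((long long)length + (long long)scale) > INT_MAX;
}

/* Allocate and zero a number; refuse sizes the memset could not handle. */
bc_num_model *bc_new_num_checked(int length, int scale)
{
    if (bc_size_overflows(length, scale))
        return NULL;                        /* caller reports invalid scale */
    bc_num_model *n = calloc(1, sizeof *n);
    if (n == NULL)
        return NULL;
    size_t total = (size_t)length + (size_t)scale;
    n->n_ptr = malloc(total ? total : 1);
    if (n->n_ptr == NULL) {
        free(n);
        return NULL;
    }
    memset(n->n_ptr, 0, total);             /* total is now at most INT_MAX */
    n->n_len = length;
    n->n_scale = scale;
    return n;
}

void bc_free_num_checked(bc_num_model *n)
{
    if (n) {
        free(n->n_ptr);
        free(n);
    }
}

/* Returns 1 if every byte of the digit buffer is zero. */
int bc_num_is_zeroed(const bc_num_model *n)
{
    size_t total = (size_t)n->n_len + (size_t)n->n_scale;
    for (size_t i = 0; i < total; i++)
        if (n->n_ptr[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* The values from the report: length=1, scale=0x7fffffff. */
    printf("1 + 0x7fffffff overflows: %d\n", bc_size_overflows(1, 0x7fffffff));
    bc_num_model *bad = bc_new_num_checked(1, 0x7fffffff);
    printf("allocation refused: %s\n", bad == NULL ? "yes" : "no");
    bc_num_model *ok = bc_new_num_checked(1, 5);
    printf("normal allocation zeroed: %d\n", ok && bc_num_is_zeroed(ok));
    bc_free_num_checked(ok);
    return 0;
}
```

The check belongs before any arithmetic that feeds an allocator or memset: once `length+scale` has wrapped, `safe_pemalloc` and `memset` see different sizes (the allocator's overflow-aware sum versus a negative int converted to size_t), which is exactly the mismatch AddressSanitizer flagged as `negative-size-param`.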

Patches

Pull Requests

History

 [2016-10-03 07:09 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-03 07:09 UTC] stas@php.net
The fix is in security repo as 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 and in https://gist.github.com/8d81ffd7128a2b805b6007ce415cd496

Please verify.
 [2016-10-03 07:10 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 18:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 18:12 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85998b2a7ec2424a5dd7ccbfdb328e4c2c38fb31
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74b5662536ccdf9b7b02c495f02a27c64e27fff7
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Log: Fix bug #73190: memcpy negative parameter _bc_new_num_ex
 [2017-02-13 01:15 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 11 05:01:27 2024 UTC