php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73371 crash in locale_get_keywords function
Submitted: 2016-10-22 09:58 UTC Modified: 2016-11-14 11:44 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.0.13 OS:
Private report: No CVE-ID: None
 [2016-10-22 09:58 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In function locale_get_keywords:

PHP_FUNCTION( locale_get_keywords )
{
    UEnumeration*   e        = NULL;
    UErrorCode      status   = U_ZERO_ERROR;

    ...
    ...

    /* Get the keywords */
    e = uloc_openKeywords( loc_name, &status );  // crash here when loc_name larger than 2Gb
    if( e != NULL )

    ...
    ...
}

If "loc_name" is larger than 2Gb PHP 7 will crash.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    
    $str = str_repeat('a', 0x8ff00000);
    locale_get_keywords($str);
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test_collator_sort.php 
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test_collator_sort.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x61 ('a')
RBX: 0x0 
RCX: 0x7fffffffa510 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
RDX: 0x20 (' ')
RSI: 0x0 
RDI: 0x61 ('a')
RBP: 0x0 
RSP: 0x7fffffffa4c0 --> 0x7fff00616161 
RIP: 0x7ffff4351327 (<ulocimp_getLanguage_55+183>:	mov    BYTE PTR [r15],al)
R8 : 0xffff 
R9 : 0x7fffffffa524 --> 0xf42ccd2800000000 
R10: 0x672 
R11: 0x7ffff4351860 (<uloc_openKeywords_55>:	push   r12)
R12: 0x7fffffffa510 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
R13: 0x80000000 
R14: 0x7fffdb800018 ('a' <repeats 200 times>...)
R15: 0x80000000
EFLAGS: 0x10a12 (carry parity ADJUST zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x7ffff435131c <ulocimp_getLanguage_55+172>:	
    jle    0x7ffff43512f0 <ulocimp_getLanguage_55+128>
   0x7ffff435131e <ulocimp_getLanguage_55+174>:	
    call   0x7ffff436b2d0 <uprv_asciitolower_55>
   0x7ffff4351323 <ulocimp_getLanguage_55+179>:	cmp    r13d,0x2
=> 0x7ffff4351327 <ulocimp_getLanguage_55+183>:	mov    BYTE PTR [r15],al
   0x7ffff435132a <ulocimp_getLanguage_55+186>:	
    jg     0x7ffff43512f6 <ulocimp_getLanguage_55+134>
   0x7ffff435132c <ulocimp_getLanguage_55+188>:	movsx  edi,BYTE PTR [r14]
   0x7ffff4351330 <ulocimp_getLanguage_55+192>:	
    call   0x7ffff436b2d0 <uprv_asciitolower_55>
   0x7ffff4351335 <ulocimp_getLanguage_55+197>:	movsxd rdx,r13d
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa4c0 --> 0x7fff00616161 
0008| 0x7fffffffa4c8 --> 0x53debe1001879100 
0016| 0x7fffffffa4d0 --> 0x8b5b800000 
0024| 0x7fffffffa4d8 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
0032| 0x7fffffffa4e0 --> 0x7fffffffa704 --> 0x0 
0040| 0x7fffffffa4e8 --> 0x447580 (<_start>:	xor    ebp,ebp)
0048| 0x7fffffffa4f0 --> 0x7fffffffe1a0 --> 0x2 
0056| 0x7fffffffa4f8 --> 0x7fffebc14030 --> 0x7fffebc82160 --> 0xad8472 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff4351327 in ulocimp_getLanguage_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55

gdb-peda$ bt
#0  0x00007ffff4351327 in ulocimp_getLanguage_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#1  0x00007ffff43518ed in uloc_openKeywords_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006ee9e3 in zif_locale_get_keywords (
    execute_data=0x7fffebc140e0, return_value=0x7fffebc140d0)
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:721
#3  0x0000000000ad8506 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#4  0x0000000000ad7f32 in execute_ex (ex=0x7fffebc14030)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#5  0x0000000000ad8043 in zend_execute (op_array=0x7fffebc81000, 
    return_value=0x0)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#6  0x0000000000a78cfc in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#7  0x00000000009e11d5 in php_execute_script (primary_file=0x7fffffffce20)
    at /home/user/Desktop/php-7.0.12/main/main.c:2494
#8  0x0000000000b412f8 in do_cli (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#9  0x0000000000b424c6 in main (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#10 0x00007ffff38b3830 in __libc_start_main (main=0xb41cbb <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#11 0x00000000004475a9 in _start ()


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-04 03:06 UTC] stas@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6.27
 [2016-11-04 06:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 06:01 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2016-11-11 12:50 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed +Status: Assigned -PHP Version: 5.6.27 +PHP Version: 7.0.13
 [2016-11-11 12:50 UTC] nguyenluan dot vnn at gmail dot com
Still crashes in version 7.0.13. Please check it again.
 [2016-11-11 12:51 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned +Status: Open
 [2016-11-11 12:51 UTC] nguyenluan dot vnn at gmail dot com
Open this issue again.
 [2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open +Status: Closed
 [2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
Fixed in PHP 7.1.0 RC6. Please close.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC