Bug #73473 Stack Buffer Overflow in msgfmt_parse_message
Submitted: 2016-11-07 10:40 UTC Modified: 2017-07-18 05:39 UTC
From: emmanuel dot law at gmail dot com Assigned: stas
Status: Closed Package: intl (PECL)
PHP Version: 7.0.12 OS: *
Private report: No CVE-ID:
 [2016-11-07 10:40 UTC] emmanuel dot law at gmail dot com
Description:
------------
There exists a stack overflow when parsing locale in msgfmt_parse_message(). The vulnerability is being triggered in line 142 where an overly long slocale is being passed into libicu's umsg_open().

//php-7.0.12/ext/intl/msgformat/msgformat_parse.c
90 PHP_FUNCTION( msgfmt_parse_message )
91 {
92     UChar      *spattern = NULL;
93     int         spattern_len = 0;
....
141     /* Create an ICU message formatter. */
142     MSG_FORMAT_OBJECT(mfo) = umsg_open(spattern, spattern_len, slocale, NULL, &INTL_DATA_ERROR_CODE(mfo));





Test script:
---------------
<?php
 ini_set('memory_limit', -1);
 
 $boom  = str_repeat("A",2147483647+1);
 msgfmt_parse_message($boom,"ABC","EFG");

Actual result:
--------------
./php-7.0.12 test.php
Segmentation fault

====Digging into GDB====

gdb-peda$ continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV

gdb-peda$ backtrace
#0  __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:241
#1  0x00007ffff382368c in strcpy (__src=0x7fff6d400018 'A' <repeats 200 times>...,
    __dest=0x7fffffffa29d 'A' <repeats 200 times>...)
    at /usr/include/x86_64-linux-gnu/bits/string3.h:104
#2  icu_52::Locale::Locale (this=0x7fffffffa420,
    newLanguage=0x7fff6d400018 'A' <repeats 200 times>..., newCountry=0x0,
    newVariant=0x0, newKeywords=0x0) at locid.cpp:336
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
.......
.....
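
The backtrace shows the locale argument reaching a strcpy() into a fixed-size destination. The sketch below is an added example, not part of the report or of php-src, and contrasts that pattern with a length check made at the API boundary. The struct, the function names and the buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this sketch; not taken from ICU or php-src. */
#define LOCALE_BUF_SIZE 157
#define MAX_LOCALE_LEN  (LOCALE_BUF_SIZE - 1)

/* Hypothetical stand-in for a callee that keeps the locale in a fixed buffer. */
struct locale_id {
    char name[LOCALE_BUF_SIZE];
};

/* The pattern visible in the backtrace: strcpy() of caller-supplied input
 * into a fixed-size destination. Shown for contrast; main() never calls it. */
void locale_init_unchecked(struct locale_id *loc, const char *s)
{
    strcpy(loc->name, s); /* writes past name[] once strlen(s) >= LOCALE_BUF_SIZE */
}

/* Hardened form: validate at the API boundary, before the callee sees the data.
 * len stays a size_t so a 2^31-byte argument cannot wrap to a negative int. */
int locale_init_checked(struct locale_id *loc, const char *s, size_t len)
{
    if (loc == NULL || s == NULL || len > MAX_LOCALE_LEN)
        return -1;                      /* too long for the fixed buffer */
    if (memchr(s, '\0', len) != NULL)
        return -1;                      /* embedded NUL: len and strlen() disagree */
    memcpy(loc->name, s, len);
    loc->name[len] = '\0';
    return 0;
}

int main(void)
{
    static char big[4096];              /* constructed oversized input */
    struct locale_id loc;

    memset(big, 'A', sizeof big - 1);
    printf("en_US  -> %d\n", locale_init_checked(&loc, "en_US", 5));
    printf("4095 A -> %d\n", locale_init_checked(&loc, big, sizeof big - 1));
    return 0;
}
```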

 [2016-11-07 10:49 UTC] emmanuel dot law at gmail dot com
Here's my proposed patch:

https://gist.github.com/libnex/4f3382725b4020763af64c9a5e6acf5e
 [2016-11-18 14:41 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:41 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-18 15:45 UTC] emmanuel dot law at gmail dot com
Isn't this similar to bug #73218 which was considered a security bug? Just wondering.
 [2017-06-02 22:01 UTC] nikic@php.net
@krakjoe: The security policy could use some clarification as to how length overflow bugs are classified. Right now both "low severity" and "not a security issue" could apply and I don't think we're handling these consistently.
 [2017-06-02 22:06 UTC] nikic@php.net
Automatic comment on behalf of emmanuel.law@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Log: Fixed bug #73473: Stack Buffer Overflow in msgfmt_parse_message
 [2017-06-02 22:06 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2017-07-17 22:55 UTC] emmanuel dot law at gmail dot com
MITRE has assigned this CVE-2017-11362

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
 [2017-07-18 05:39 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2017-07-18 05:39 UTC] stas@php.net
I have no idea why this one was issued a CVE, it's not a security issue. Looks like the practice of assigning CVEs to projects without any consultation with developers continues. Sigh.
 
Last updated: Tue Aug 29 15:01:52 2017 UTC