Bug #73496 Invalid memory access in zend_inline_hash_func
Submitted: 2016-11-11 08:43 UTC Modified: 2017-02-12 12:58 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Open Package: Filter related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID:

 [2016-11-11 08:43 UTC] ahihibughunter at gmail dot com
Description:
------------
In function php_stream_filter_create, filtername has a very large value and causes a crash in zend_hash_str_find_ptr.

PHPAPI php_stream_filter *php_stream_filter_create(const char *filtername, zval *filterparams, int persistent)
{
	......

	n = (int)strlen(filtername);     <-       filtername has very large value

	if (NULL != (factory = zend_hash_str_find_ptr(filter_hash, filtername, n))) {   <- crash here  
		filter = factory->create_filter(filtername, filterparams, persistent);
    ....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('a', 0x8fffff00);
stream_filter_register($str,$str);
$fd = fopen('php://memory','w');
$filter = stream_filter_append($fd, $str);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
Program received signal SIGSEGV, Segmentation fault.
0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
330			hash = ((hash << 5) + hash) + *str++;
(gdb) bt
#0  0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
#1  0x0000000000a1fb89 in zend_hash_str_find (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.c:1998
#2  0x0000000000995b73 in zend_hash_str_find_ptr (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.h:697
#3  0x0000000000996623 in php_stream_filter_create (filtername=0x7fff5c800018 'a' <repeats 200 times>..., filterparams=0x0, persistent=0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/streams/filter.c:260
#4  0x0000000000929e04 in apply_filter_to_stream (append=1, execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1157
#5  0x0000000000929ff4 in zif_stream_filter_append (execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1212
#6  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#7  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#8  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#9  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#10 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#11 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#12 0x0000000000ad18aa in main (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344



History

 [2016-11-18 14:40 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:40 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-19 01:01 UTC] ahihibughunter at gmail dot com
Hi krakjoe, be fair please, you changed the rules before I reported this, or at least give me a bounty for this. Thanks.
 [2016-11-19 01:16 UTC] ahihibughunter at gmail dot com
I mean after. Thanks
 [2016-11-19 15:30 UTC] rasmus@php.net
We don't have any bug bounties.
Last updated: Tue Mar 28 19:01:48 2017 UTC