Bug #73540 Invalid memory access in zif_create_function
Submitted: 2016-11-16 11:12 UTC Modified: 2021-04-28 12:51 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Wont fix Package: Unknown/Other Function
PHP Version: 5.6.28 OS: ALL
Private report: No CVE-ID: None
 [2016-11-16 11:12 UTC] ahihibughunter at gmail dot com
Description:
------------
In function zif_create_function
ZEND_FUNCTION(create_function)
{
....
	eval_code[eval_code_length++] = ')';
	eval_code[eval_code_length++] = '{';

	memcpy(eval_code + eval_code_length, function_code, function_code_len);
	eval_code_length += function_code_len;

	eval_code[eval_code_length++] = '}';  <- crashed here
	eval_code[eval_code_length] = '\0';
.....
}
The length of eval_code is increased without checking its value, which causes PHP 5 to crash.



Test script:
---------------
<?php
ini_set('memory_limit', -1);
$z  = str_repeat('a',0x7fffffff);
var_dump( uasort($array_arg, create_function('x, x',$z) ) );
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php5new/php-src-PHP-5.6.28/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
.................
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
1826		eval_code[eval_code_length++] = '}';
(gdb) bt
#0  0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
#1  0x0000000000b0bbaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:558
#2  0x0000000000b116d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:2602
#3  0x0000000000b0b212 in execute_ex (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:363
#4  0x0000000000b0b299 in zend_execute (op_array=0x7ffff7fb5348) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:388
#5  0x0000000000ac3c49 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:1341
#6  0x0000000000a24d6c in php_execute_script (primary_file=0x7fffffffc9f0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:2613
#7  0x0000000000b80a61 in do_cli (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:998
#8  0x0000000000b81dc4 in main (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb) print eval_code_length
$1 = -2147483619
(gdb) 


History

 [2016-11-16 22:01 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-16 22:01 UTC] stas@php.net
Not a security issue.
 [2021-04-28 12:51 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-04-28 12:51 UTC] cmb@php.net
create_function() is deprecated as of PHP 7.2.0, and removed as of
PHP 8.0.0, and I consider it to be highly unlikely that anybody
would try to create a function with a resulting length of SIZE_MAX
(note that eval_code_length is changed from `int` to `size_t` as
of PHP 7.0.0).
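To make the arithmetic behind the report and cmb's `int` versus `size_t` remark concrete, here is a small model written for this page; it is not PHP's code. Only the shape of the bookkeeping follows the snippet above: a counter that accumulates the generated prefix, the `){` separator, the user-supplied body, and the closing `}` plus NUL. The 27-byte prefix length and the policy cap in the hardened variant are assumptions; the prefix value is chosen because it reproduces the -2147483619 that gdb printed once the post-increment on the crashing line is taken into account.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the length bookkeeping in PHP 5.6's create_function(), written
 * for this note. It is NOT PHP's code; only the `int` counter and the order
 * of additions (prefix, "){", body, "}" + NUL) follow the report's snippet. */

/* PHP 5.6 shape: an `int` counter. Returns the counter's value right before
 * the `eval_code[eval_code_length++] = '}'` store. The 32-bit wrap is
 * emulated with explicit casts so this demo itself has no undefined behaviour. */
int eval_code_length_int(int prefix_len, size_t function_code_len)
{
    uint64_t wide = (uint64_t)prefix_len + 2 /* ')' '{' */ + function_code_len;
    uint32_t low = (uint32_t)wide;           /* modular truncation to 32 bits */
    if (low <= (uint32_t)INT32_MAX)
        return (int)(int32_t)low;
    /* Two's-complement reinterpretation without an implementation-defined cast. */
    return (int)((int32_t)(low - UINT32_C(0x80000000)) + INT32_MIN);
}

/* Is a store at eval_code[idx] inside an allocation of alloc_size bytes?
 * A negative index, which is what the wrapped counter produces, never is. */
bool store_in_bounds(int idx, size_t alloc_size)
{
    return idx >= 0 && (size_t)idx < alloc_size;
}

/* Hardened shape: size_t lengths, an explicit overflow check before each
 * addition, and a caller-supplied cap (an assumed policy, not PHP's) so an
 * oversized body is rejected instead of silently accepted.
 * Returns the total length, or 0 on overflow / over-cap (a valid total is
 * always at least 4, so 0 is unambiguous). */
size_t eval_code_length_checked(size_t prefix_len, size_t function_code_len,
                                size_t max_len)
{
    const size_t pieces[] = { 2, function_code_len, 2 }; /* "){", body, "}" + NUL */
    size_t total = prefix_len;
    if (total > max_len)
        return 0;
    for (size_t i = 0; i < sizeof pieces / sizeof pieces[0]; i++) {
        if (pieces[i] > SIZE_MAX - total)  /* total + pieces[i] would wrap */
            return 0;
        total += pieces[i];
        if (total > max_len)               /* exceeds the policy cap */
            return 0;
    }
    return total;
}

int main(void)
{
    const size_t body = 0x7fffffff;  /* str_repeat('a', 0x7fffffff) from the test script */
    const int prefix = 27;           /* assumed length of the generated "function ...(" prefix */

    int n = eval_code_length_int(prefix, body);
    printf("int counter after body: %d (post-increment: %d), store in bounds: %s\n",
           n, n + 1, store_in_bounds(n, body + 64) ? "yes" : "no");

    size_t total = eval_code_length_checked(prefix, body, (size_t)1 << 20);
    if (total == 0)
        printf("checked variant rejected a body of %zu bytes\n", body);
    return 0;
}
```

The `int` counter goes negative as soon as the body alone fills the positive range, so the `'}'` store lands roughly 2 GiB before the buffer, which is the SIGSEGV in the trace. Moving to `size_t` (as PHP 7.0 did) removes the sign problem on 64-bit builds but not the need to check each addition and to cap the total.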
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 00:01:27 2024 UTC