php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73610 mb_ereg illegal memory access
Submitted: 2016-11-26 04:27 UTC Modified: 2021-07-23 08:23 UTC
From: fernando at null-life dot com Assigned: nikic (profile)
Status: Closed Package: *Regular Expressions
PHP Version: 7.0.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2016-11-26 04:27 UTC] fernando at null-life dot com
Description:
------------
Pattern too long causes illegal memory access in zend_inline_hash_func, through mb_ereg function.

Source code:
https://github.com/php/php-src/blob/master/Zend/zend_string.h#L330

static zend_always_inline zend_ulong zend_inline_hash_func(const char *str, size_t len)
{
	zend_ulong hash = Z_UL(5381);

	/* variant with the hash unrolled eight times */
	for (; len >= 8; len -= 8) {
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
	}
...



GDB output:

gdb -q --args /home/operac/build5/bin/php -n poc.php
Reading symbols from /home/operac/build5/bin/php...done.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000e75b1d in zend_inline_hash_func (str=0x7fffeec02001 <error: Cannot access memory at address 0x7fffeec02001>, len=18446744069414580248) at /home/operac/build5/php-src/Zend/zend_string.h:330
330                     hash = ((hash << 5) + hash) + *str++;
(gdb) p str
$1 = 0x7fffeec02001 <error: Cannot access memory at address 0x7fffeec02001>
(gdb)



Test script:
---------------
<?php

ini_set('memory_limit', -1);

$v1=str_repeat('a', 0x80001000);
mb_ereg($v1, "a");


Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==15290==ERROR: AddressSanitizer: SEGV on unknown address 0x7f910da02000 (pc 0x000000e75b1d bp 0x7fff08e2c4b0 sp 0x7fff08e2c490 T0)
    #0 0xe75b1c in zend_inline_hash_func /home/operac/build5/php-src/Zend/zend_string.h:330
    #1 0xe85192 in zend_hash_str_find /home/operac/build5/php-src/Zend/zend_hash.c:1998
    #2 0x8b2312 in zend_hash_str_find_ptr /home/operac/build5/php-src/Zend/zend_hash.h:697
    #3 0x8b3506 in php_mbregex_compile_pattern /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:454
    #4 0x8b496f in _php_mb_regex_ereg_exec /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:727
    #5 0x8b4f4d in zif_mb_ereg /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:774
    #6 0xf277dc in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
    #7 0xf26872 in execute_ex /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
    #8 0xf26aed in zend_execute /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
    #9 0xe49c66 in zend_execute_scripts /home/operac/build5/php-src/Zend/zend.c:1427
    #10 0xd0b9d8 in php_execute_script /home/operac/build5/php-src/main/main.c:2494
    #11 0x1058a1c in do_cli /home/operac/build5/php-src/sapi/cli/php_cli.c:974
    #12 0x105a82c in main /home/operac/build5/php-src/sapi/cli/php_cli.c:1344
    #13 0x7f911366c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x430a88 in _start (/home/operac/build5/bin/php+0x430a88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build5/php-src/Zend/zend_string.h:330 zend_inline_hash_func
==15290==ABORTING




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-26 22:57 UTC] stas@php.net
-Assigned To: +Assigned To: hirokawa
 [2016-11-27 14:09 UTC] kalle@php.net
-Assigned To: hirokawa +Assigned To: stas
 [2016-11-27 14:09 UTC] kalle@php.net
Stas, hirokawa does not have security permissions so he cannot see it even if you assign it (hence the re-assign).

Side note, perhaps we need a better way to deal with such based off $security_developers in bugs-web
 [2016-11-27 22:00 UTC] stas@php.net
-Status: Assigned +Status: Open -Assigned To: stas +Assigned To:
 [2016-11-27 22:00 UTC] stas@php.net
I thought the person assigned automatically gets access to the ticket. If it's not so, it must be fixed - there's absolutely no reason to hide ticket from the person is was assigned to. I'll check the bugs code.

I'd ask to also not to assign all security issues to me since I use "Assigned" to handle issues I've already gone through, and if you assign them to me I'd think I already took care of them. If the person assigned can't handle it, and we don't have somebody who did commit to handle them or have handled them, please leave it unassigned. Otherwise it's hard to see which issues are being handled by whom.
 [2017-01-16 01:23 UTC] stas@php.net
-Assigned To: +Assigned To: hirokawa
 [2017-10-24 07:01 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: hirokawa +Assigned To:
 [2021-07-23 08:23 UTC] nikic@php.net
-Status: Open +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: nikic
 [2021-07-23 08:23 UTC] nikic@php.net
This no longer reproduces for me, might have been fixed by https://github.com/php/php-src/commit/f9cfc029a58b4fd7c71e83f330a54d3cb2d905db.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Dec 07 16:03:34 2021 UTC