PHP :: Bug #73610 :: mb_ereg illegal memory access

Bug #73610	mb_ereg illegal memory access
Submitted:	2016-11-26 04:27 UTC	Modified:	2021-07-23 08:23 UTC
From:	fernando at null-life dot com	Assigned:	nikic (profile)
Status:	Closed	Package:	*Regular Expressions
PHP Version:	7.0.13	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-11-26 04:27 UTC] fernando at null-life dot com

Description:
------------
Pattern too long causes illegal memory access in zend_inline_hash_func, through mb_ereg function.

Source code:
https://github.com/php/php-src/blob/master/Zend/zend_string.h#L330

static zend_always_inline zend_ulong zend_inline_hash_func(const char *str, size_t len)
{
	zend_ulong hash = Z_UL(5381);

	/* variant with the hash unrolled eight times */
	for (; len >= 8; len -= 8) {
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
		hash = ((hash << 5) + hash) + *str++;
	}
...



GDB output:

gdb -q --args /home/operac/build5/bin/php -n poc.php
Reading symbols from /home/operac/build5/bin/php...done.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000e75b1d in zend_inline_hash_func (str=0x7fffeec02001 <error: Cannot access memory at address 0x7fffeec02001>, len=18446744069414580248) at /home/operac/build5/php-src/Zend/zend_string.h:330
330                     hash = ((hash << 5) + hash) + *str++;
(gdb) p str
$1 = 0x7fffeec02001 <error: Cannot access memory at address 0x7fffeec02001>
(gdb)



Test script:
---------------
<?php

ini_set('memory_limit', -1);

$v1=str_repeat('a', 0x80001000);
mb_ereg($v1, "a");


Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==15290==ERROR: AddressSanitizer: SEGV on unknown address 0x7f910da02000 (pc 0x000000e75b1d bp 0x7fff08e2c4b0 sp 0x7fff08e2c490 T0)
    #0 0xe75b1c in zend_inline_hash_func /home/operac/build5/php-src/Zend/zend_string.h:330
    #1 0xe85192 in zend_hash_str_find /home/operac/build5/php-src/Zend/zend_hash.c:1998
    #2 0x8b2312 in zend_hash_str_find_ptr /home/operac/build5/php-src/Zend/zend_hash.h:697
    #3 0x8b3506 in php_mbregex_compile_pattern /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:454
    #4 0x8b496f in _php_mb_regex_ereg_exec /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:727
    #5 0x8b4f4d in zif_mb_ereg /home/operac/build5/php-src/ext/mbstring/php_mbregex.c:774
    #6 0xf277dc in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
    #7 0xf26872 in execute_ex /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
    #8 0xf26aed in zend_execute /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
    #9 0xe49c66 in zend_execute_scripts /home/operac/build5/php-src/Zend/zend.c:1427
    #10 0xd0b9d8 in php_execute_script /home/operac/build5/php-src/main/main.c:2494
    #11 0x1058a1c in do_cli /home/operac/build5/php-src/sapi/cli/php_cli.c:974
    #12 0x105a82c in main /home/operac/build5/php-src/sapi/cli/php_cli.c:1344
    #13 0x7f911366c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x430a88 in _start (/home/operac/build5/bin/php+0x430a88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build5/php-src/Zend/zend_string.h:330 zend_inline_hash_func
==15290==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-26 22:57 UTC] stas@php.net

-Assigned To: +Assigned To: hirokawa

[2016-11-27 14:09 UTC] kalle@php.net

-Assigned To: hirokawa +Assigned To: stas

[2016-11-27 14:09 UTC] kalle@php.net

Stas, hirokawa does not have security permissions so he cannot see it even if you assign it (hence the re-assign).

Side note, perhaps we need a better way to deal with such based off $security_developers in bugs-web

[2016-11-27 22:00 UTC] stas@php.net

-Status: Assigned +Status: Open -Assigned To: stas +Assigned To:

[2016-11-27 22:00 UTC] stas@php.net

I thought the person assigned automatically gets access to the ticket. If it's not so, it must be fixed - there's absolutely no reason to hide ticket from the person is was assigned to. I'll check the bugs code.

I'd ask to also not to assign all security issues to me since I use "Assigned" to handle issues I've already gone through, and if you assign them to me I'd think I already took care of them. If the person assigned can't handle it, and we don't have somebody who did commit to handle them or have handled them, please leave it unassigned. Otherwise it's hard to see which issues are being handled by whom.

[2017-01-16 01:23 UTC] stas@php.net

-Assigned To: +Assigned To: hirokawa

[2017-10-24 07:01 UTC] kalle@php.net

-Status: Assigned +Status: Open -Assigned To: hirokawa +Assigned To:

[2021-07-23 08:23 UTC] nikic@php.net

-Status: Open +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: nikic

[2021-07-23 08:23 UTC] nikic@php.net

This no longer reproduces for me, might have been fixed by https://github.com/php/php-src/commit/f9cfc029a58b4fd7c71e83f330a54d3cb2d905db.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 04:01:28 2024 UTC