Bug #73634 grapheme_strpos illegal memory access
Submitted: 2016-12-01 15:06 UTC Modified: 2017-01-16 09:19 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: intl (PECL)
PHP Version: 7.0.13 OS: Linux
Private report: No CVE-ID:
 [2016-12-01 15:06 UTC] fernando at null-life dot com
Description:
------------
A negative offset parameter combined with a big haystack string causes an illegal memory access in the zend_memnstr_ex function, reached through grapheme_strpos.


Source code:
https://github.com/php/php-src/blob/PHP-7.0.14/Zend/zend_operators.c#L2923


ZEND_API const char* ZEND_FASTCALL zend_memnstr_ex(const char *haystack, const char *needle, size_t needle_len, const char *end) /* {{{ */
{
        unsigned int td[256];
        register size_t i;
        register const char *p;

        if (needle_len == 0 || (end - haystack) == 0) {
                return NULL;
        }

        zend_memnstr_ex_pre(td, needle, needle_len, 0);

        p = haystack;
        end -= needle_len;

        while (p <= end) {
                for (i = 0; i < needle_len; i++) {
                        if (needle[i] != p[i]) {                // Illegal memory access
                                break;
                        }
                }
                if (i == needle_len) {
                        return p;
                }
                if (UNEXPECTED(p == end)) {
                        return NULL;
                }
                p += td[(unsigned char)(p[needle_len])];
        }

        return NULL;
}


GDB output:

LD_LIBRARY_PATH=/home/operac/icu58/lib USE_ZEND_ALLOC=1 ASAN_OPTIONS=detect_leaks=0 gdb -q --args /home/operac/build5/bin/php -dextension=/home/operac/build5/lib/php/20151012-debug/intl.so -n poc.php
Reading symbols from /home/operac/build5/bin/php...done.
(gdb) r
Starting program: /home/operac/build5/bin/php -dextension=/home/operac/build5/lib/php/20151012-debug/intl.so -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000e3e188 in zend_memnstr_ex (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD", needle_len=4,
    end=0x7fffec200013 "1111") at /home/operac/build5/php-src/Zend/zend_operators.c:2923
2923                            if (needle[i] != p[i]) {
(gdb) bt
#0  0x0000000000e3e188 in zend_memnstr_ex (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD",
    needle_len=4, end=0x7fffec200013 "1111") at /home/operac/build5/php-src/Zend/zend_operators.c:2923
#1  0x00007fffeef1ff55 in zend_memnstr (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD", needle_len=4,
    end=0x7fffec200017 "") at /home/operac/build5/php-src/Zend/zend_operators.h:182
#2  0x00007fffeef208f7 in zif_grapheme_strpos (execute_data=0x7fffef213100, return_value=0x7fffef2130f0)
    at /home/operac/build5/php-src/ext/intl/grapheme/grapheme_string.c:142
#3  0x0000000000f277dd in ZEND_DO_ICALL_SPEC_HANDLER () at /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
#4  0x0000000000f26873 in execute_ex (ex=0x7fffef213030) at /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
#5  0x0000000000f26aee in zend_execute (op_array=0x7fffef280000, return_value=0x0) at /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
#6  0x0000000000e49c67 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/operac/build5/php-src/Zend/zend.c:1427
#7  0x0000000000d0b9d9 in php_execute_script (primary_file=0x7fffffffd010) at /home/operac/build5/php-src/main/main.c:2494
#8  0x0000000001058a1d in do_cli (argc=4, argv=0x60400000de90) at /home/operac/build5/php-src/sapi/cli/php_cli.c:974
#9  0x000000000105a82d in main (argc=4, argv=0x60400000de90) at /home/operac/build5/php-src/sapi/cli/php_cli.c:1344



Test script:
---------------
<?php
ini_set('memory_limit', -1);

$v1=str_repeat("1", 0x8fffffff);
grapheme_strpos($v1, "ABCD", -2);

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==16336==ERROR: AddressSanitizer: SEGV on unknown address 0x7f600de00015 (pc 0x000000e3e188 bp 0x7ffcfa5b0050 sp 0x7ffcfa5afb90 T0)
    #0 0xe3e187 in zend_memnstr_ex /home/operac/build5/php-src/Zend/zend_operators.c:2923
    #1 0x7f6110b1ff54 in zend_memnstr /home/operac/build5/php-src/Zend/zend_operators.h:182
    #2 0x7f6110b208f6 in zif_grapheme_strpos /home/operac/build5/php-src/ext/intl/grapheme/grapheme_string.c:142
    #3 0xf277dc in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
    #4 0xf26872 in execute_ex /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
    #5 0xf26aed in zend_execute /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
    #6 0xe49c66 in zend_execute_scripts /home/operac/build5/php-src/Zend/zend.c:1427
    #7 0xd0b9d8 in php_execute_script /home/operac/build5/php-src/main/main.c:2494
    #8 0x1058a1c in do_cli /home/operac/build5/php-src/sapi/cli/php_cli.c:974
    #9 0x105a82c in main /home/operac/build5/php-src/sapi/cli/php_cli.c:1344
    #10 0x7f61166dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x430a88 in _start (/home/operac/build5/bin/php+0x430a88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build5/php-src/Zend/zend_operators.c:2923 zend_memnstr_ex
==16336==ABORTING


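Added example, not code from the report or from php-src: the crash shows an offset into the haystack resolved into a pointer that lies outside the buffer (in the backtrace the haystack argument is far below the "end" argument, more than the 0x8fffffff-byte string length away), and zend_memnstr_ex then dereferences it. The code below shows the defensive pattern: resolve a PHP-style offset (negative counts from the end) with full-width unsigned arithmetic and reject anything outside [0, haystack_len] before any pointer is formed, then search only within the remaining bytes. The narrowed_offset helper is a labelled illustration of what a 32-bit narrowing of haystack_len + offset does for the report's values (0x8fffffff, -2); whether php-src narrowed exactly this way is an inference from the addresses on this page, not something the report states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Resolve a PHP-style offset against a haystack of haystack_len bytes.
 * Negative offsets count back from the end. Returns true and stores the
 * absolute start index when 0 <= start <= haystack_len, false otherwise.
 * All arithmetic is done in 64-bit/size_t width; nothing is narrowed. */
bool resolve_offset(size_t haystack_len, int64_t offset, size_t *start)
{
    if (offset < 0) {
        /* magnitude of a negative offset without overflowing on INT64_MIN */
        uint64_t back = (uint64_t)(-(offset + 1)) + 1u;
        if (back > haystack_len) {
            return false;           /* would point before the buffer */
        }
        *start = haystack_len - (size_t)back;
    } else {
        if ((uint64_t)offset > haystack_len) {
            return false;           /* would point past the buffer */
        }
        *start = (size_t)offset;
    }
    return true;
}

/* Convenience wrapper for callers that want a single return value:
 * the resolved start, or SIZE_MAX when the offset is out of range. */
size_t resolved_or_max(size_t haystack_len, int64_t offset)
{
    size_t start;
    return resolve_offset(haystack_len, offset, &start) ? start : SIZE_MAX;
}

/* Search for needle in haystack[start .. haystack_len) without ever forming
 * a pointer outside the buffer. Returns the byte index of the match or -1. */
int64_t find_from(const char *haystack, size_t haystack_len,
                  const char *needle, size_t needle_len, int64_t offset)
{
    size_t start;
    if (!resolve_offset(haystack_len, offset, &start)) {
        return -1;
    }
    /* remaining bytes must hold the whole needle; this also rules out
     * needle_len == 0 matching "at" the end */
    if (needle_len == 0 || needle_len > haystack_len - start) {
        return -1;
    }
    for (size_t i = start; i + needle_len <= haystack_len; i++) {
        if (memcmp(haystack + i, needle, needle_len) == 0) {
            return (int64_t)i;
        }
    }
    return -1;
}

/* Illustration only (hypothetical, not php-src): what happens when the
 * resolved offset is stored in a 32-bit signed integer. For the report's
 * values, haystack_len 0x8fffffff and offset -2, the sum 0x8ffffffd does
 * not fit in int32_t and comes out negative, so haystack + offset would
 * point ~1.8 GB before the buffer. */
int32_t narrowed_offset(size_t haystack_len, int64_t offset)
{
    int64_t resolved = (int64_t)haystack_len + offset;
    return (int32_t)(uint32_t)resolved;   /* wraps on the usual two's-complement ABI */
}
```

The check in resolve_offset is the piece that matters: the offset is validated against the length while both are still full-width values, and only then is a pointer derived from it. Any function that accepts a user-controlled offset and passes haystack + offset to a raw memory search needs the equivalent guard in front of it.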
History

 [2017-01-16 09:19 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-01-16 09:19 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c44d07fd485a8e8d62bc6e4fe14bec5493ebc58
Log: Fix bug #73634 - grapheme_strpos illegal memory access
 [2017-01-16 09:19 UTC] stas@php.net
-Status: Open +Status: Closed
 [2017-06-20 20:29 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=18b6de7a91859df736781a3ea0bd248b94a9a6df
Log: Fix bug #73634 - grapheme_strpos illegal memory access
 [2017-06-21 04:33 UTC] sixd@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=18b6de7a91859df736781a3ea0bd248b94a9a6df
Log: Fix bug #73634 - grapheme_strpos illegal memory access
 [2017-06-21 14:53 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5189e43b6dfe1774f8876214d2c583a64a446226
Log: Fix bug #73634 - grapheme_strpos illegal memory access
Last updated: Mon Jul 24 10:01:45 2017 UTC