Bug #73646 mb_ereg_search_init null pointer dereference
Submitted: 2016-12-03 17:48 UTC Modified: 2016-12-09 07:55 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1.0 OS: Linux 32 bits
Private report: No CVE-ID:
 [2016-12-03 17:48 UTC] fernando at null-life dot com
Description:
------------
When a string is built with str_repeat and an invalid length, a null pointer dereference happens in the mb_ereg_search_init function.

-----------------------------

Source code:
https://github.com/php/php-src/blob/PHP-7.1/ext/mbstring/php_mbregex.c#L1384


PHP_FUNCTION(mb_ereg_search_init)
{
	size_t argc = ZEND_NUM_ARGS();
	zval *arg_str;
	char *arg_pattern = NULL, *arg_options = NULL;
	size_t arg_pattern_len = 0, arg_options_len = 0;
	OnigSyntaxType *syntax = NULL;
	OnigOptionType option;
...
	ZVAL_DUP(&MBREX(search_str), arg_str);

	if (php_mb_check_encoding(
	Z_STRVAL_P(arg_str),
	Z_STRLEN_P(arg_str),
	_php_mb_regex_mbctype2name(MBREX(current_mbctype))   // Null pointer dereference
	)) {
		MBREX(search_pos) = 0;
		RETVAL_TRUE;
	} else {
		MBREX(search_pos) = Z_STRLEN_P(arg_str);
		RETVAL_FALSE;
	}
...


GDB output:

 gdb -q --args /home/user/build2/bin/php -n poc.php
Reading symbols from /home/user/build2/bin/php...done.
(gdb) r
Starting program: /home/user/build2/bin/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Warning: str_repeat(): Second argument has to be greater than or equal to 0 in /home/user/crashes/mb_ereg_search/poc.php on line 5

Program received signal SIGSEGV, Segmentation fault.
0x08566b05 in zif_mb_ereg_search_init (execute_data=0xf1014090, return_value=0xffff9a00) at /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
1384            if (php_mb_check_encoding(
(gdb) l
1379                    zval_ptr_dtor(&MBREX(search_str));
1380            }
1381
1382            ZVAL_DUP(&MBREX(search_str), arg_str);
1383
1384            if (php_mb_check_encoding(
1385            Z_STRVAL_P(arg_str),
1386            Z_STRLEN_P(arg_str),
1387            _php_mb_regex_mbctype2name(MBREX(current_mbctype))
1388            )) {




Test script:
---------------
<?php

$v1=str_repeat("#", -1);
mb_ereg_search_init($v1);

Expected result:
----------------
No crash

Actual result:
--------------
Warning: str_repeat(): Second argument has to be greater than or equal to 0 in /home/user/crashes/mb_ereg_search/poc.php on line 5
ASAN:SIGSEGV
=================================================================
==19448==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000c (pc 0x08566b05 bp 0xffdfc2b8 sp 0xffdfc080 T0)
    #0 0x8566b04 in zif_mb_ereg_search_init /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
    #1 0x8cb669e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/user/build2/php-src/Zend/zend_vm_execute.h:628
    #2 0x8cb4ed1 in execute_ex /home/user/build2/php-src/Zend/zend_vm_execute.h:429
    #3 0x8cb51e4 in zend_execute /home/user/build2/php-src/Zend/zend_vm_execute.h:474
    #4 0x8baf604 in zend_execute_scripts /home/user/build2/php-src/Zend/zend.c:1474
    #5 0x8a47247 in php_execute_script /home/user/build2/php-src/main/main.c:2533
    #6 0x8eaec77 in do_cli /home/user/build2/php-src/sapi/cli/php_cli.c:990
    #7 0x8eb1239 in main /home/user/build2/php-src/sapi/cli/php_cli.c:1378
    #8 0xf6953636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #9 0x806f240  (/home/user/build2/bin/php+0x806f240)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384 zif_mb_ereg_search_init
==19448==ABORTING


History

 [2016-12-06 05:48 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-12-06 05:48 UTC] stas@php.net
Not a security issue.
 [2016-12-06 23:19 UTC] cmb@php.net
-Package: *Regular Expressions +Package: mbstring related
 [2016-12-06 23:26 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2016-12-06 23:26 UTC] cmb@php.net
Thanks for reporting this bug!

The crux is that mb_ereg_search_init() accepts a zval as first argument and assumes that it IS_STRING, but neither checks nor enforces this.
 [2016-12-07 18:56 UTC] fernando at null-life dot com
I think it's the same root cause, but if I supply a different value, there is an illegal memory access trying to read a memory address that I can control, and I consider it should be handled as a security bug, for example:

<?php

mb_ereg_search_init(-0x4523500e);

output:

ASAN:SIGSEGV
=================================================================
==5243==ERROR: AddressSanitizer: SEGV on unknown address 0xbadcaffe (pc 0x08566b05 bp 0xff86d9d8 sp 0xff86d7a0 T0)
    #0 0x8566b04 in zif_mb_ereg_search_init /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384
    #1 0x8cb669e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/user/build2/php-src/Zend/zend_vm_execute.h:628
    #2 0x8cb4ed1 in execute_ex /home/user/build2/php-src/Zend/zend_vm_execute.h:429
    #3 0x8cb51e4 in zend_execute /home/user/build2/php-src/Zend/zend_vm_execute.h:474
    #4 0x8baf604 in zend_execute_scripts /home/user/build2/php-src/Zend/zend.c:1474
    #5 0x8a47247 in php_execute_script /home/user/build2/php-src/main/main.c:2533
    #6 0x8eaec77 in do_cli /home/user/build2/php-src/sapi/cli/php_cli.c:990
    #7 0x8eb1239 in main /home/user/build2/php-src/sapi/cli/php_cli.c:1378
    #8 0xf6973636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #9 0x806f240  (/home/user/build2/bin/php+0x806f240)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/build2/php-src/ext/mbstring/php_mbregex.c:1384 zif_mb_ereg_search_init
==5243==ABORTING
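The two sanitizer reports above pin down which load actually faults. Both addresses are the raw contents of the zval's value slot plus 12: 0 + 0xc for the NULL returned by str_repeat(), and (uint32_t)(-0x4523500e) + 0xc = 0xbadcaff2 + 0xc = 0xbadcaffe for the integer. On a 32-bit PHP 7 build, 12 is the byte offset of the `len` field in `zend_string` (8-byte gc header, 4-byte hash, then `len`), so the crash is the `Z_STRLEN_P()` argument reading `->len` through a value that was never a string pointer, which is exactly the missing IS_STRING check cmb@php.net describes. The C below is an added illustration, not code from php-src or from the linked fix commit: `mock_zend_string`, `mock_zval`, `ilp32_strlen_read_addr()` and `take_string_arg()` are invented names that model the layout and the check, and the 32-bit offset is reproduced with `uint32_t` arithmetic so the example runs on any host without touching the bad address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mock of PHP 7's zend_string field order: refcounted header (refcount +
 * type_info), hash, length, bytes. On the reporter's 32-bit build every
 * field is 4 bytes, so `len` sits at byte offset 12 and `val` at 16. */
typedef struct {
    uint32_t  refcount;
    uint32_t  type_info;
    uintptr_t h;
    size_t    len;
    char      val[1];
} mock_zend_string;

/* Type tags as used by PHP 7 (IS_NULL, IS_LONG, IS_STRING). */
enum { MOCK_IS_NULL = 1, MOCK_IS_LONG = 4, MOCK_IS_STRING = 6 };

/* Mock zval: a value slot that is a pointer or an integer depending on `type`. */
typedef struct {
    union { intptr_t lval; mock_zend_string *str; } value;
    uint8_t type;
} mock_zval;

#define ILP32_STRLEN_OFFSET 12u  /* offsetof(len) in the 32-bit layout above (assumption) */

/* Address that Z_STRLEN_P() would load from on a 32-bit build when the value
 * slot holds `raw` instead of a real zend_string pointer. Pure arithmetic;
 * nothing is dereferenced, so this is safe to call with attacker values. */
uint32_t ilp32_strlen_read_addr(intptr_t raw) {
    return (uint32_t)raw + ILP32_STRLEN_OFFSET;
}

/* Hardened argument handling: only IS_STRING may be read through. Returns 1
 * and fills val/len on success, 0 otherwise (a real extension would raise a
 * type error or let the parameter parser reject the call). */
int take_string_arg(const mock_zval *arg, const char **val, size_t *len) {
    if (arg->type != MOCK_IS_STRING) {
        return 0;
    }
    *val = arg->value.str->val;
    *len = arg->value.str->len;
    return 1;
}

/* Helper that builds a mock string the way the zval would reference it. */
mock_zend_string *mock_string_new(const char *s) {
    size_t n = strlen(s);
    mock_zend_string *zs = malloc(sizeof *zs + n);
    zs->refcount = 1;
    zs->type_info = MOCK_IS_STRING;
    zs->h = 0;
    zs->len = n;
    memcpy(zs->val, s, n + 1);
    return zs;
}

int main(void) {
    /* PoC 1: str_repeat("#", -1) returns NULL, so the value slot is zero. */
    printf("IS_NULL argument -> Z_STRLEN_P reads 0x%08x\n", ilp32_strlen_read_addr(0));
    /* PoC 2: mb_ereg_search_init(-0x4523500e), the integer is used as a pointer. */
    printf("IS_LONG argument -> Z_STRLEN_P reads 0x%08x\n", ilp32_strlen_read_addr(-0x4523500e));

    mock_zval bad;
    bad.type = MOCK_IS_LONG;
    bad.value.lval = -0x4523500e;
    mock_zval good;
    good.type = MOCK_IS_STRING;
    good.value.str = mock_string_new("#");

    const char *v = NULL;
    size_t n = 0;
    printf("hardened path rejects IS_LONG: %d\n", take_string_arg(&bad, &v, &n) == 0);
    printf("hardened path accepts IS_STRING: %d (len=%zu)\n", take_string_arg(&good, &v, &n), n);
    free(good.value.str);
    return 0;
}
```

The practical lesson for anyone auditing an extension is the one-liner check: an internal function that parses its argument as `z` (raw zval) and then uses `Z_STRVAL_P()`/`Z_STRLEN_P()` without first testing `Z_TYPE_P() == IS_STRING` is a type confusion, and because the integer case lets the caller choose the pointer, it is a controlled read, not merely a null dereference.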
 [2016-12-09 07:56 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a43c61bcdedf54b1736e608f0919bacdba6ed00
Log: Fixed bug #73646 (mb_ereg_search_init null pointer dereference)
 [2016-12-09 07:56 UTC] laruence@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 18:01:40 2017 UTC