Bug #74577 Memory corruption in zend_string_extend
Submitted: 2017-05-12 06:33 UTC Modified: 2017-05-12 06:46 UTC
From: whitehat002 at hotmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None
 [2017-05-12 06:33 UTC] whitehat002 at hotmail dot com
Description:
------------
This bug only exists in PHP 7. This can result in denial of service or other problems.

Test script:
---------------
<?php
// Lift the memory limit so a string of roughly 2 GiB can be allocated.
ini_set('memory_limit',-1);
$a=str_repeat("a",0x7ffffe00); // length just under 2^31 bytes
$a.=$a; // concatenation doubles the length to 0xfffffc00 (see len= in the backtrace)

Expected result:
----------------
no crash 

Actual result:
--------------
[----------------------------------registers-----------------------------------]
EAX: 0xfffffc00 
EBX: 0xb7013050 --> 0x36c00000 
ECX: 0x80000000 
EDX: 0x36c00010 
ESI: 0xb7013050 --> 0x36c00000 
EDI: 0x36c00000 
EBP: 0x7ffffe00 
ESP: 0xbfffc080 --> 0x0 
EIP: 0x83b7b09 (<concat_function+393>:	mov    DWORD PTR [edi+0x8],0x0)
EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x83b7b00 <concat_function+384>:	mov    edi,eax
   0x83b7b02 <concat_function+386>:	mov    eax,DWORD PTR [esp+0x18]
   0x83b7b06 <concat_function+390>:	lea    edx,[edi+0x10]
=> 0x83b7b09 <concat_function+393>:	mov    DWORD PTR [edi+0x8],0x0
   0x83b7b10 <concat_function+400>:	mov    DWORD PTR [esp+0x2c],edx
   0x83b7b14 <concat_function+404>:	mov    DWORD PTR [edi+0xc],eax
   0x83b7b17 <concat_function+407>:	jmp    0x83b7a56 <concat_function+214>
   0x83b7b1c <concat_function+412>:	mov    ecx,DWORD PTR [esp+0x20]
[------------------------------------stack-------------------------------------]
0000| 0xbfffc080 --> 0x0 
0004| 0xbfffc084 --> 0x5 
0008| 0xbfffc088 --> 0xbfffc1a8 --> 0x1 
0012| 0xbfffc08c --> 0xbfffc110 --> 0xb70543f0 --> 0xb70543d8 --> 0xb70543a8 --> 0xb7054420 (--> ...)
0016| 0xbfffc090 --> 0xb705e320 --> 0x0 
0020| 0xbfffc094 --> 0x7ffffe00 
0024| 0xbfffc098 --> 0xfffffc00 
0028| 0xbfffc09c --> 0xb7013050 --> 0x36c00000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000)
    at /root/php-7.1.5/Zend/zend_string.h:210
210				zend_string_forget_hash_val(ret);
gdb-peda$ bt
#0  zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000)
    at /root/php-7.1.5/Zend/zend_string.h:210
#1  concat_function (result=0xb7013050, op1=0xb7013050, op2=0xb7013050)
    at /root/php-7.1.5/Zend/zend_operators.c:1759
#2  0x08439dba in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x83b7980 <concat_function>, execute_data=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:44196
#3  0x0840969e in execute_ex (ex=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:432
#4  0x08457abf in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:474
#5  0x083c1890 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /root/php-7.1.5/Zend/zend.c:1476
#6  0x08362cad in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.5/main/main.c:2537
#7  0x08459bd4 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:993
#8  0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#9  0xb791daf3 in __libc_start_m
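
As an added illustration (not code from the report or from PHP), this C model reproduces the arithmetic behind the lengths above on a 32-bit build: the two 0x7ffffe00-byte operands sum to 0xfffffc00 without wrapping, so a check on the sum alone passes, yet rounding that length up to an allocation size wraps to 0. The 16-byte header, 8-byte alignment and 4 KiB page rounding are assumptions of the model, not PHP's actual constants; the hardened check bounds the length before any addition takes place.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit build, as in the report (32-bit registers, 4-byte size_t).
 * Assumed layout for this illustration, not PHP's real constants: a 16-byte
 * header, the payload, a NUL byte, 8-byte alignment, and huge requests
 * rounded up to a 4 KiB page. */
typedef uint32_t size32_t;
#define HDR_SIZE 16u
#define PAGE_SZ  4096u
#define ALIGN_UP(n, a) (((n) + ((a) - 1u)) & ~((a) - 1u))

/* The check a concatenation typically performs: it only detects the case
 * where op1_len + op2_len itself wraps the 32-bit length. */
static bool sum_wraps(size32_t op1_len, size32_t op2_len) {
    return (size32_t)(op1_len + op2_len) < op1_len;
}

/* Allocation size derived from the length, computed entirely in 32 bits.
 * For len = 0xfffffc00 the page rounding carries out of bit 31 and the
 * request collapses to 0 bytes even though the sum check above passed. */
static size32_t naive_alloc_size(size32_t len) {
    size32_t aligned = ALIGN_UP(HDR_SIZE + len + 1u, 8u);
    return ALIGN_UP(aligned, PAGE_SZ);
}

/* Hardened bound: a length beyond which the rounded allocation size could
 * wrap. Tested before any addition so the comparison itself cannot wrap. */
#define MAX_LEN (UINT32_MAX - PAGE_SZ - HDR_SIZE - 1u)

static bool concat_len_ok(size32_t op1_len, size32_t op2_len) {
    if (op2_len > MAX_LEN) return false;
    return op1_len <= MAX_LEN - op2_len;
}

int main(void) {
    size32_t n = 0x7ffffe00u;   /* str_repeat("a", 0x7ffffe00) */
    size32_t total = n + n;     /* $a .= $a */
    printf("sum wraps: %s, result_len = 0x%08x\n",
           sum_wraps(n, n) ? "yes" : "no", total);
    printf("naive alloc size = 0x%08x\n", naive_alloc_size(total));
    printf("hardened check: %s\n",
           concat_len_ok(n, n) ? "accepted" : "rejected (String size overflow)");
    return 0;
}
```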

 [2017-05-12 06:46 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2017-05-12 06:46 UTC] requinix@php.net
Duplicate of bug #73122
 [2018-02-28 18:34 UTC] contacto at agora-security dot com
Hello,

Has this issue been fixed?
I don't see any reference to it in the Changelog:
http://www.php.net/ChangeLog-7.php#7.1.5
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Apr 06 11:01:25 2020 UTC