Sec Bug #75457 heap-use-after-free in php7.0.25
Submitted: 2017-10-30 03:52 UTC Modified: 2019-08-26 02:44 UTC
From: idaifish at gmail dot com Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.25 OS: Linux
Private report: No CVE-ID: None
 [2017-10-30 03:52 UTC] idaifish at gmail dot com
Description:
------------
Got a crash while fuzzing php7.0.25.

It seems like a PCRE issue; I've reported it upstream.

Report: https://bugs.exim.org/show_bug.cgi?id=2184
Test script:
---------------
<?php
$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
preg_match($pattern, "hello");
?>

Expected result:
----------------
nothing

Actual result:
--------------
==70724==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000006500 at pc 0x00000073da38 bp 0x7fffe63d7010 sp 0x7fffe63d7008
READ of size 1 at 0x621000006500 thread T0
    #0 0x73da37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23
    #1 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #2 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #3 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #4 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #5 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #6 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #7 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #8 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #9 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #10 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #11 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #12 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #13 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #14 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #15 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #16 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #17 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #18 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #19 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #20 0x6d0957 in php_pcre_exec /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:6934:8
    #21 0x8cba4e in php_pcre_match_impl /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:808:11
    #22 0x8e6670 in php_do_pcre_match /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:693:2
    #23 0x2156fd4 in ZEND_DO_ICALL_SPEC_HANDLER /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:586:2
    #24 0x1f05c18 in execute_ex /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:417:7
    #25 0x1f06de9 in zend_execute /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:458:2
    #26 0x1cc2875 in zend_execute_scripts /home/idai/PHPs/php-7.0.25/Zend/zend.c:1445:4
    #27 0x19368c7 in php_execute_script /home/idai/PHPs/php-7.0.25/main/main.c:2518:14
    #28 0x2278e40 in do_cli /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:977:5
    #29 0x2275330 in main /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:1347:18
    #30 0x7f61132fd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x432128 in _start (/home/idai/Workspace/pcre/php_asan+0x432128)

0x621000006500 is located 0 bytes inside of 4096-byte region [0x621000006500,0x621000007500)
freed by thread T0 here:
    #0 0x4ea5f0 in __interceptor_cfree.localalias.0 (/home/idai/Workspace/pcre/php_asan+0x4ea5f0)
    #1 0x7f611335854a in _IO_setb (/lib/x86_64-linux-gnu/libc.so.6+0x7b54a)

previously allocated by thread T0 here:
    #0 0x4ea7a8 in malloc (/home/idai/Workspace/pcre/php_asan+0x4ea7a8)
    #1 0x7f611334a1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23 in match
==70724==ABORTING


 [2017-10-30 10:29 UTC] cmb@php.net
It seems you're using the bundled libpcre, which is a patched 8.38.
The issue might already be solved in newer PCRE versions.
 [2017-10-31 01:54 UTC] idaifish at gmail dot com
Yes, the maintainer has confirmed.
 [2017-11-01 06:47 UTC] kalle@php.net
-Status: Open +Status: Verified
 [2018-08-02 05:15 UTC] ab@php.net
We might still want to apply this for the next security releases

https://vcs.pcre.org/pcre?view=revision&revision=1638

or at least to 7.1

Thanks.
 [2019-08-16 12:45 UTC] cmb@php.net
-Status: Verified +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-08-16 12:45 UTC] cmb@php.net
Seems this ticket has been overlooked.  I've assembled a patch[1]
with the backported fix and a regression test.  Stas, would you
please commit this to the sec repo (the actual patch is for
PHP-7.1 only, the test can be merged up to master).  Apparently,
there's no CVE for the upstream bug, so I don't think we need one
either.

[1] <https://gist.github.com/cmb69/a2cdb25813925d7b6e700c219fd34074>
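An added regression-style check, not cmb's patch or the phpt test from the gist and not php-src code: it runs the reporter's pattern in a throw-away child php process so that a libpcre crash cannot take down the caller, and reports PCRE_VERSION alongside the child's outcome. It assumes the php CLI is reachable through PHP_BINARY (true when run from the CLI SAPI).

```php
<?php
// Added example, not the patch or the phpt test from the gist above.
// Runs a regex in a child php process so that a libpcre crash (such as
// the use-after-free this report describes) cannot kill the caller.
// Assumes the php CLI is available as PHP_BINARY (true for the CLI SAPI).
function pcre_regression_check(string $pattern, string $subject): array
{
    // The child does nothing except the one preg_match.
    $code = sprintf(
        'var_dump(preg_match(%s, %s));',
        var_export($pattern, true),
        var_export($subject, true)
    );
    $cmd = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($code);
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start child php');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    // Exit status 0 means libpcre returned normally; an ASan abort or a
    // signal produces a non-zero status (ASan prints its report to stderr).
    $status = proc_close($proc);
    return [
        'pcre_version' => PCRE_VERSION,
        'survived'     => $status === 0,
        'exit_status'  => $status,
        'stdout'       => trim($stdout),
        'asan_report'  => strpos($stderr, 'AddressSanitizer') !== false,
    ];
}

// The reporter's pattern and subject from the test script above.
$result = pcre_regression_check("/(((?(?C)0?=))(?!()0|.(?0)0)())/", "hello");
printf("PCRE %s: %s (exit status %d)\n",
    $result['pcre_version'],
    $result['survived'] ? 'pattern ran without crashing' : 'child process died',
    $result['exit_status']);
if ($result['asan_report']) {
    echo "AddressSanitizer reported a memory error in the child.\n";
}
```

On a build without AddressSanitizer a use-after-free may read freed memory without crashing, so a clean exit there does not prove the fix is present; run the check against an ASan build (as the reporter did) for a meaningful result.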
 [2019-08-25 06:26 UTC] stas@php.net
62cf513f8a50120254862503fc8c4c7257ae4638 in security repo, will merge soon.
 [2019-08-26 02:44 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-08-26 02:44 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 [2019-08-28 02:33 UTC] pollita@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8debe97557a1ca7adf7c564db6a78fb6a82084b5
Log: Fix #75457: heap-use-after-free in php7.0.25