Sec Bug #75457 heap-use-after-free in php7.0.25
Submitted: 2017-10-30 03:52 UTC Modified: 2019-08-26 02:44 UTC
From: idaifish at gmail dot com Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.25 OS: Linux
Private report: No CVE-ID: None
 [2017-10-30 03:52 UTC] idaifish at gmail dot com
Description:
------------
Got a crash while fuzzing php7.0.25,

It seems like a PCRE issue, I've reported to the upstream.

Report: https://bugs.exim.org/show_bug.cgi?id=2184



Test script:
---------------
<?php
$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
preg_match($pattern, "hello");
?>

Expected result:
----------------
nothing

Actual result:
--------------
==70724==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000006500 at pc 0x00000073da38 bp 0x7fffe63d7010 sp 0x7fffe63d7008
READ of size 1 at 0x621000006500 thread T0
    #0 0x73da37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23
    #1 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #2 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #3 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #4 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #5 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #6 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #7 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #8 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #9 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #10 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #11 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #12 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #13 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #14 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #15 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #16 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #17 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #18 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #19 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #20 0x6d0957 in php_pcre_exec /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:6934:8
    #21 0x8cba4e in php_pcre_match_impl /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:808:11
    #22 0x8e6670 in php_do_pcre_match /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:693:2
    #23 0x2156fd4 in ZEND_DO_ICALL_SPEC_HANDLER /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:586:2
    #24 0x1f05c18 in execute_ex /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:417:7
    #25 0x1f06de9 in zend_execute /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:458:2
    #26 0x1cc2875 in zend_execute_scripts /home/idai/PHPs/php-7.0.25/Zend/zend.c:1445:4
    #27 0x19368c7 in php_execute_script /home/idai/PHPs/php-7.0.25/main/main.c:2518:14
    #28 0x2278e40 in do_cli /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:977:5
    #29 0x2275330 in main /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:1347:18
    #30 0x7f61132fd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x432128 in _start (/home/idai/Workspace/pcre/php_asan+0x432128)

0x621000006500 is located 0 bytes inside of 4096-byte region [0x621000006500,0x621000007500)
freed by thread T0 here:
    #0 0x4ea5f0 in __interceptor_cfree.localalias.0 (/home/idai/Workspace/pcre/php_asan+0x4ea5f0)
    #1 0x7f611335854a in _IO_setb (/lib/x86_64-linux-gnu/libc.so.6+0x7b54a)

previously allocated by thread T0 here:
    #0 0x4ea7a8 in malloc (/home/idai/Workspace/pcre/php_asan+0x4ea7a8)
    #1 0x7f611334a1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)

    SUMMARY: AddressSanitizer: heap-use-after-free /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23 in match
    Shadow bytes around the buggy address:
      0x0c427fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c427fff8ca0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c427fff8cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c427fff8cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c427fff8cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c427fff8ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c427fff8cf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==70724==ABORTING
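A small regression harness for the reproducer above, added here as an example; it is not part of the bug report or of php-src. It runs the report's pattern and subject under a PHP binary you name (the default path `php` is an assumption) with php.ini disabled, and classifies the outcome: a normal exit, a non-zero exit, an AddressSanitizer report on stderr (as in the actual result above), or death by signal, which is what an unfixed non-ASan build may show instead. The `cmd` parameter lets the classification be exercised with a stand-in command when no PHP build is at hand. The `pcre_version` helper reads PHP's `PCRE_VERSION` constant so you can confirm which libpcre the binary actually links, which is the first thing the triage comments below ask about.

```python
"""Regression check for the preg_match() crash reproducer in this report.

Added example, not code from the bug report or from php-src. Assumes a
PHP CLI binary reachable as `php` (override with the `cmd` argument).
"""
import signal
import subprocess
from typing import List, Optional

# Pattern and subject copied from the report's test script.
PATTERN = "/(((?(?C)0?=))(?!()0|.(?0)0)())/"
SUBJECT = "hello"

# One-liner handed to `php -r`; the pattern contains no quotes or
# backslashes, so single-quoting it in PHP needs no escaping.
PHP_SNIPPET = "preg_match('%s', '%s');" % (PATTERN, SUBJECT)


def classify(returncode: int, stderr: str) -> str:
    """Map a finished process to one of: asan, signal:<NAME>, error, clean.

    ASan is checked first because with its default options it reports on
    stderr and then exits 1 rather than dying by signal.
    """
    if "AddressSanitizer" in stderr:
        return "asan"
    if returncode < 0:  # subprocess reports a killing signal as -signum
        return "signal:%s" % signal.Signals(-returncode).name
    if returncode != 0:
        return "error"
    return "clean"


def run_reproducer(cmd: Optional[List[str]] = None, timeout: float = 30.0) -> str:
    """Run the reproducer and return its classify() label, or 'timeout'.

    The default command is `php -n -r <snippet>`; `-n` skips php.ini so the
    result reflects the binary itself, not a local configuration.
    """
    if cmd is None:
        cmd = ["php", "-n", "-r", PHP_SNIPPET]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stderr)


def pcre_version(php: str = "php") -> str:
    """Return PHP's PCRE_VERSION string (e.g. the bundled 8.38), or '' on failure."""
    proc = subprocess.run(
        [php, "-n", "-r", "echo PCRE_VERSION;"], capture_output=True, text=True
    )
    return proc.stdout.strip() if proc.returncode == 0 else ""


if __name__ == "__main__":
    print("PCRE_VERSION:", pcre_version() or "(php not found)")
    print("reproducer:", run_reproducer())
```

A fixed build should report `clean` (or `error` if preg_match() itself fails, which is still not memory corruption); `asan` or `signal:SIGSEGV`/`signal:SIGABRT` means the unfixed pcre_exec.c code path is still being hit.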


 [2017-10-30 10:29 UTC] cmb@php.net
It seems you're using the bundled libpcre, which is a patched 8.38.
The issue might already be solved in newer PCRE versions.
 [2017-10-31 01:54 UTC] idaifish at gmail dot com
Yes, the maintainer has confirmed.
 [2017-11-01 06:47 UTC] kalle@php.net
-Status: Open +Status: Verified
 [2018-08-02 05:15 UTC] ab@php.net
We might still want to apply this for the next security releases

https://vcs.pcre.org/pcre?view=revision&revision=1638

or at least to 7.1

Thanks.
 [2019-08-16 12:45 UTC] cmb@php.net
-Status: Verified +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-08-16 12:45 UTC] cmb@php.net
Seems this ticket has been overlooked.  I've assembled a patch[1]
with the backported fix and a regression test.  Stas, would you
please commit this to the sec repo (the actual patch is for
PHP-7.1 only, the test can be merged up to master).  Apparently,
there's no CVE for the upstream bug, so I don't think we need one
either.

[1] <https://gist.github.com/cmb69/a2cdb25813925d7b6e700c219fd34074>
 [2019-08-25 06:26 UTC] stas@php.net
62cf513f8a50120254862503fc8c4c7257ae4638 in security repo, will merge soon.
 [2019-08-26 02:44 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-08-26 02:44 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 [2019-08-28 02:33 UTC] pollita@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8debe97557a1ca7adf7c564db6a78fb6a82084b5
Log: Fix #75457: heap-use-after-free in php7.0.25