php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76244 A stack overflow vulnerability exist (most likely) in the isSet function
Submitted: 2018-04-20 11:12 UTC Modified: 2021-05-28 14:53 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: daniel dot teuchert at rub dot de Assigned: cmb (profile)
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.2.4 OS: Linux 4.6.2
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: daniel dot teuchert at rub dot de
New email:
PHP Version: OS:

 

 [2018-04-20 11:12 UTC] daniel dot teuchert at rub dot de
Description:
------------
Calling isSet with too many parameters causes a stack overflow.
Executing the test script results in a stack overflow.
The produced ASAN output can be found here: https://github.com/pnoltof/php_bug/blob/master/ASAN_output.txt
An attacker can possibly use this flaw to execute arbitrary code.

Steps to reproduce:
Build latest php version (compile with ASAN)
Donwload PoC file called "stack_overflow" (see Test script)
Execute binary file in $WORKDIR/php-7.2.4/sapi/cli/:
$WORKDIR/php-7.2.4/sapi/cli/php stack_overflow

I was not able to reproduce this behavior when debugging with gdb.

Test script:
---------------
PoC file can be found here: https://github.com/pnoltof/php_bug/blob/master/stack_overflow


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-22 22:16 UTC] cmb@php.net
This does not look like a security issue, since checking so many
variables in a single isset() does not appear to be of any
practical purpose.
 [2018-04-23 03:34 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-04-23 03:34 UTC] stas@php.net
Not a security issue, please see https://wiki.php.net/security
 [2021-05-28 14:53 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Package: *Programming Data Structures +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2021-05-28 14:53 UTC] cmb@php.net
Actually, this looks like a recursion issue during parsing; I
don't think we want to "improve" the parser to handle such
pathological code.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 19:01:29 2024 UTC