Sec Bug #76557 heap-buffer-overflow (READ of size 48) while reading exif data
Submitted: 2018-07-01 00:34 UTC Modified: 2018-08-03 02:56 UTC
From: geeknik at protonmail dot ch Assigned: kalle (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.36 OS: Debian 9 x64
Private report: No CVE-ID: 2018-14851
 [2018-07-01 00:34 UTC] geeknik at protonmail dot ch
Description:
------------
USE_ZEND_ALLOC=0 ./php-7.2.7 -r '$exif = exif_read_data("http://dtf.pw/php727/poc/630/test000.jpeg"); var_dump($exif);'


Expected result:
----------------
No crash.

Actual result:
--------------
==996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000011958 at pc 0x0000004ce426 bp 0x7ffc064d6a00 sp 0x7ffc064d61b0
READ of size 48 at 0x61d000011958 thread T0
    #0 0x4ce425 in __asan_memcpy /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x13f4905 in _estrndup /root/php-7.2.7/Zend/zend_alloc.c:2538:2
    #2 0xe039ad in exif_iif_add_value /root/php-7.2.7/ext/exif/exif.c:2119:21
    #3 0xe039ad in exif_iif_add_tag /root/php-7.2.7/ext/exif/exif.c:2199
    #4 0xe0b818 in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3543:2
    #5 0xe0bccf in exif_process_IFD_in_MAKERNOTE /root/php-7.2.7/ext/exif/exif.c:3213:8
    #6 0xe0bccf in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3494
    #7 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #8 0xe0ac0e in exif_process_IFD_TAG /root/php-7.2.7/ext/exif/exif.c:3534:11
    #9 0xe08c15 in exif_process_IFD_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3576:8
    #10 0xe014c0 in exif_process_TIFF_in_JPEG /root/php-7.2.7/ext/exif/exif.c:3665:2
    #11 0xe014c0 in exif_process_APP1 /root/php-7.2.7/ext/exif/exif.c:3690
    #12 0xe014c0 in exif_scan_JPEG_header /root/php-7.2.7/ext/exif/exif.c:3835
    #13 0xe014c0 in exif_scan_FILE_header /root/php-7.2.7/ext/exif/exif.c:4224
    #14 0xe014c0 in exif_read_from_impl /root/php-7.2.7/ext/exif/exif.c:4365
    #15 0xe014c0 in exif_read_from_stream /root/php-7.2.7/ext/exif/exif.c:4382
    #16 0xdf8f18 in exif_read_from_file /root/php-7.2.7/ext/exif/exif.c:4409:8
    #17 0xdf8f18 in zif_exif_read_data /root/php-7.2.7/ext/exif/exif.c:4482
    #18 0x17c5d34 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.2.7/Zend/zend_vm_execute.h:617:2
    #19 0x15ed419 in execute_ex /root/php-7.2.7/Zend/zend_vm_execute.h:59723:7
    #20 0x15eda9a in zend_execute /root/php-7.2.7/Zend/zend_vm_execute.h:63760:2
    #21 0x14758eb in zend_eval_stringl /root/php-7.2.7/Zend/zend_execute_API.c:1082:4
    #22 0x1475fb9 in zend_eval_stringl_ex /root/php-7.2.7/Zend/zend_execute_API.c:1123:11
    #23 0x1475fb9 in zend_eval_string_ex /root/php-7.2.7/Zend/zend_execute_API.c:1134
    #24 0x18c4aea in do_cli /root/php-7.2.7/sapi/cli/php_cli.c:1044:8
    #25 0x18c2c03 in main /root/php-7.2.7/sapi/cli/php_cli.c:1405:18
    #26 0x7f43ac6d32e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #27 0x427479 in _start (/root/php-7.2.7/sapi/cli/php+0x427479)

Address 0x61d000011958 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy

History

 [2018-07-01 17:03 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-07-01 17:03 UTC] cmb@php.net
Thanks for reporting this issue!  I can confirm the OOB read with
valgrind on PHP-7.1 and master (haven't tested other versions).
 [2018-07-02 02:59 UTC] stas@php.net
-Assigned To: +Assigned To: kalle
 [2018-07-02 02:59 UTC] stas@php.net
-PHP Version: 7.2.7 +PHP Version: 5.6.36 -CVE-ID: +CVE-ID: needed
 [2018-07-02 04:20 UTC] stas@php.net
I am not sure whether I understand the code right or not, but it looks to me like the problem is in exif_process_IFD_in_MAKERNOTE, where the code changes offset_base:

	switch (maker_note->offset_mode) {
		case MN_OFFSET_MAKER:
			offset_base = value_ptr;

... etc.

When offset_base is changed, both IFDlength and displacement stay the same, so when the values in exif_process_IFD_TAG() are verified:

		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {

they are checked against the same IFDlength values as before, however the code uses new offset_base:

		value_ptr = offset_base+offset_val;

So if that offset_base is more than before, and offset_val is checked against the length measured with the old base, the new value can cause reading outside the data that is loaded.
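A stand-alone C model of the mismatch described in the comment above (an added illustration, not code from php-src or from the reporter): the quoted bounds check is run with an IFDlength still measured from the original base after offset_base has been rebased to the maker note value, so a tag passes the check yet reads past the loaded data. The buffer size (64), maker note position (40), offset_val (12) and byte_count (48) are constructed values, and the rebased check is an assumption about how to bound the access, not the project's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* The check quoted above: accepts a value of byte_count bytes at
 * offset_base+offset_val, bounded by an ifd_length that the caller
 * still measured from the ORIGINAL base. */
static bool original_check(const unsigned char *offset_base, size_t ifd_length,
                           const unsigned char *dir_entry,
                           size_t offset_val, size_t byte_count)
{
    const unsigned char *value_ptr = offset_base + offset_val;
    return !(byte_count > ifd_length || offset_val > ifd_length - byte_count ||
             value_ptr < dir_entry || offset_val < (size_t)(dir_entry - offset_base));
}

/* Illustrative corrected check (assumption, not the project's fix): bound the
 * access by the bytes that remain between the NEW base and the end of the
 * loaded data, instead of the length measured from the old base. */
static bool rebased_check(const unsigned char *ifd_start, size_t ifd_length,
                          const unsigned char *offset_base,
                          const unsigned char *dir_entry,
                          size_t offset_val, size_t byte_count)
{
    const unsigned char *end = ifd_start + ifd_length;
    if (offset_base < ifd_start || offset_base > end)
        return false;
    size_t remaining = (size_t)(end - offset_base);
    return original_check(offset_base, remaining, dir_entry, offset_val, byte_count);
}

/* Constructed scenario: 64 bytes of loaded IFD data; the maker note value
 * starts at byte 40, so MN_OFFSET_MAKER rebases offset_base to g_ifd+40 while
 * IFDlength is still 64. A maker note tag claims 48 bytes at base+12. */
static unsigned char g_ifd[64];                 /* constructed sample buffer */
static const size_t IFD_LENGTH = 64;            /* unchanged after rebasing */
static const size_t MAKER_NOTE_AT = 40;
static const size_t OFFSET_VAL = 12, BYTE_COUNT = 48;

bool original_check_accepts(void)               /* true: the read is allowed */
{
    const unsigned char *base = g_ifd + MAKER_NOTE_AT;
    return original_check(base, IFD_LENGTH, base + 2, OFFSET_VAL, BYTE_COUNT);
}

bool rebased_check_accepts(void)                /* false: only 24 bytes remain */
{
    const unsigned char *base = g_ifd + MAKER_NOTE_AT;
    return rebased_check(g_ifd, IFD_LENGTH, base, base + 2, OFFSET_VAL, BYTE_COUNT);
}

size_t bytes_read_past_end(void)                /* overrun of the accepted read */
{
    return MAKER_NOTE_AT + OFFSET_VAL + BYTE_COUNT - IFD_LENGTH;
}
```

The accepted 48-byte read ends 36 bytes past the loaded buffer, which is the shape of the "READ of size 48" reported by AddressSanitizer above.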
 [2018-07-02 05:22 UTC] stas@php.net
-Status: Verified +Status: Assigned
 [2018-07-02 05:22 UTC] stas@php.net
Proposed fix in https://gist.github.com/smalyshev/9e3197a51b489ab0ecb2438da6f4d59f and in security repo as 53cb7bf758cb1137239b069c5642ac00736bf787. Please verify.
 [2018-07-02 14:02 UTC] geeknik at protonmail dot ch
I can confirm the proposed patch fixes this issue (and #76558) in PHP 7.2.7.
 [2018-07-16 23:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3462efa386f26d343062094514af604c29e3edce
Log: Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
 [2018-07-16 23:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-08-02 19:00 UTC] geeknik at protonmail dot ch
CVE-2018-14851 has been assigned to this bug.
 [2018-08-03 02:56 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-14851