php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77008 heap-buffer-overflow in zif_sodium_pad
Submitted: 2018-10-12 12:32 UTC Modified: 2018-10-14 16:52 UTC
From: zzw20124321 at gmail dot com Assigned: jedisct1 (profile)
Status: Closed Package: statgrab (PECL)
PHP Version: 7.2Git-2018-10-12 (Git) OS: Ubuntu 16.04.3
Private report: No CVE-ID: None
 [2018-10-12 12:32 UTC] zzw20124321 at gmail dot com
Description:
------------
a heap buffer overflow in zif_sodium_pad


/sapi/cli/php -v
PHP 7.2.10 (cli) (built: Oct  8 2018 05:36:41) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies


 
test@ubuntu:~/php-7.2.10_bak$ ./sapi/cli/php ../crashxxxx.php
```
Warning: ftp_site() expects exactly 2 parameters, 0 given in /home/test/crashxxxx.php on line 6
=================================================================
==17594==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001200 at pc 0x556907c879b1 bp 0x7fff74df9c50 sp 0x7fff74df9c40
READ of size 1 at 0x603000001200 thread T0
    #0 0x556907c879b0 in zif_sodium_pad /home/test/php-7.2.10_bak/ext/sodium/libsodium.c:3407
    #1 0x556908282ad3 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/test/php-7.2.10/Zend/zend_vm_execute.h:617
    #2 0x556908282ad3 in execute_ex /home/test/php-7.2.10/Zend/zend_vm_execute.h:59750
    #3 0x5569082a8eba in zend_execute /home/test/php-7.2.10/Zend/zend_vm_execute.h:63776
    #4 0x556908005795 in zend_execute_scripts /home/test/php-7.2.10/Zend/zend.c:1496
    #5 0x556907eeddfc in php_execute_script /home/test/php-7.2.10/main/main.c:2590
    #6 0x5569082ae333 in do_cli /home/test/php-7.2.10/sapi/cli/php_cli.c:1011
    #7 0x5569073f4025 in main /home/test/php-7.2.10/sapi/cli/php_cli.c:1404
    #8 0x7f29fae8db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5569073f43b9 in _start (/home/test/php-7.2.10_bak/sapi/cli/php+0x44e3b9)

0x603000001200 is located 0 bytes to the right of 32-byte region [0x6030000011e0,0x603000001200)
allocated by thread T0 here:
    #0 0x7f29fea79b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x556907f82488 in __zend_malloc /home/test/php-7.2.10/Zend/zend_alloc.c:2829

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/php-7.2.10_bak/ext/sodium/libsodium.c:3407 in zif_sodium_pad
Shadow bytes around the buggy address:
  0x0c067fff81f0: 04 fa fa fa 00 00 00 06 fa fa 00 00 01 fa fa fa
  0x0c067fff8200: 00 00 00 07 fa fa 00 00 00 00 fa fa 00 00 00 06
  0x0c067fff8210: fa fa 00 00 00 07 fa fa 00 00 01 fa fa fa 00 00
  0x0c067fff8220: 00 fa fa fa 00 00 01 fa fa fa fd fd fd fd fa fa
  0x0c067fff8230: 00 00 00 00 fa fa 00 00 00 02 fa fa 00 00 00 00
=>0x0c067fff8240:[fa]fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8250: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8290: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17594==ABORTING
```

Test script:
---------------
test@ubuntu:~/php-7.2.10_bak$ cat ../crashxxxx.php


<?php
function func1(){	return urldecode(preg_quote(uniqid(), gzcompress(gc_mem_caches(-4294967296,-100))));}
function func2(){	return memory_get_peak_usage(func1());}
function test()
{
	return sodium_pad(ftp_site(),func2());
}
test();
?>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-10-14 06:44 UTC] zzw20124321 at gmail dot com
I test this bug in PHP 7.2.11, the bug exit in this version

php-7.2.11/sapi/cli/php -v
PHP 7.2.11 (cli) (built: Oct 12 2018 06:27:06) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

crash.php

<?php
function test()
{
        return sodium_pad(NULL, 200000);
}
test();
?>
 [2018-10-14 06:47 UTC] stas@php.net
-Assigned To: +Assigned To: jedisct1
 [2018-10-14 07:32 UTC] stas@php.net
-Status: Assigned +Status: Feedback
 [2018-10-14 07:32 UTC] stas@php.net
I tried the code above and it does not produce any crashes for me.
 [2018-10-14 07:39 UTC] zzw20124321 at gmail dot com
-Status: Feedback +Status: Assigned
 [2018-10-14 07:39 UTC] zzw20124321 at gmail dot com
which version php did you test?
 [2018-10-14 08:45 UTC] zzw20124321 at gmail dot com
I test on this version
http://php.net/get/php-7.2.11.tar.bz2/from/a/mirror


configure
./configure   --enable-mbstring   --with-curl   --with-openssl   --with-xmlrpc   --enable-soap   --enable-zip   --with-gd   --with-jpeg-dir   --with-png-dir   --with-mysql   --with-pgsql   --enable-embedded-mysqli   --with-freetype-dir   --enable-intl   --with-xsl   --with-sodium --enable-ftp --with-zlib

make with -fsanitize=address






if you want a crashes, try this. or change args 2 nums.

<?php
function test()
{
        return sodium_pad(NULL, 2097152);
}
test();
?>


I test on my pc :

~/php-7.2.11$ php ../crashxxxx.php
Segmentation fault

~/php-7.2.11$ cat ../crashxxxx.php
<?php
function test()
{
        return sodium_pad(NULL, 2097152);
}
test();
?>
 [2018-10-14 09:26 UTC] jedisct1@php.net
It has been fixed in version 2.0.13:  https://github.com/jedisct1/libsodium-php/commit/a628f63a43bb9ede2a6c4655c63da1f1c1c61c63

The change has been backported to the code shipped with PHP.
 [2018-10-14 09:36 UTC] zzw20124321 at gmail dot com
Is this  belongs to security problem? Can you open a cve for this?
 [2018-10-14 09:47 UTC] jedisct1@php.net
This will crash  the process (just like ini_set('memory_limit',-1); $a = str_repeat('x', 2147483647); $b = $a . $a;) but you won't be able to read any interesting content from the heap that way.

Even if it succeeds with an empty string as an input, the real sodium_pad() function will be called right after, and fill the destination buffer with zeros.
 [2018-10-14 09:58 UTC] zzw20124321 at gmail dot com
Since i can't get any data from php memory, but I can crash php. So maybe this can DDos.
 [2018-10-14 16:52 UTC] stas@php.net
-Status: Assigned +Status: Closed -Type: Security +Type: Bug
 [2018-10-14 16:52 UTC] stas@php.net
Since this requires specially crafted arguments not likely to be encountered in regular code, as per https://wiki.php.net/security it is not a security issue. Since it's already fixed, I am closing it.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Nov 14 15:01:27 2018 UTC