Bug #77008 heap-buffer-overflow in zif_sodium_pad
Submitted: 2018-10-12 12:32 UTC Modified: 2018-10-14 16:52 UTC
From: zzw20124321 at gmail dot com Assigned: jedisct1 (profile)
Status: Closed Package: statgrab (PECL)
PHP Version: 7.2Git-2018-10-12 (Git) OS: Ubuntu 16.04.3
Private report: No CVE-ID: None
 [2018-10-12 12:32 UTC] zzw20124321 at gmail dot com
Description:
------------
a heap buffer overflow in zif_sodium_pad


/sapi/cli/php -v
PHP 7.2.10 (cli) (built: Oct  8 2018 05:36:41) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies


 
test@ubuntu:~/php-7.2.10_bak$ ./sapi/cli/php ../crashxxxx.php
```
Warning: ftp_site() expects exactly 2 parameters, 0 given in /home/test/crashxxxx.php on line 6
=================================================================
==17594==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001200 at pc 0x556907c879b1 bp 0x7fff74df9c50 sp 0x7fff74df9c40
READ of size 1 at 0x603000001200 thread T0
    #0 0x556907c879b0 in zif_sodium_pad /home/test/php-7.2.10_bak/ext/sodium/libsodium.c:3407
    #1 0x556908282ad3 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/test/php-7.2.10/Zend/zend_vm_execute.h:617
    #2 0x556908282ad3 in execute_ex /home/test/php-7.2.10/Zend/zend_vm_execute.h:59750
    #3 0x5569082a8eba in zend_execute /home/test/php-7.2.10/Zend/zend_vm_execute.h:63776
    #4 0x556908005795 in zend_execute_scripts /home/test/php-7.2.10/Zend/zend.c:1496
    #5 0x556907eeddfc in php_execute_script /home/test/php-7.2.10/main/main.c:2590
    #6 0x5569082ae333 in do_cli /home/test/php-7.2.10/sapi/cli/php_cli.c:1011
    #7 0x5569073f4025 in main /home/test/php-7.2.10/sapi/cli/php_cli.c:1404
    #8 0x7f29fae8db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5569073f43b9 in _start (/home/test/php-7.2.10_bak/sapi/cli/php+0x44e3b9)

0x603000001200 is located 0 bytes to the right of 32-byte region [0x6030000011e0,0x603000001200)
allocated by thread T0 here:
    #0 0x7f29fea79b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x556907f82488 in __zend_malloc /home/test/php-7.2.10/Zend/zend_alloc.c:2829

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/php-7.2.10_bak/ext/sodium/libsodium.c:3407 in zif_sodium_pad
Shadow bytes around the buggy address:
  0x0c067fff81f0: 04 fa fa fa 00 00 00 06 fa fa 00 00 01 fa fa fa
  0x0c067fff8200: 00 00 00 07 fa fa 00 00 00 00 fa fa 00 00 00 06
  0x0c067fff8210: fa fa 00 00 00 07 fa fa 00 00 01 fa fa fa 00 00
  0x0c067fff8220: 00 fa fa fa 00 00 01 fa fa fa fd fd fd fd fa fa
  0x0c067fff8230: 00 00 00 00 fa fa 00 00 00 02 fa fa 00 00 00 00
=>0x0c067fff8240:[fa]fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8250: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8290: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17594==ABORTING
```

Test script:
---------------
test@ubuntu:~/php-7.2.10_bak$ cat ../crashxxxx.php

```php
<?php
function func1(){	return urldecode(preg_quote(uniqid(), gzcompress(gc_mem_caches(-4294967296,-100))));}
function func2(){	return memory_get_peak_usage(func1());}
function test()
{
	return sodium_pad(ftp_site(),func2());
}
test();
?>
```
 [2018-10-14 06:44 UTC] zzw20124321 at gmail dot com
I tested this bug in PHP 7.2.11; the bug exists in this version.

php-7.2.11/sapi/cli/php -v
PHP 7.2.11 (cli) (built: Oct 12 2018 06:27:06) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

crash.php

```php
<?php
function test()
{
        return sodium_pad(NULL, 200000);
}
test();
?>
```
 [2018-10-14 06:47 UTC] stas@php.net
-Assigned To: +Assigned To: jedisct1
 [2018-10-14 07:32 UTC] stas@php.net
-Status: Assigned +Status: Feedback
 [2018-10-14 07:32 UTC] stas@php.net
I tried the code above and it does not produce any crashes for me.
 [2018-10-14 07:39 UTC] zzw20124321 at gmail dot com
-Status: Feedback +Status: Assigned
 [2018-10-14 07:39 UTC] zzw20124321 at gmail dot com
Which version of PHP did you test?
 [2018-10-14 08:45 UTC] zzw20124321 at gmail dot com
I tested on this version:
http://php.net/get/php-7.2.11.tar.bz2/from/a/mirror


configure
./configure   --enable-mbstring   --with-curl   --with-openssl   --with-xmlrpc   --enable-soap   --enable-zip   --with-gd   --with-jpeg-dir   --with-png-dir   --with-mysql   --with-pgsql   --enable-embedded-mysqli   --with-freetype-dir   --enable-intl   --with-xsl   --with-sodium --enable-ftp --with-zlib

make with -fsanitize=address

If you want a crash, try this, or change the number in argument 2.

```php
<?php
function test()
{
        return sodium_pad(NULL, 2097152);
}
test();
?>
```


I tested on my PC:

```
~/php-7.2.11$ php ../crashxxxx.php
Segmentation fault

~/php-7.2.11$ cat ../crashxxxx.php
<?php
function test()
{
        return sodium_pad(NULL, 2097152);
}
test();
?>
```
 [2018-10-14 09:26 UTC] jedisct1@php.net
It has been fixed in version 2.0.13:  https://github.com/jedisct1/libsodium-php/commit/a628f63a43bb9ede2a6c4655c63da1f1c1c61c63

The change has been backported to the code shipped with PHP.
 [2018-10-14 09:36 UTC] zzw20124321 at gmail dot com
Is this a security problem? Can you open a CVE for this?
 [2018-10-14 09:47 UTC] jedisct1@php.net
This will crash the process (just like ini_set('memory_limit',-1); $a = str_repeat('x', 2147483647); $b = $a . $a;) but you won't be able to read any interesting content from the heap that way.

Even if it succeeds with an empty string as an input, the real sodium_pad() function will be called right after, and fill the destination buffer with zeros.
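The ASan report above shows a one-byte read just past the (empty) input string inside zif_sodium_pad, and jedisct1 notes that the real sodium_pad() then overwrites the destination with zeros, so no heap content survives. As an added example (not PHP's or libsodium-php's code), here is a standalone C implementation of the same ISO/IEC 7816-4 padding rule in which every read of the source is bounded by the input length, so the empty-string and 2097152-byte block-size inputs from this report pad cleanly instead of reading past the buffer; `iso7816_pad`, `padded_length` and `pad_byte_at` are names chosen here, not PHP API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ISO/IEC 7816-4 padding as sodium_pad() defines it: append 0x80, then 0x00
 * up to the next multiple of blocksize. Returns a malloc'd buffer and stores
 * its length in *padded_len, or NULL on invalid input. Every read of src is
 * bounded by len, never by the padded length, so an empty or short input is
 * never over-read. (Constructed example; not the PHP extension's code.) */
unsigned char *iso7816_pad(const unsigned char *src, size_t len,
                           size_t blocksize, size_t *padded_len)
{
    size_t xpadlen, total;
    unsigned char *out;

    /* block size must be >= 1; a NULL source is only valid when len == 0 */
    if (blocksize == 0 || (src == NULL && len != 0)) return NULL;
    xpadlen = blocksize - 1 - (len % blocksize);  /* zero bytes after 0x80 */
    if (SIZE_MAX - len <= xpadlen) return NULL;   /* len + xpadlen + 1 wraps */
    total = len + xpadlen + 1;
    if ((out = malloc(total)) == NULL) return NULL;
    if (len > 0) memcpy(out, src, len);           /* exactly len source bytes */
    out[len] = 0x80;
    memset(out + len + 1, 0, xpadlen);
    *padded_len = total;
    return out;
}

/* Check helpers: padded length (0 if the input is rejected) and the byte at
 * idx of the padded output (-1 if rejected or out of range). */
size_t padded_length(const unsigned char *src, size_t len, size_t blocksize)
{
    size_t n = 0, r;
    unsigned char *p = iso7816_pad(src, len, blocksize, &n);
    r = p ? n : 0;
    free(p);
    return r;
}

int pad_byte_at(const unsigned char *src, size_t len, size_t blocksize, size_t idx)
{
    size_t n = 0;
    unsigned char *p = iso7816_pad(src, len, blocksize, &n);
    int b = (p && idx < n) ? p[idx] : -1;
    free(p);
    return b;
}
```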
 [2018-10-14 09:58 UTC] zzw20124321 at gmail dot com
Since I can't get any data from PHP memory but I can crash PHP, maybe this can be used for DDoS.
 [2018-10-14 16:52 UTC] stas@php.net
-Status: Assigned +Status: Closed -Type: Security +Type: Bug
 [2018-10-14 16:52 UTC] stas@php.net
Since this requires specially crafted arguments not likely to be encountered in regular code, as per https://wiki.php.net/security it is not a security issue. Since it's already fixed, I am closing it.