php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77382 heap buffer overflow due to incorrect length in expand_case_fold_string
Submitted: 2018-12-30 22:13 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
36 + 3 = ?
Subscribe to this entry?

 
 [2018-12-30 22:13 UTC] hugh at allthethings dot co dot nz
Description:
------------
In expand_case_fold_string the len field is calculated off enclen, and is then used in onig_node_new_str which is passed to xmemcpy later down the line. This length may overshoot the string buffer if the last character is an unfinished multibyte character.

Patch available at https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947

Test script:
---------------
php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'

Expected result:
----------------
no crash

Actual result:
--------------
$ ~/php-5.6.39/sapi/cli/php -r 'var_dump(mb_split("(?i)000000000000000000000\xf0",""));'
=================================================================
==11478==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001fd8 at pc 0x0000004d67d1 bp 0x7ffcde7b2e90 sp 0x7ffcde7b2640
READ of size 4 at 0x606000001fd8 thread T0
    #0 0x4d67d0 in __asan_memcpy (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0)
    #1 0x87e12b in onig_strcpy /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x87e12b in onig_node_str_cat /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x87ed4e in node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1515:7
    #4 0x87ed4e in onig_node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1525
    #5 0x80e2a3 in expand_case_fold_string_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3289:11
    #6 0x80e2a3 in expand_case_fold_string /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3431
    #7 0x80e2a3 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3687
    #8 0x8118d7 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3810:8
    #9 0x805bd8 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5336:7
    #10 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7
    #11 0x9a6975 in php_mbregex_compile_pattern /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:458:19
    #12 0x9a5c97 in zif_mb_split /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:1076:12
    #13 0x11a18b8 in zend_do_fcall_common_helper_SPEC /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:558:5
    #14 0xffb81d in execute_ex /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:363:14
    #15 0xffd802 in zend_execute /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:388:2
    #16 0xebd637 in zend_eval_stringl /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1080:4
    #17 0xebedb9 in zend_eval_stringl_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1127:11
    #18 0xebedb9 in zend_eval_string_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1138
    #19 0x1259386 in do_cli /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1040:31
    #20 0x1256181 in main /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1386:18
    #21 0x7f66c1fb5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #22 0x436129 in _start (/home/hugh/php-5.6.39/sapi/cli/php+0x436129)

0x606000001fd8 is located 0 bytes to the right of 56-byte region [0x606000001fa0,0x606000001fd8)
allocated by thread T0 here:
    #0 0x4eb780 in malloc (/home/hugh/php-5.6.39/sapi/cli/php+0x4eb780)
    #1 0x888fc3 in node_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1129:18
    #2 0x888fc3 in onig_node_new_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1266
    #3 0x888fc3 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5505
    #4 0x890c12 in parse_enclose /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:4551:11
    #5 0x890c12 in parse_exp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5072
    #6 0x88c561 in parse_branch /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5460:11
    #7 0x888b22 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5487:7
    #8 0x880655 in parse_regexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5531:7
    #9 0x880655 in onig_parse_make_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5558
    #10 0x805645 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5301:7
    #11 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff83a0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff83b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff83c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff83d0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff83e0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fff83f0: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8400: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8410: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8420: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8430: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8440: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11478==ABORTING



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-02 08:43 UTC] stas@php.net
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 08:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 21:16 UTC] hugh at allthethings dot co dot nz
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:18 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

See bug #77381
 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Aug 20 16:01:30 2019 UTC