php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77385 buffer overflow in fetch_token
Submitted: 2018-12-31 01:27 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
View Add Comment Developer Edit
 [2018-12-31 01:27 UTC] hugh at allthethings dot co dot nz 
Description:
------------
Similar to #77370, using enclen on an incomplete multibyte character will return a pointer after the end of the buffer. This will cause memory corruption and/or leakage.

Patch available at https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731

Reproduced on 5.6.39, 7.0.33, 7.1.25, but not on 7.2, 7.3 and master.

Test script:
---------------
php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'


Expected result:
----------------
no crash

Actual result:
--------------
$ ~/php-7.0.33/sapi/cli/php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
=================================================================
==27833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001a430 at pc 0x0000004d8aa1 bp 0x7ffe531d6220 sp 0x7ffe531d59d0
READ of size 4 at 0x60300001a430 thread T0
    #0 0x4d8aa0 in __asan_memcpy (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0)
    #1 0x85644b in onig_strcpy /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x85644b in onig_node_str_cat /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x8667eb in parse_exp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5109:6
    #4 0x864525 in parse_branch /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5450:7
    #5 0x860e42 in parse_subexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5487:7
    #6 0x858975 in parse_regexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5531:7
    #7 0x858975 in onig_parse_make_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5558
    #8 0x7dd735 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5302:7
    #9 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7
    #10 0x97e487 in php_mbregex_compile_pattern /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:456:19
    #11 0x978bce in _php_mb_regex_ereg_exec /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:727:7
    #12 0x1257a45 in ZEND_DO_ICALL_SPEC_HANDLER /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:586:2
    #13 0x10d966d in execute_ex /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:417:7
    #14 0x10da547 in zend_execute /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:458:2
    #15 0xeeec74 in zend_eval_stringl /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1137:4
    #16 0xeef77a in zend_eval_stringl_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1178:11
    #17 0xeef77a in zend_eval_string_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1189
    #18 0x13181f6 in do_cli /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1010:21
    #19 0x13150e5 in main /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1350:18
    #20 0x7f239ba07b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x4383f9 in _start (/home/hugh/php-7.0.33/sapi/cli/php+0x4383f9)

0x60300001a430 is located 0 bytes to the right of 32-byte region [0x60300001a410,0x60300001a430)
allocated by thread T0 here:
    #0 0x4eda50 in malloc (/home/hugh/php-7.0.33/sapi/cli/php+0x4eda50)
    #1 0xe29d1c in __zend_malloc /home/hugh/php-7.0.33/Zend/zend_alloc.c:2882:14
    #2 0xeabfb5 in zend_try_ct_eval_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5881:2
    #3 0xeabfb5 in zend_compile_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5992
    #4 0xe411a6 in zend_compile_expr /home/hugh/php-7.0.33/Zend/zend_compile.c:7232:4
    #5 0xe59afd in zend_compile_args /home/hugh/php-7.0.33/Zend/zend_compile.c:2785:4
    #6 0xe5bcb0 in zend_compile_call_common /home/hugh/php-7.0.33/Zend/zend_compile.c:2873:14

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fffb430: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fffb440: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb450: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffb460: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c067fffb470: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
=>0x0c067fffb480: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c067fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27833==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-02 08:44 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 08:44 UTC] stas@php.net 
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 21:14 UTC] hugh at allthethings dot co dot nz 
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:18 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 18:01:28 2024 UTC