PHP :: Sec Bug #77394 :: Buffer overflow in multibyte case folding

Sec Bug #77394	Buffer overflow in multibyte case folding - unicode
Submitted:	2019-01-01 21:23 UTC	Modified:	2019-02-22 22:09 UTC
From:	hugh at allthethings dot co dot nz	Assigned:	stas (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	5.6.39	OS:	Linux
Private report:	No	CVE-ID:	2019-9023

View Add Comment Developer Edit

[2019-01-01 21:23 UTC] hugh at allthethings dot co dot nz

Description:
------------
When using mb regex functions such as mb_ereg and mb_split, with a pattern containing (?i) and a string ending with an incomplete multibyte character, then the case folding function will go past the end of the buffer. This can result in memory corruption and/or leakage.

Reproduced in 5.6.39, 7.0.33, and 7.1.25. Not an issue in 7.2, 7.3 and master.

Patch available at https://gist.github.com/hughdavenport/7f7b78c08aea058eaa955510d1548f12

Test script:
---------------
php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'

Expected result:
----------------
no crash

Actual result:
--------------
$ ../php-7.0.33/sapi/cli/php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'
=================================================================
==13642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000003ad8 at pc 0x0000008914cc bp 0x7ffd807c7430 sp 0x7ffd807c7428
READ of size 1 at 0x606000003ad8 thread T0
    #0 0x8914cb in onigenc_unicode_mbc_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/unicode.c:11026:15
    #1 0x896600 in mbc_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/utf8.c:219:12
    #2 0x80bbfb in update_string_node_case_fold /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3208:11
    #3 0x80bbfb in expand_case_fold_make_rem_string /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3242
    #4 0x7ea7d9 in expand_case_fold_string /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3465:9
    #5 0x7ea7d9 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3688
    #6 0x7e99c7 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3811:8
    #7 0x7ddcc8 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5337:7
    #8 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7
    #9 0x97e487 in php_mbregex_compile_pattern /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:456:19
    #10 0x978bce in _php_mb_regex_ereg_exec /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:727:7
    #11 0x1257a45 in ZEND_DO_ICALL_SPEC_HANDLER /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:586:2
    #12 0x10d966d in execute_ex /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:417:7
    #13 0x10da547 in zend_execute /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:458:2
    #14 0xeeec74 in zend_eval_stringl /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1137:4
    #15 0xeef77a in zend_eval_stringl_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1178:11
    #16 0xeef77a in zend_eval_string_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1189
    #17 0x13181f6 in do_cli /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1010:21
    #18 0x13150e5 in main /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1350:18
    #19 0x7fb7612c5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x4383f9 in _start (/home/hugh/php-7.0.33/sapi/cli/php+0x4383f9)

0x606000003ad8 is located 0 bytes to the right of 56-byte region [0x606000003aa0,0x606000003ad8)
allocated by thread T0 here:
    #0 0x4eda50 in malloc (/home/hugh/php-7.0.33/sapi/cli/php+0x4eda50)
    #1 0x856f6f in node_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1129:18
    #2 0x856f6f in node_new_str /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1507
    #3 0x856f6f in onig_node_new_str /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1525
    #4 0x7e94b3 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3679:11
    #5 0x7e6d56 in setup_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:3668:6
    #6 0x7ddcc8 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5337:7
    #7 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/php-7.0.33/ext/mbstring/oniguruma/enc/unicode.c:11026:15 in onigenc_unicode_mbc_case_fold
Shadow bytes around the buggy address:
  0x0c0c7fff8700: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8710: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8720: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8730: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8740: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fff8750: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8760: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8770: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8780: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8790: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff87a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13642==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-01-02 08:44 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2019-01-02 08:44 UTC] stas@php.net

I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.

[2019-01-02 21:10 UTC] hugh at allthethings dot co dot nz

Verified on 5.6, 7.0 and 7.1

[2019-01-07 08:18 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2019-01-07 08:18 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2019-02-22 22:09 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2019-9023

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 03:01:29 2024 UTC