php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77544 stack-buffer-overflow while using eval in php 5.6.40
Submitted: 2019-01-29 19:12 UTC Modified: 2019-01-31 14:52 UTC
From: insi_2304 at ymail dot com Assigned:
Status: Duplicate Package: Scripting Engine problem
PHP Version: 5.6.40 OS: Kali Linux
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
32 + 37 = ?
Subscribe to this entry?

 
 [2019-01-29 19:12 UTC] insi_2304 at ymail dot com
Description:
------------
root@kali2:~/fuzzing/victims/php-src-php-5.6.40/sapi/cli# USE_ZEND_ALLOC=0 ./php -r 'eval(file_get_contents("php://stdin"));' < ./stack_bof_eval 
=================================================================
==3122==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1460eb10 at pc 0x00000149417d bp 0x7ffd1460c590 sp 0x7ffd1460c588
WRITE of size 1 at 0x7ffd1460eb10 thread T0
    #0 0x149417c in yysyntax_error /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_language_parser.c:3171:18
    #1 0x14864cc in zendparse /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_language_parser.c:6673:33
    #2 0x1499e51 in compile_string /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_language_scanner.l:751:21
    #3 0x1798da1 in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_vm_execute.h:13758:21
    #4 0x16ece6d in execute_ex /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_vm_execute.h:363:14
    #5 0x16eee52 in zend_execute /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_vm_execute.h:388:2
    #6 0x15aec87 in zend_eval_stringl /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_execute_API.c:1080:4
    #7 0x15b0409 in zend_eval_stringl_ex /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_execute_API.c:1127:11
    #8 0x15b0409 in zend_eval_string_ex /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_execute_API.c:1138
    #9 0x194a9c8 in do_cli /root/fuzzing/victims/php-src-php-5.6.40/sapi/cli/php_cli.c:1038:8
    #10 0x1947841 in main /root/fuzzing/victims/php-src-php-5.6.40/sapi/cli/php_cli.c:1382:18
    #11 0x7f3d63d9c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #12 0x43de79 in _start (/root/fuzzing/victims/php-src-php-5.6.40/sapi/cli/php+0x43de79)

Address 0x7ffd1460eb10 is located in stack of thread T0 at offset 9040 in frame
    #0 0x1485a2f in zendparse /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_language_parser.c:3213

  This frame has 8 object(s):
    [32, 72) 'yylval'
    [112, 512) 'yyssa'
    [576, 8576) 'yyvsa'
    [8832, 8872) 'yyval'
    [8912, 9040) 'yymsgbuf' <== Memory access at offset 9040 overflows this variable
    [9072, 9080) 'yymsg_alloc'
    [9104, 9144) 'tmp_znode'
    [9184, 9224) 'tmp_znode1708'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/fuzzing/victims/php-src-php-5.6.40/Zend/zend_language_parser.c:3171:18 in yysyntax_error
Shadow bytes around the buggy address:
  0x1000228b9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000228b9d20: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000228b9d30: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000228b9d40: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2
  0x1000228b9d50: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000228b9d60: 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 f2
  0x1000228b9d70: f2 f2 f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
  0x1000228b9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000228b9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000228b9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000228b9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3122==ABORTING


Test script:
---------------
namespace MfP"pp{}    namespace M�Feovuw);
�chP1ÀXhe__Fakeup>at�Zi\{mfd(�Fro
�at��"ce
$dmtdti�h.hhhhhhhhhhhhhUh$dm.hhhhhhhhhhhhhtdtireate t�o�eeev_destrudi�lad��dral);
e h� $datEmAr atIstanc��ateX��eHme-adry-It�Zi\{mfd(�FroN��b@omA.ray�d($�FC;
echo �eete');



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-29 22:29 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *Extensibility Functions +Package: Scripting Engine problem
 [2019-01-29 22:45 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2019-01-29 22:45 UTC] cmb@php.net
The title claims this about PHP 5.6.40, but the version field says it's 7.3.1.  Which is it?
 [2019-01-30 04:34 UTC] insi_2304 at ymail dot com
-Status: Feedback +Status: Assigned -PHP Version: 7.3.1 +PHP Version: 5.6.40
 [2019-01-30 04:34 UTC] insi_2304 at ymail dot com
The version affected is 5.6.40,
 [2019-01-30 08:33 UTC] cmb@php.net
-Status: Assigned +Status: Feedback
 [2019-01-30 08:33 UTC] cmb@php.net
Then please check whether this issue also happens with any
*actively* *supported* PHP version[1].

[1] <http://php.net/supported-versions.php>
 [2019-01-30 11:46 UTC] insi_2304 at ymail dot com
-Status: Feedback +Status: Assigned
 [2019-01-30 11:46 UTC] insi_2304 at ymail dot com
I could not check for other supported versions as other versions are throwing memory leak while compiling with asan
 [2019-01-30 12:04 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2019-01-30 12:04 UTC] cmb@php.net
Then we likeley should cater to these memory leaks first.
 [2019-01-30 14:44 UTC] insi_2304 at ymail dot com
Will this one be fixed?
 [2019-01-30 14:53 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-01-30 14:53 UTC] nikic@php.net
This is bug #70430, which has been fixed in PHP 7.0.
 [2019-01-30 15:03 UTC] insi_2304 at ymail dot com
Shouldn't it be fixed in 5.6.40 as it is being provided on main website, not even in the archive downloads to download it and this was the reason why I started testing it
 [2019-01-30 15:13 UTC] nikic@php.net
PHP 5.6 is EOL, so it will not be fixed there, no. You are right though that PHP 5.6 and PHP 7.0 probably shouldn't appear on the download page anymore.

@cmb: Maybe you know how to do that?
 [2019-01-30 17:48 UTC] insi_2304 at ymail dot com
The bug status should be anything other than duplicate as the bug#70430 was fixed in 2015 itself. I think it is different code path in the Zend language parser that is why it is still present in the 5.6.40 for which the release date is 10-jan-2019.
 [2019-01-30 17:54 UTC] nikic@php.net
The linked bug was fixed only in PHP 7.0 and above. The actual release date is not relevant here, it's a matter of which branch the bug fix landed on. This particular change only went into PHP 7, but not PHP 5.
 [2019-01-31 14:52 UTC] cmb@php.net
> @cmb: Maybe you know how to do that?

Done.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 18:01:30 2024 UTC