Sec Bug #77721 Heap-use-after-free (READ of size 8) in match_at()
Submitted: 2019-03-10 20:04 UTC Modified: 2019-08-25 07:26 UTC
From: geeknik at protonmail dot ch Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.3.3 OS: Fedora 29 x64
Private report: No CVE-ID: None
 [2019-03-10 20:04 UTC] geeknik at protonmail dot ch
Description:
------------
This heap-use-after-free was discovered while fuzzing 7.3.2 with AFL and verified in 7.3.3.

Test script:
---------------
php -r '$file=file_get_contents("test0011"); print_r(mbreg($file, 0));'


echo "<base64-encoded test case omitted>" | base64 -d | tee test0011

sha256sum test0011
d2cf6b02cca2e840688fde31615732602888926dc537a1da65321882ce0f2341


Expected result:
----------------
No crash.

Actual result:
--------------
==29451==ERROR: AddressSanitizer: heap-use-after-free on address 0x62600000bbf8 at pc 0x00000117cc7f bp 0x7ffc6692dcd0 sp 0x7ffc6692dcc8
READ of size 8 at 0x62600000bbf8 thread T0
    #0 0x117cc7e in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c
    #1 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #2 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #3 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #4 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #5 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #6 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #7 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #8 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #9 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #10 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #11 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #12 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x448109 in _start (/root/php-7.3.3/sapi/cli/php+0x448109)

0x62600000bbf8 is located 11000 bytes inside of 11056-byte region [0x626000009100,0x62600000bc30)
freed by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116ea54 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3248:7
    #3 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #4 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #5 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #6 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #7 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #8 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #9 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #10 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #11 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #12 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #13 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #14 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x4f426f in realloc /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0x1189f47 in stack_double /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:1446:30
    #2 0x116e672 in match_at /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:3487:7
    #3 0x117eaff in onig_search_with_param /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #4 0x117dbaf in onig_search /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #5 0x1292c42 in _php_mb_regex_ereg_exec /root/php-7.3.3/ext/mbstring/php_mbregex.c:912:6
    #6 0x1c0c821 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #7 0x1a56533 in execute_ex /root/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #8 0x1a56cb0 in zend_execute /root/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #9 0x18c1514 in zend_eval_stringl /root/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #10 0x18c1bdb in zend_eval_stringl_ex /root/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #11 0x18c1bdb in zend_eval_string_ex /root/php-7.3.3/Zend/zend_execute_API.c:1070
    #12 0x1d05e68 in do_cli /root/php-7.3.3/sapi/cli/php_cli.c:1028:8
    #13 0x1d03c08 in main /root/php-7.3.3/sapi/cli/php_cli.c:1389:18
    #14 0x7f4c300592e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /root/php-7.3.3/ext/mbstring/oniguruma/src/regexec.c in match_at

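The ASan report above shows the region being freed by realloc() inside stack_double() and then read in match_at(): the shape of a pointer into a growable buffer that is kept across a growth step. The following is an added illustration of that bug class and its usual fix, written for this page; it is a constructed model and not oniguruma's or PHP's code.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a backtrack stack that grows by realloc(), in the
   spirit of a stack_double()-style grower. It is NOT oniguruma's code. */
typedef struct { long pos; long count; } Frame;
typedef struct { Frame *base; size_t len, cap; } Stack;

int stack_init(Stack *s) {
    s->cap = 4; s->len = 0;
    s->base = malloc(s->cap * sizeof *s->base);
    return s->base ? 0 : -1;
}

/* Doubling may move the block: every pointer into the old block is dead. */
int stack_push(Stack *s, long pos) {
    if (s->len == s->cap) {
        Frame *n = realloc(s->base, s->cap * 2 * sizeof *n);
        if (!n) return -1;
        s->base = n; s->cap *= 2;        /* old block freed by realloc() */
    }
    s->base[s->len].pos = pos;
    s->base[s->len].count = 0;
    s->len++;
    return 0;
}

/* Buggy pattern (same shape as the trace: free in the grower, stale READ
   in the caller): a Frame* is cached and used across a push that may grow.
   Shown for contrast only; do not call it. */
long repeat_buggy(Stack *s, long n) {
    Frame *rep = &s->base[s->len - 1];        /* raw pointer into block */
    for (long i = 0; i < n; i++) {
        if (stack_push(s, i) < 0) return -1;  /* may realloc and free */
        rep->count++;                         /* use-after-free if moved */
    }
    return rep->count;
}

/* Fixed pattern: keep an index, re-derive the pointer after every push. */
long repeat_fixed(Stack *s, long n) {
    size_t rep = s->len - 1;                  /* index survives realloc */
    for (long i = 0; i < n; i++) {
        if (stack_push(s, i) < 0) return -1;
        s->base[rep].count++;                 /* always via current base */
    }
    return s->base[rep].count;
}
```

Compiling the model with -fsanitize=address and calling repeat_buggy() reproduces a heap-use-after-free of the same "freed by realloc" form; repeat_fixed() runs clean.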
 [2019-03-11 03:20 UTC] geeknik at protonmail dot ch
Test script is actually:

php -r '$file=file_get_contents("test0011"); print_r(mb_ereg($file, 0));'
 [2019-03-11 10:59 UTC] cmb@php.net
-Package: *Regular Expressions +Package: mbstring related
 [2019-03-31 06:53 UTC] stas@php.net
Since we're moving away from bundling oniguruma, maybe it should be reported to oniguruma maintainers - https://github.com/kkos/oniguruma
 [2019-04-06 00:00 UTC] geeknik at protonmail dot ch
Someone else reported a similar UAF back in 2017 that is still unpatched, so this one is now public at https://github.com/kkos/oniguruma/issues/139.
 [2019-04-18 08:42 UTC] cmb@php.net
With PHP-7.3 on Windows (bundled oniguruma 6.9.0) I get a somewhat different ASAN report:

=================================================================
==7000==ERROR: AddressSanitizer: heap-use-after-free on address 0x11805420b8d8 at pc 0x7ff805b0c066 bp 0x001a2e9fae80 sp 0x001a2e9faec8
READ of size 8 at 0x11805420b8d8 thread T0
    #0 0x7ff805b0c065 in onig_match_with_param+0x12e55 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18072c065)
    #1 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #2 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #3 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #4 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #5 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #6 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #7 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #8 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #9 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #10 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #11 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #12 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

0x11805420b8d8 is located 10200 bytes inside of 10672-byte region [0x118054209100,0x11805420bab0)
freed by thread T0 here:
    #0 0x7ff804a847d5 in _asan_memmove+0x5d5 (C:\Program Files\LLVM\lib\clang\8.0.0\lib\windows\clang_rt.asan_dynamic-x86_64.dll+0x1800347d5)
    #1 0x7ff805b19a27 in onig_setup_builtin_monitors_by_ascii_encoded_name+0x1947 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180739a27)
    #2 0x7ff805b01b40 in onig_match_with_param+0x8930 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180721b40)
    #3 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #4 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #5 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #6 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #7 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #8 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #9 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #10 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #11 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #12 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #13 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #14 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

previously allocated by thread T0 here:
    #0 0x7ff804a847d5 in _asan_memmove+0x5d5 (C:\Program Files\LLVM\lib\clang\8.0.0\lib\windows\clang_rt.asan_dynamic-x86_64.dll+0x1800347d5)
    #1 0x7ff805b19a27 in onig_setup_builtin_monitors_by_ascii_encoded_name+0x1947 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180739a27)
    #2 0x7ff805afb96e in onig_match_with_param+0x275e (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18071b96e)
    #3 0x7ff805b111e3 in onig_search_with_param+0x1193 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1807311e3)
    #4 0x7ff805b5c494 in onig_unicode_define_user_property+0x5c54 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18077c494)
    #5 0x7ff805620667 in zend_execute+0x13bcd7 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180240667)
    #6 0x7ff8054e47f9 in execute_ex+0xf9 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x1801047f9)
    #7 0x7ff8054e4d4c in zend_execute+0x3bc (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180104d4c)
    #8 0x7ff8053e937e in zend_execute_scripts+0x1be (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18000937e)
    #9 0x7ff805807755 in php_execute_script+0x845 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x180427755)
    #10 0x7ff76687407b in sapi_cli_single_write+0x306b (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x14000407b)
    #11 0x7ff766871ae3 in sapi_cli_single_write+0xad3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140001ae3)
    #12 0x7ff766890ad3 in sapi_cli_single_write+0x1fac3 (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php.exe+0x140020ad3)
    #13 0x7ff84b6c7973 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017973)
    #14 0x7ff84d72a270 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006a270)

SUMMARY: AddressSanitizer: heap-use-after-free (D:\php-sdk\phpdev\vc15\x64\php-src-7.3\x64\Release\php7.dll+0x18072c065) in onig_match_with_param+0x12e55
Shadow bytes around the buggy address:
  0x03645ea416c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea416f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x03645ea41710: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x03645ea41720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x03645ea41750: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x03645ea41760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7000==ABORTING

With PHP-7.4 on Windows using oniguruma 6.9.1, ASAN does not complain. I assume the issue has been fixed with 6.9.1, but still we need to patch our bundled onigurumas.
 [2019-08-25 07:26 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2019-08-25 07:26 UTC] stas@php.net
Upgraded to 6.9.1, should have fixed it.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Apr 22 12:01:23 2021 UTC