Sec Bug #78338 Array cross-border reading/global variable coverage in PCRE
Submitted: 2019-07-28 04:17 UTC Modified: 2019-07-29 22:01 UTC
From: 3556158925 at qq dot com Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.3.8 OS: Ubuntu 18.04.1 LTS
Private report: No CVE-ID: None
 [2019-07-28 04:17 UTC] 3556158925 at qq dot com
Description:
------------
Get the latest version of PHP:
git clone https://github.com/php/php-src

Configure PHP:
./configure
PCRE is the default extension in PHP; even if you use "./configure --disable-all",
you can still trigger the following bugs.

The test script is very easy:
<?php
$fuzz=file_get_contents($argv[1]);
preg_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use "input_file.txt" as the input file.

Then run
./php-src/sapi/cli/php ./test.php ./input_file.txt
and you will see "Segmentation fault (core dumped)".

Use gdb to see the details:
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546	lgb = UCD_GRAPHBREAK(c);

I analysed this crash; it is caused by array cross-border reading. Then I used AFL to fuzz PHP; it reported some global variable coverage. You can see the crash cases in "input.zip".

Test script:
---------------
The test script is very easy:
<?php
$fuzz=file_get_contents($argv[1]);
preg_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use "input_file.txt" as the input file.

Then run
./php-src/sapi/cli/php ./test.php ./input_file.txt
and you will see "Segmentation fault (core dumped)".

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546	lgb = UCD_GRAPHBREAK(c);

 [2019-07-28 04:21 UTC] stas@php.net
This looks like segfault inside PCRE library. Did you report it to the PCRE maintainers?
 [2019-07-28 07:22 UTC] 3556158925 at qq dot com
I sent this report to the PCRE maintainers just now, thanks.
 [2019-07-29 09:12 UTC] cmb@php.net
> I sent this report to the PCRE maintainers just now, thanks.

For reference: <https://bugs.exim.org/show_bug.cgi?id=2421>
 [2019-07-29 17:17 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-07-29 17:17 UTC] cmb@php.net
This issue has already been fixed upstream.  Since it is caused by
erroneous treatment of the subject (which may be user supplied),
we should consider applying the following patch to our bundled
pcre2 (PHP-7.3+):

 ext/pcre/pcre2lib/pcre2_jit_compile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcre/pcre2lib/pcre2_jit_compile.c b/ext/pcre/pcre2lib/pcre2_jit_compile.c
index 1f21bfb6ad..283aeff83c 100644
--- a/ext/pcre/pcre2lib/pcre2_jit_compile.c
+++ b/ext/pcre/pcre2lib/pcre2_jit_compile.c
@@ -8538,7 +8538,7 @@ int lgb, rgb, ricount;
 PCRE2_SPTR bptr;
 uint32_t c;
 
-GETCHARINC(c, cc);
+c = *cc++;
 #if PCRE2_CODE_UNIT_WIDTH == 32
 if (c >= 0x110000)
   return NULL;
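Review bot: the replacement `c = *cc++;` is the right read for a function named `do_extuni_no_utf`: `GETCHARINC` decodes the subject as UTF and, on a subject that is not valid UTF, a single lead unit can make it consume several code units and read past the end of the buffer, which is the out-of-bounds read in the report. The unchanged `#if PCRE2_CODE_UNIT_WIDTH == 32` / `if (c >= 0x110000) return NULL;` guard below it is still needed, since a raw 32-bit unit can exceed the Unicode range. Two things are missing from the hunk itself: a one-line comment above `c = *cc++;` stating that the subject must not be decoded here, so nobody "fixes" it back to `GETCHARINC`, and a regression test (the gist linked in the following comment supplies one; it should land together with this change).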
 [2019-07-29 17:33 UTC] cmb@php.net
Formatted patch including regression test:
<https://gist.github.com/cmb69/3878eb568ea5d894f765a2703e5693e2>.
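A small model of the read that the patch above changes, added here as an illustration; it is not part of the report nor of pcre2's own code. It assumes a simplified lead-byte table (`lead_extra`) standing in for PCRE2's 8-bit `GETCHARINC` behaviour, and uses a constructed subject ending in the same 0xFF '/' '\n' bytes as the reporter's gdb dump, to show how a UTF-style read on a non-UTF subject runs past the buffer while the raw one-unit read stays in bounds:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Continuation-unit count claimed by a UTF-8 lead byte in 0xC0..0xFF,
   indexed by (lead & 0x3F). Simplified model of PCRE2's lead-byte table
   (an assumption about its exact contents, not copied from pcre2). */
static const uint8_t lead_extra[64] = {
    1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
    2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 3,3,3,3,3,3,3,3, 4,4,4,4, 5,5,5,5
};

/* UTF-mode read, as GETCHARINC does: trust the lead byte and consume
   however many units it claims. The macro itself does no bounds check. */
static size_t utf_read_len(const uint8_t *cc)
{
    uint32_t c = *cc;
    return (c >= 0xC0) ? 1 + lead_extra[c & 0x3F] : 1;
}

/* Non-UTF read, which the patch switches do_extuni_no_utf to (c = *cc++):
   exactly one code unit, whatever its value. */
static size_t raw_read_len(const uint8_t *cc)
{
    (void)cc;
    return 1;
}

/* Units a read starting at 'off' would consume beyond the end of a
   subject of 'len' units under the given read model (0 means in bounds). */
static size_t overrun(size_t (*read_len)(const uint8_t *),
                      const uint8_t *subj, size_t len, size_t off)
{
    size_t need = read_len(subj + off);
    return (off + need > len) ? (off + need) - len : 0;
}

/* Constructed subject mirroring the tail of the reporter's gdb dump:
   a 0xFF byte two units before the end. Length: 9 units, 0xFF at offset 6. */
static const uint8_t sample_subject[] = "zzzz=*\xff/\n";
#define SAMPLE_LEN (sizeof sample_subject - 1)
#define SAMPLE_FF_OFFSET 6

int main(void)
{
    printf("UTF-mode read at 0xFF overruns by %zu units\n",
           overrun(utf_read_len, sample_subject, SAMPLE_LEN, SAMPLE_FF_OFFSET));
    printf("raw read at 0xFF overruns by %zu units\n",
           overrun(raw_read_len, sample_subject, SAMPLE_LEN, SAMPLE_FF_OFFSET));
    return 0;
}
```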
 [2019-07-29 22:01 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-07-29 22:01 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out the latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 [2019-07-29 22:01 UTC] stas@php.net
-PHP Version: 7.4Git-2019-07-28 (Git) +PHP Version: 7.3.8
 [2019-07-30 07:17 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f6a5a027035d1fe7171a4fdd9b123cc4f439708
Log: Fix #78338: Array cross-border reading in PCRE
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Sep 21 13:01:27 2019 UTC