Bug #78363 Buffer overflow in zendparse
Submitted: 2019-08-01 20:18 UTC Modified: 2019-08-02 08:45 UTC
From: iamliketohack at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.7 OS: Ubuntu
Private report: No CVE-ID: None
 [2019-08-01 20:18 UTC] iamliketohack at gmail dot com
Description:
------------
I have found a potential Global Buffer Overflow in PHP 7.3.7; other versions may also be affected. I built PHP with ASAN support and fuzzed PHP using AFL, which revealed the below information:

Test script:
---------------
I have a testcase which reproduces this bug, how can I send it?

Actual result:
--------------
==1572==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002fc6e48 at pc 0x0000004eda9b bp 0x7ffd2bae3870 sp 0x7ffd2bae3020
READ of size 13 at 0x000002fc6e48 thread T0
    #0 0x4eda9a in __interceptor_memcmp.part.283 (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4eda9a)
    #1 0x1e507ce in zend_yytnamerr /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:7088:4
    #2 0x1e4e143 in yysyntax_error /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:3168:22
    #3 0x1e42b06 in zendparse /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:6885:33
    #4 0x1e54b92 in zend_compile /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_scanner.l:586:7
    #5 0x1e54720 in compile_file /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_scanner.l:636:14
    #6 0x17512ec in phar_compile_file /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/ext/phar/phar.c:3347:9
    #7 0x1f9d75d in zend_execute_scripts /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend.c:1562:14
    #8 0x1da0f4f in php_execute_script /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/main/main.c:2630:14
    #9 0x23ec780 in do_cli /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php_cli.c:997:5
    #10 0x23e98bb in main /home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php_cli.c:1389:18
    #11 0x7f1ee158eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4546b9 in _start (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4546b9)

0x000002fc6e48 is located 56 bytes to the left of global variable '<string literal>' defined in '/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:873:38' (0x2fc6e80) of size 4
  '<string literal>' is ascii string ''(''
0x000002fc6e48 is located 0 bytes to the right of global variable '<string literal>' defined in '/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/Zend/zend_language_parser.c:873:27' (0x2fc6e40) of size 8
  '<string literal>' is ascii string 'T_ERROR'
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/user/afl-2.52b/targets/php_build/php-tokenized/php-7.3.7/sapi/cli/php+0x4eda9a) in __interceptor_memcmp.part.283
==1572==ABORTING

History

 [2019-08-01 20:42 UTC] stas@php.net
-Summary: Potential Global Buffer Overlfow +Summary: Buffer overflow in zendparse
-Type: Security +Type: Bug
-Package: Reproducible crash +Package: Scripting Engine problem
-PHP Version: Irrelevant +PHP Version: 7.3.7
 [2019-08-01 20:44 UTC] stas@php.net
Test script, base64-encoded:

PD8wfDw8PGwKbF48PDxsDQAkYQoJbDA=
 [2019-08-02 07:58 UTC] nikic@php.net
Not getting errors under valgrind, just:

Parse error: Invalid body indentation level (expecting an indentation level of at least 1) in /home/nikic/php-7.3/t022.php on line 3

There is a somewhat suspicious memcmp(yystr, "\"end of file\"", sizeof("\"end of file\"") - 1) == 0 comparison in the yytnamerr implementation though... possibly that should be using strcmp.
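The comparison nikic points at, modelled in an added example that is not php-src code: `memcmp` with a fixed length of `sizeof("\"end of file\"") - 1` (13 bytes) reads 13 bytes from whatever token name it is handed, so for the 8-byte name `T_ERROR` it overreads, which is the "READ of size 13" in the ASan report above. The `strcmp` form is assumed here as the hardened variant, following the comment's suggestion; `EOF_TOKEN_NAME` and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The special token name the parser's error path looks for. 13 chars + NUL. */
static const char EOF_TOKEN_NAME[] = "\"end of file\"";

/* The pattern flagged in the report: always reads 13 bytes from yystr no
 * matter how long yystr is. For "T_ERROR" (8 bytes including NUL) that is a
 * 5-byte read past the terminator. Kept for contrast only; never call it
 * with an input shorter than 13 bytes. It also accepts any string that
 * merely starts with the 13-byte prefix. */
static int is_eof_token_overread(const char *yystr)
{
    return memcmp(yystr, EOF_TOKEN_NAME, sizeof(EOF_TOKEN_NAME) - 1) == 0;
}

/* Hardened form (assumed, per the comment): strcmp stops at the first
 * differing byte or at either string's NUL, so it never reads past the end
 * of a shorter yystr, and it demands an exact match rather than a prefix. */
static int is_eof_token(const char *yystr)
{
    return strcmp(yystr, EOF_TOKEN_NAME) == 0;
}

/* When the caller already knows yystr's length, compare lengths first;
 * only then is a fixed-length memcmp in bounds. */
static int is_eof_token_len(const char *yystr, size_t yystr_len)
{
    return yystr_len == sizeof(EOF_TOKEN_NAME) - 1 &&
           memcmp(yystr, EOF_TOKEN_NAME, yystr_len) == 0;
}

int main(void)
{
    /* Constructed token names, in the style of the parser's name table. */
    const char *names[] = { "T_ERROR", "'('", "\"end of file\"", "\"end of file\" x" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        size_t len = strlen(names[i]);
        /* Only run the overreading variant where it stays in bounds. */
        int over = len >= sizeof(EOF_TOKEN_NAME) - 1 ? is_eof_token_overread(names[i]) : -1;
        printf("%-18s strcmp=%d len-checked=%d memcmp-prefix=%d\n", names[i],
               is_eof_token(names[i]), is_eof_token_len(names[i], len), over);
    }
    return 0;
}
```

The last row shows the second defect of the fixed-length `memcmp`: it reports a match for a name that only begins with `"end of file"`, while `strcmp` does not.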
 [2019-08-02 08:39 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=85e8ccd55e37028be6260c142c27689977564c9a
Log: Fixed bug #78363
 [2019-08-02 08:39 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-08-02 08:45 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-08-02 08:45 UTC] nikic@php.net
I've fixed this in 7.2 as the issue could also exist there and added the test for 7.3 in https://github.com/php/php-src/commit/d89157cd677a00dd02ab890b0af9dc40389514e2.

Peculiar that asan caught this but valgrind didn't.
Last updated: Mon Dec 09 23:01:24 2019 UTC