Bug #78833 Integer overflow in pack causes out-of-bound access
Submitted: 2019-11-18 20:47 UTC Modified: 2019-12-02 10:23 UTC
From: thomas dot bouzerar at protonmail dot com Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.3.11 OS: ALL
Private report: No CVE-ID: None
 [2019-11-18 20:47 UTC] thomas dot bouzerar at protonmail dot com
Description:
------------
There exists an integer overflow in the built-in PHP function pack(), as seen in the code below:

case 'E': /* big endian double */
  if (arg < 0) {
    arg = num_args - currentarg;
  }

currentarg += arg; // currentarg (signed int) can be overflowed by chaining multiple positive 'arg' values

currentarg is later used by:
case 'H':
  /* ... */
  if (arg < 0) {
    if (!try_convert_to_string(&argv[currentarg])) {
      efree(formatcodes);
      efree(formatargs);
      return;
    }
  /* ... */

This causes an out-of-bounds read from the argv array, which might lead to a sensitive memory leak (although not tested) or DoS.


Test script:
---------------
<?php
pack("E2E2147483647H*", 0x0, 0x0, 0x0);
?>


Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000055555584c10e in ?? ()

$rax   : 0x7ff7f521d100    
$rbx   : 0xf               
$rcx   : 0x48              
$rdx   : 0x2a              
$rsp   : 0x00007fffffffa510  →  0x0000000000000003
$rbp   : 0x2               
$rsi   : 0x000055555584c208  →   test eax, eax
$rdi   : 0x00005555560a3190  →  0xff7a8f68ff5da44d
$rip   : 0x000055555584c10e  →   cmp BYTE PTR [rax+0x8], 0x6
$r8    : 0x00007ffff5202ab8  →  "E2E2147483647H*"
$r9    : 0x00005555560a2ee4  →  0xff7a8d1cff7a8d3c
$r10   : 0x00007ffff5277100  →  0x7fffffff00000002
$r11   : 0x00007ffff5202aa0  →  0x0000004600000001
$r12   : 0x48              
$r13   : 0x00007ffff526a040  →  0x00007ffff5264545  →  0x0000000000000000
$r14   : 0xf               
$r15   : 0x80000001        
$eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 

─────────────────────────────────────────────────────── code:x86:64 ────
   0x55555584c102                  movsxd rax, r15d
   0x55555584c105                  shl    rax, 0x4
   0x55555584c109                  add    rax, QWORD PTR [rsp+0x10]
 → 0x55555584c10e                  cmp    BYTE PTR [rax+0x8], 0x6
   0x55555584c112                  je     0x55555584c14c
   0x55555584c114                  mov    QWORD PTR [rsp+0x28], r10
   0x55555584c119                  mov    rdi, rax
   0x55555584c11c                  mov    QWORD PTR [rsp+0x20], r8
   0x55555584c121                  mov    QWORD PTR [rsp+0x18], r11
─────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "php", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────── trace ────
[#0] 0x55555584c10e → cmp BYTE PTR [rax+0x8], 0x6
[#1] 0x555555993048 → execute_ex()
[#2] 0x555555997d46 → zend_execute()
[#3] 0x5555559105eb → zend_execute_scripts()
[#4] 0x5555558b2cf9 → php_execute_script()
[#5] 0x55555599a33d → lea rax, [rip+0x8951fc]        # 0x55555622f540 <executor_globals>
[#6] 0x5555556a1fa7 → mov ebp, eax
[#7] 0x7ffff74ab153 → __libc_start_main()
[#8] 0x5555556a26ce → _start()
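As an added example (not code from php-src, the reporter, or the fix), the following C program models the argument accounting the report describes: the 'E' case adds each repeat count to a signed int `currentarg`, and the 'H' case then uses `currentarg` as an index into argv. The `currentarg >= num_args` bounds check placed in the 'H' case and the `INT_MAX - arg` guard enabled by the `hardened` flag are assumptions of this model, not the project's code or its patch. Run on the report's format string with three arguments, the unchecked walk wraps `currentarg` to 0x80000001 (-2147483647), the same value the register dump above shows in r15 just before `movsxd rax, r15d` / `shl rax, 0x4` turns it into an argv offset; that negative value passes a signed `>= num_args` comparison and points before the start of argv. The guarded walk stops at the second 'E' instead.

```c
/* Added example, not php-src code: a model of the pack() argument accounting
 * the report describes. The 'H' bounds check and the INT_MAX guard used when
 * `hardened` is set are the model's own assumptions, not the project's fix. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum walk_status {
    WALK_OK,              /* every code found its arguments */
    WALK_TOO_FEW_ARGS,    /* a code ran past the end of argv (caught) */
    WALK_OOB_READ,        /* a code would index argv with a negative value */
    WALK_COUNT_REJECTED   /* hardened mode refused an overflowing count */
};

typedef struct {
    enum walk_status status;
    int index;            /* value of currentarg when the walk stopped */
} pack_walk;

/* Read the optional repeat count after a format code: '*' means "all
 * remaining" (-1), digits give a number (clamped to INT_MAX, as atoi does on
 * glibc), nothing means 1. */
static const char *read_count(const char *p, int *arg)
{
    if (*p == '*') {
        *arg = -1;
        return p + 1;
    }
    if (*p >= '0' && *p <= '9') {
        char *end;
        long v = strtol(p, &end, 10);
        *arg = v > INT_MAX ? INT_MAX : (int)v;
        return end;
    }
    *arg = 1;
    return p;
}

/* Walk `fmt` as if pack() had been called with `num_args` arguments. Only the
 * codes from the report's test script ('E' and 'H') are modelled. */
static pack_walk walk_format(const char *fmt, int num_args, int hardened)
{
    pack_walk w = { WALK_OK, 0 };
    int currentarg = 0;          /* signed int, as in the report */
    const char *p = fmt;

    while (*p != '\0') {
        char code = *p++;
        int arg;
        p = read_count(p, &arg);

        switch (code) {
        case 'E':                /* big endian double: one argv slot per repeat */
            if (arg < 0) {
                arg = num_args - currentarg;
            }
            if (hardened && arg > 0 && currentarg > INT_MAX - arg) {
                /* Hypothetical guard: stop before the addition can wrap. */
                w.status = WALK_COUNT_REJECTED;
                w.index = currentarg;
                return w;
            }
            /* The unchecked addition, done in unsigned arithmetic so the model
             * has no undefined behaviour but produces the same two's-complement
             * wrap the report describes. */
            currentarg = (int)((unsigned int)currentarg + (unsigned int)arg);
            break;

        case 'H':                /* hex string: reads argv[currentarg] */
            if (currentarg >= num_args) {
                w.status = WALK_TOO_FEW_ARGS;
                w.index = currentarg;
                return w;
            }
            if (currentarg < 0) {
                /* Passed the signed check above but points before argv[0];
                 * the real code would dereference it here. */
                w.status = WALK_OOB_READ;
                w.index = currentarg;
                return w;
            }
            currentarg++;
            break;

        default:                 /* other codes are not modelled */
            break;
        }
    }
    w.index = currentarg;
    return w;
}

int main(void)
{
    /* The report's test script: pack("E2E2147483647H*", 0x0, 0x0, 0x0) */
    pack_walk v = walk_format("E2E2147483647H*", 3, 0);
    pack_walk h = walk_format("E2E2147483647H*", 3, 1);
    printf("unchecked: status=%d currentarg=%d (0x%x)\n", v.status, v.index, (unsigned int)v.index);
    printf("hardened:  status=%d currentarg=%d\n", h.status, h.index);
    return 0;
}
```

The model keeps the 'H' check signed on purpose: that is what lets a wrapped `currentarg` through, and it is why a guard has to sit on the addition itself (before the sum is formed) rather than on the index afterwards.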



History

 [2019-11-18 22:24 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Strings related
 [2019-11-18 22:24 UTC] stas@php.net
Not a security issue, but probably worth adding a check.
 [2019-11-19 13:23 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78833: Integer overflow in pack causes out-of-bound access
On GitHub:  https://github.com/php/php-src/pull/4932
Patch:      https://github.com/php/php-src/pull/4932.patch
 [2019-11-26 10:57 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-12-02 10:22 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=db420cb6a141876b2f7d101051fb01934a28071a
Log: Fix #78833: Integer overflow in pack causes out-of-bound access
 [2019-12-02 10:22 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-12-02 10:23 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC