Bug #79149 SEGV in mb_convert_encoding with non-string encodings
Submitted: 2020-01-21 14:21 UTC Modified: 2020-01-22 08:45 UTC
From: wxhusst at gmail dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: PHP 7.4 OS: linux
Private report: No CVE-ID: None
 [2020-01-21 14:21 UTC] wxhusst at gmail dot com
Description:
------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==116931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7fb588144ba5 bp 0x7fffc09a0570 sp 0x7fffc099fd08 T0)
==116931==The signal is caused by a READ memory access.
==116931==Hint: address points to the zero page.
    #0 0x7fb588144ba4  /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62
    #1 0x615eda in strlen /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x1c75c68 in _estrdup /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_alloc.c:2617:11
    #3 0x10c0d10 in zif_mb_convert_encoding /home/raven/fuzz/php-src-php-7.4.2/ext/mbstring/mbstring.c:3377:25
    #4 0x242215d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1269:2
    #5 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #6 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #7 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #8 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #9 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #10 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #11 0x7fb587fe01e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #12 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62 
==116931==ABORTING

Test script:
---------------
<?php
// Reporter's fuzzer-generated reproducer, behaviour unchanged. The crash is
// triggered by the third argument: an encodings array whose values are not all
// strings (1 and 3.0 here). The string "+" operations only produce a warning
// and evaluate to 0, which is then coerced to the string "0".
try {
    try {
        mb_convert_encoding(
            str_repeat(chr(154), 257) + str_repeat(chr(40), 257) + str_repeat(chr(29), 17),
            str_repeat("A", 0x100),
            array("a" => 1, "b" => "2", "c" => 3.0)
        );
    } catch (Exception $e) {
    }
} catch (Error $e) {
}
?>


Expected result:
----------------
normal

Actual result:
--------------
crash

 [2020-01-21 15:55 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-01-21 15:55 UTC] cmb@php.net
I cannot reproduce this.  Does this only affect the master branch?
If so, it wouldn't be a security issue.
 [2020-01-21 16:12 UTC] wxhusst at gmail dot com
-Status: Feedback +Status: Assigned
 [2020-01-21 16:12 UTC] wxhusst at gmail dot com
https://github.com/php/php-src/commit/264ef4f16300270dd4e92d2510660836a4814579

I built the source from this version.

I just tested this.
 [2020-01-21 16:28 UTC] nikic@php.net
I can reproduce this. Here's a reduction:

<?php
mb_convert_encoding("", "UTF-8", [0]);

Presumably non-string encodings are not handled correctly.
 [2020-01-21 16:30 UTC] cmb@php.net
Then this is likely a duplicate of bug #79150.  I already have a
working patch.
 [2020-01-21 16:31 UTC] nikic@php.net
In https://github.com/php/php-src/blob/a3e29ba34add1f06089b749802728c30aa70e5e9/ext/mbstring/mbstring.c#L2882 and a few places below we use Z_STRVAL_P(hash_entry), while we should be using encoding_str.

This doesn't seem like a realistic pathway for remote exploitation though.
 [2020-01-21 16:55 UTC] wxhusst at gmail dot com
I also think this doesn't seem like a realistic pathway for remote exploitation. :)
 [2020-01-21 17:16 UTC] cmb@php.net
Suggested fix for PHP 7.4:
<https://gist.github.com/cmb69/080acb60a50d40f76bc7b628b376b5e4>.

For PHP 7.3 we should also replace the convert_to_string_ex()[1],
which can modify passed arguments.

Regarding exploitability:

  mb_convert_encoding($_GET['text'], 'UTF-8', $_GET['encodings'])

would be vulnerable.  However, that would be a userland bug, in my
opinion.

[1] <https://github.com/php/php-src/blob/php-7.3.14/ext/mbstring/mbstring.c#L3236>
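The two internals remarks in this thread, Nikita's point that the loop reads Z_STRVAL_P(hash_entry) on an entry that may not be a string, and Christoph's point that the 7.3 variant's convert_to_string_ex() rewrites the caller's array in place, illustrated in a self-contained C model. This is an added example, not code from php-src: the struct layouts are a simplified stand-in for zval/zend_string on x86_64 (8-byte gc header, 8-byte hash, 8-byte length, string bytes at offset 0x18), the encoding table, the `resolve_encodings` loop and the `*_case` functions are hypothetical, and the long/double-to-text conversion only approximates what the engine does. The model also shows where the report's "unknown address 0x000000000019" comes from: the fuzz array's first value is the integer 1, and reading the union as a string pointer gives 0x1, whose `val` field sits at 0x1 + 0x18 = 0x19.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical, simplified stand-in for PHP 7's zend_string and zval (NOT the engine
 * headers): only the field order and sizes that matter for the fault address are kept. */
typedef struct { uint32_t refcount; uint32_t type_info; } m_refcounted_h;
typedef struct { m_refcounted_h gc; uint64_t h; uint64_t len; char val[1]; } m_zend_string;
enum { M_IS_LONG = 4, M_IS_DOUBLE = 5, M_IS_STRING = 6, M_IS_ARRAY = 7 };
typedef struct {
    union { int64_t lval; double dval; m_zend_string *str; } value;
    uint8_t type;
} m_zval;

/* The address an unchecked Z_STRVAL_P(hash_entry) would dereference, computed without
 * touching memory: the union's pointer member is trusted, so an IS_LONG payload of 1
 * is taken as the pointer 0x1 and ->val lands at 0x1 + 0x18 = 0x19. */
static uintptr_t unchecked_strval_address(const m_zval *zv)
{
    return (uintptr_t)zv->value.str + offsetof(m_zend_string, val);
}

static uintptr_t fault_address_for_long(int64_t lval)
{
    m_zval zv = { .value.lval = lval, .type = M_IS_LONG };
    return unchecked_strval_address(&zv);
}

/* Checked path: render the entry as text into a caller-owned buffer. The zval itself is
 * left untouched (an in-place convert_to_string_ex()-style conversion would rewrite the
 * caller's array element). Approximates long/double formatting with PHP's precision=14;
 * refuses types that have no string form. */
static bool encoding_str_from_zval(const m_zval *zv, char *out, size_t out_len)
{
    switch (zv->type) {
    case M_IS_STRING: snprintf(out, out_len, "%.*s", (int)zv->value.str->len, zv->value.str->val); return true;
    case M_IS_LONG:   snprintf(out, out_len, "%lld", (long long)zv->value.lval); return true;
    case M_IS_DOUBLE: snprintf(out, out_len, "%.14G", zv->value.dval); return true;
    default:          return false;
    }
}

/* Toy replacement for mbfl_name2no_encoding(): index into a tiny table, -1 if unknown. */
static int lookup_encoding(const char *name)
{
    static const char *const known[] = { "UTF-8", "ASCII", "ISO-8859-1", "SJIS" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i], name) == 0) return (int)i;
    return -1;
}

/* Walk a from-encodings list as the hash loop does, but every use of the entry (lookup
 * and warning text alike) goes through the converted string, never the raw zval.
 * Returns the number of entries resolved, or -1 if an entry has no string form. */
static int resolve_encodings(const m_zval *entries, size_t n, int *ids)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        char name[64];
        if (!encoding_str_from_zval(&entries[i], name, sizeof name)) return -1;
        int id = lookup_encoding(name);
        if (id < 0) { fprintf(stderr, "Warning: Unknown encoding \"%s\"\n", name); continue; }
        ids[count++] = id;
    }
    return count;
}

/* Build a string zval for the demos (storage deliberately leaked; demo only). */
static m_zval str_zval(const char *s)
{
    size_t n = strlen(s);
    m_zend_string *zs = calloc(1, sizeof *zs + n);
    zs->len = n;
    memcpy(zs->val, s, n + 1);
    return (m_zval){ .value.str = zs, .type = M_IS_STRING };
}

/* Nikita's reduction, [0]: "0" is looked up and rejected with a warning, no crash. */
static int resolve_reduction_case(void)
{
    m_zval list[] = { { .value.lval = 0, .type = M_IS_LONG } };
    int ids[1];
    return resolve_encodings(list, 1, ids);
}

/* The reporter's array("a" => 1, "b" => "2", "c" => 3.0): all convert, none is known. */
static int resolve_fuzz_case(void)
{
    m_zval list[] = { { .value.lval = 1, .type = M_IS_LONG }, str_zval("2"),
                      { .value.dval = 3.0, .type = M_IS_DOUBLE } };
    int ids[3];
    return resolve_encodings(list, 3, ids);
}

/* ["UTF-8", 0, "SJIS"]: both strings resolve, the integer is skipped with a warning. */
static int resolve_mixed_case(void)
{
    m_zval list[] = { str_zval("UTF-8"), { .value.lval = 0, .type = M_IS_LONG }, str_zval("SJIS") };
    int ids[3];
    return resolve_encodings(list, 3, ids);
}

/* A nested array has no string form: the call is rejected rather than read as a string. */
static int resolve_nested_array_case(void)
{
    m_zval list[] = { { .value.lval = 0, .type = M_IS_ARRAY } };
    int ids[1];
    return resolve_encodings(list, 1, ids);
}

int main(void)
{
    printf("unchecked read for int 1 would touch %#lx\n", (unsigned long)fault_address_for_long(1));
    printf("reduction [0]: %d resolved\n", resolve_reduction_case());
    printf("fuzz array:    %d resolved\n", resolve_fuzz_case());
    printf("mixed list:    %d resolved\n", resolve_mixed_case());
    printf("nested array:  %d (rejected)\n", resolve_nested_array_case());
    return 0;
}
```

The design point is the one Nikita makes: once a converted string exists, every later use of the entry, including the text of the "unknown encoding" warning, must read that string and not the original zval, because the zval's type is whatever the caller supplied. Writing the conversion into a separate buffer rather than converting in place also avoids the 7.3 side effect of mutating the array the user passed in.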
 [2020-01-21 17:20 UTC] stas@php.net
-Summary: SEGV caused by zif_mb_convert_encoding +Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings -Type: Security +Type: Bug
 [2020-01-21 17:54 UTC] nikic@php.net
Patch LGTM.
 [2020-01-22 08:45 UTC] cmb@php.net
-Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings +Summary: SEGV in mb_convert_encoding with non-string encodings -PHP Version: master-Git-2020-01-21 (Git) +PHP Version: PHP 7.4
 [2020-01-22 08:45 UTC] cmb@php.net
Thanks for checking Nikita!

To clarify, PHP 7.3 and earlier are not affected by this issue.
 [2020-01-22 08:46 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=94c9dc498ffdedd9ae91357bd3345ba31f232220
Log: Fix #79149: SEGV in mb_convert_encoding with non-string encodings
 [2020-01-22 08:46 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 19 13:01:30 2020 UTC