PHP :: Bug #79149 :: SEGV in mb_convert_encoding with non-string encodings

Bug #79149	SEGV in mb_convert_encoding with non-string encodings
Submitted:	2020-01-21 14:21 UTC	Modified:	2020-01-22 08:45 UTC
From:	wxhusst at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	PHP 7.4	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-01-21 14:21 UTC] wxhusst at gmail dot com

Description:
------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==116931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7fb588144ba5 bp 0x7fffc09a0570 sp 0x7fffc099fd08 T0)
==116931==The signal is caused by a READ memory access.
==116931==Hint: address points to the zero page.
    #0 0x7fb588144ba4  /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62
    #1 0x615eda in strlen /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x1c75c68 in _estrdup /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_alloc.c:2617:11
    #3 0x10c0d10 in zif_mb_convert_encoding /home/raven/fuzz/php-src-php-7.4.2/ext/mbstring/mbstring.c:3377:25
    #4 0x242215d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1269:2
    #5 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #6 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #7 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #8 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #9 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #10 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #11 0x7fb587fe01e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #12 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-4WA41p/glibc-2.30/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:62 
==116931==ABORTING

Test script:
---------------
<?php
try { try { mb_convert_encoding(str_repeat(chr(154), 257) + str_repeat(chr(40), 257) + str_repeat(chr(29), 17), str_repeat("A", 0x100), array("a" => 1, "b" => "2", "c" => 3.0)); } catch (Exception $e) { } } catch(Error $e) { }
?>


Expected result:
----------------
normal

Actual result:
--------------
crash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-01-21 15:55 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2020-01-21 15:55 UTC] cmb@php.net

I cannot reproduce this.  Does this only affect the master branch?
If so, it wouldn't be a security issue.

[2020-01-21 16:12 UTC] wxhusst at gmail dot com

-Status: Feedback +Status: Assigned

[2020-01-21 16:12 UTC] wxhusst at gmail dot com

https://github.com/php/php-src/commit/264ef4f16300270dd4e92d2510660836a4814579

I build source from this version.

I just test this.

[2020-01-21 16:28 UTC] nikic@php.net

I can reproduce this. Here's a reduction:

<?php
mb_convert_encoding("", "UTF-8", [0]);

Presumably non-string encodings are not handled correctly.

[2020-01-21 16:30 UTC] cmb@php.net

Then this is likely a duplicate of bug #79150.  I already have a
working patch.

[2020-01-21 16:31 UTC] nikic@php.net

In https://github.com/php/php-src/blob/a3e29ba34add1f06089b749802728c30aa70e5e9/ext/mbstring/mbstring.c#L2882 and a few places below we use Z_STRVAL_P(hash_entry), while we should be using encoding_str.

This doesn't seem like a realistic pathway for remote exploitation though.

[2020-01-21 16:55 UTC] wxhusst at gmail dot com

I also think this don't seem like a realistic pathway for remote exploitation, :)

[2020-01-21 17:16 UTC] cmb@php.net

Suggested fix for PHP 7.4:
<https://gist.github.com/cmb69/080acb60a50d40f76bc7b628b376b5e4>.

For PHP 7.3 we should also replace the convert_to_string_ex()[1],
which can modify passed arguments.

Regarding exploitability:

  mb_convert_encoding($_GET['text'], 'UTF-8', $_GET['encodings'])

would be vulnerable.  However, that would be a userland bug, in my
opionion.

[1] <https://github.com/php/php-src/blob/php-7.3.14/ext/mbstring/mbstring.c#L3236>

[2020-01-21 17:20 UTC] stas@php.net

-Summary: SEGV caused by zif_mb_convert_encoding +Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings -Type: Security +Type: Bug

[2020-01-21 17:54 UTC] nikic@php.net

Patch LGTM.

[2020-01-22 08:34 UTC] cmb@php.net

Related To: Bug #79150

[2020-01-22 08:45 UTC] cmb@php.net

-Summary: SEGV caused by zif_mb_convert_encoding with non-string encodings +Summary: SEGV in mb_convert_encoding with non-string encodings -PHP Version: master-Git-2020-01-21 (Git) +PHP Version: PHP 7.4

[2020-01-22 08:45 UTC] cmb@php.net

Thanks for checking Nikita!

To clarify, PHP 7.3 and earlier are not affected by this issue.

[2020-01-22 08:46 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=94c9dc498ffdedd9ae91357bd3345ba31f232220
Log: Fix #79149: SEGV in mb_convert_encoding with non-string encodings

[2020-01-22 08:46 UTC] cmb@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC