Bug #81701 Memory Corruption vulnerability on Zend_execute_api
Submitted: 2021-12-17 12:56 UTC Modified: 2021-12-17 18:31 UTC
From: 3ntr0py1337 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: Next Major Version OS: Ubuntu 20.04.3 LTS
Private report: No CVE-ID: None
 [2021-12-17 12:56 UTC] 3ntr0py1337 at gmail dot com
Description:
------------
There is a memory corruption vulnerability which would overwrite the stack pointer, causing a crash. With proper control, it can lead to RCE.

Test script:
---------------
Sample 1 - source code
--TEST--
ZE2 __toString() in __destruct
--FILE--
<?php

class Test
{
    function __toString()
    {
        return "He echo $this;
    }
}

$o = nello\n";
    }

    function __destruct()
    {
        echo $this;
    }
}

$o = new Test%
$o = NULL;

$o = new Test;

?>
====DONE====
--EXPECT--
Hello
====DONE====
Hello

Expected result:
----------------
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556342667 <zend_call_function+103>:	je     0x5555563460f0 <zend_call_function+15088>
   0x55555634266d <zend_call_function+109>:	nop    DWORD PTR [rax]
   0x555556342670 <zend_call_function+112>:	lea    rsp,[rsp-0x98]
=> 0x555556342678 <zend_call_function+120>:	mov    QWORD PTR [rsp],rdx
   0x55555634267c <zend_call_function+124>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556342681 <zend_call_function+129>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556342686 <zend_call_function+134>:	mov    rcx,0x643c
   0x55555634268d <zend_call_function+141>:	call   0x555556351980 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556342678 in zend_call_function (fci=0x7fffff7ff180, fci_cache=0x7fffff7ff160) at /home/ubuntu/victims/php-src/Zend/zend_execute_API.c:730
730		if (!fci_cache || !fci_cache->function_handler) {


History

 [2021-12-17 18:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-12-17 18:31 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-12-17 18:31 UTC] cmb@php.net
Simpler reproducer:

<?php
class Test
{
    function __toString()
    {
        return $this;
    }
}
echo new Test();
?>

As such, this is a duplicate of bug #64196.
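The reproducer above recurses because, in PHP's default coercive typing mode, an object returned from a function whose return type is string (and __toString() has an implicit string return type since PHP 8.0) is converted by calling __toString() again, so the method re-enters itself until the stack is exhausted. The following is an added example, not code from the bug report or from php-src, showing two user-level ways to keep a self-referencing __toString() from reaching that state: enforcing the return type with strict_types so the bad return becomes a catchable TypeError, and a re-entrancy guard for a __toString() that legitimately interpolates $this. The class and property names are illustrative.

```php
<?php
// Added example (not from the bug report): two ways to keep a __toString()
// that refers to $this from recursing until the stack is exhausted.
declare(strict_types=1);

// 1. With strict_types=1 in the declaring file, the implicit ": string"
//    return type of __toString() (PHP >= 8.0) is checked without coercion:
//    returning $this throws a TypeError instead of calling __toString()
//    again to convert the object (which is the recursion in the reproducer).
class Strict
{
    public function __toString(): string
    {
        return $this; // TypeError under strict_types, recursion without it
    }
}

try {
    echo new Strict(), "\n";
} catch (TypeError $e) {
    echo "TypeError caught: ", $e->getMessage(), "\n";
}

// 2. A re-entrancy guard for a __toString() that interpolates $this
//    (e.g. a debug representation that embeds its own rendering). A second
//    entry on the same object returns a placeholder instead of recursing.
class Guarded
{
    private bool $stringifying = false;

    public function __construct(private string $name)
    {
    }

    public function __toString(): string
    {
        if ($this->stringifying) {
            return '<recursion:' . $this->name . '>';
        }
        $this->stringifying = true;
        try {
            // "$this" inside the string calls __toString() again; the guard
            // turns that nested call into a placeholder and the call returns.
            return "Guarded({$this->name}) again as $this";
        } finally {
            $this->stringifying = false;
        }
    }
}

echo new Guarded('a'), "\n";
```

Run it with `php example.php`: the first class reports the TypeError and the second prints a single line containing the placeholder. Note that neither pattern changes the engine behaviour tracked in bug #64196; they only keep application code from triggering it.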
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Dec 04 20:03:43 2022 UTC