php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81738 buffer overflow in hash_update() on long parameter
Submitted: 2022-10-11 18:24 UTC Modified: 2022-10-21 05:55 UTC
From: nicky at mouha dot be Assigned:
Status: Closed Package: hash related
PHP Version: 8.2.0RC3 OS: all 64-bit
Private report: No CVE-ID: 2022-37454
 [2022-10-11 18:24 UTC] nicky at mouha dot be
Description:
------------
I would like to inform you of a buffer overflow vulnerability in PHP.

The authors of the upstream repository have a proposed fix, and would like to coordinate a reasonable timeline for public disclosure.

Thanks for confirming receipt of this message, and for establishing a reasonable timeframe for remediation.

Looking forward to your reply!


Test script:
---------------
<?php
$ctx = hash_init("sha3-224");
hash_update($ctx, str_repeat("\x00", 1));
hash_update($ctx, str_repeat("\x00", 4294967295));
echo hash_final($ctx);
?>

Expected result:
----------------
c5bcc3bc73b5ef45e91d2d7c70b64f196fac08eee4e4acf6e6571ebe

Actual result:
--------------
Segmentation fault

Patches

CVE-2022-37454 (last revision 2022-10-11 18:24 UTC by nicky at mouha dot be)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-10-11 18:32 UTC] stas@php.net
-Summary: Buffer overflow (CVE-2022-37454) +Summary: buffer overflow in hash_update() on long parameter
 [2022-10-11 18:41 UTC] stas@php.net
Backtrace: 

#0  0x0000556740d6d61b in KeccakP1600_AddBytesInLane (length=8, offset=<optimized out>, data=<optimized out>, lanePosition=196524, state=0x7fdd858802a0) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:120
#1  KeccakP1600_AddBytesInLane (length=8, offset=<optimized out>, data=<optimized out>, lanePosition=196524, state=0x7fdd858802a0) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:101
#2  KeccakP1600_AddBytes (state=state@entry=0x7fdd858802a0, data=data@entry=0x7fdc83400018 "", offset=<optimized out>, length=length@entry=4294967295) at ./ext/hash/sha3/generic64lc/KeccakP-1600-opt64.c:197
#3  0x0000556740d7b42a in KeccakWidth1600_SpongeAbsorb (instance=0x7fdd858802a0, data=<optimized out>, dataByteLen=4294967295) at ./ext/hash/sha3/generic64lc/KeccakSponge.inc:197
#4  0x0000556740d5b9ab in zif_hash_update (execute_data=<optimized out>, return_value=0x7ffdb97681e0) at ./ext/hash/hash.c:701
#5  0x0000556740f216eb in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1235
#6  execute_ex (ex=0x7ffdb97680d0) at ./Zend/zend_vm_execute.h:55757
#7  0x0000556740f28a6d in zend_execute (op_array=0x7fdd8588a000, return_value=0x0) at ./Zend/zend_vm_execute.h:60133
#8  0x0000556740ebaf2d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1799
#9  0x0000556740e56781 in php_execute_script (primary_file=primary_file@entry=0x7ffdb976a770) at ./main/main.c:2541
#10 0x0000556740f9f821 in do_cli (argc=2, argv=0x5567415fbe40) at ./sapi/cli/php_cli.c:965
#11 0x0000556740cff251 in main (argc=2, argv=0x5567415fbe40) at ./sapi/cli/php_cli.c:1367
 [2022-10-11 18:42 UTC] ondrej@php.net
Nicky, thank you for the patch.

We’ve briefly discussed this internally on the PHP security list and this would not be classified as a security vulnerability in PHP as it falls under:

* requires invocation of specific code, which may be valid but is obviously malicious

See the security guidelines.

However as far as I can see from brief Google search this might be still classified as confidential by Keccak upstream?

Can you confirm what’s the publication date for Keccak upstream?
 [2022-10-11 18:55 UTC] stas@php.net
Let's see what Keccak people say and if they treat it as security issue we do the same and disclose/patch when they're ready.
 [2022-10-11 19:44 UTC] nicky at mouha dot be
MITRE considers this to be a security issue, and has assigned it CVE-2022-37454. The Keccak team considers it to be a security issue as well.

There is one large project (Python) that is vulnerable as well, and we hope to give them some time to reply before disclosing and patching. I hope to get a response from the Python security team soon, so that we can coordinate on a patch date.

So I hope to get back to everyone soon with a proposed publication date. In the meanwhile, thanks for keeping this confidential!

Also, thank you all for the incredibly fast response!
 [2022-10-21 01:25 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2022-37454
 [2022-10-21 06:06 UTC] git@php.net
Automatic comment on behalf of smalyshev
Revision: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd
Log: Fix bug #81738 (buffer overflow in hash_update() on long parameter)
 [2022-10-21 06:06 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Nov 29 08:05:54 2022 UTC