AddressSanitizer reports a heap buffer overflow in php_getopt()
| Bug #68095 | AddressSanitizer reports a heap buffer overflow in php_getopt() | ||||
|---|---|---|---|---|---|
| Submitted: | 2014-09-25 08:04 UTC | Modified: | 2014-09-30 00:27 UTC | ||
| From: | symeon dot paraschoudis at htbridge dot com | Assigned: | |||
| Status: | Closed | Package: | *General Issues | ||
| PHP Version: | 5.5.17 | OS: | Ubuntu 14.04.1 LTS 32bit | ||
| Private report: | No | CVE-ID: | None | ||
[2014-09-25 08:04 UTC] symeon dot paraschoudis at htbridge dot com
Description:
------------
It also affects 5.6.0
Please note I was not able to reproduce it on a Windows system.
PoC
===============================
php -c -i -ini
Result
===============================
=================================================================
==19849== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2900613 at pc 0x8e7c77e bp 0xbfdeb138 sp 0xbfdeb12c
READ of size 1 at 0xb2900613 thread T0
#0 0x8e7c77d in php_getopt getopt.c:135
#1 0x92c38a6 in do_cli php_cli.c:682 (discriminator 1)
#2 0x92c7c1d in main php_cli.c:1378
#3 0xb504ca82 in __libc_start_main libc-start.c:287
#4 0x807be20 in _start ??:?
0xb2900613 is located 0 bytes to the right of 3-byte region [0xb2900610,0xb2900613)
allocated by thread T0 here:
#0 0xb6147854 in malloc ??:?
#1 0xb50ae257 in __GI___strdup strdup.c:42
#2 0x92e7ef7 in save_ps_args ps_title.c:222
#3 0x92c66f6 in main php_cli.c:1225
#4 0xb504ca82 in __libc_start_main libc-start.c:287
Shadow bytes around the buggy address:
0x36520070: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 02
0x36520080: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa fd fd
0x36520090: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fa
0x365200a0: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 00 00
0x365200b0: fa fa fd fd fa fa 04 fa fa fa 05 fa fa fa 03 fa
=>0x365200c0: fa fa[03]fa fa fa 04 fa fa fa 00 03 fa fa 00 02
0x365200d0: fa fa 00 05 fa fa 00 07 fa fa 00 00 fa fa 00 07
0x365200e0: fa fa 00 fa fa fa 00 07 fa fa 00 01 fa fa 00 02
0x365200f0: fa fa 00 03 fa fa 00 00 fa fa 00 07 fa fa 00 03
0x36520100: fa fa 00 fa fa fa 00 03 fa fa 00 07 fa fa 00 fa
0x36520110: fa fa 00 fa fa fa fd fd fa fa 00 fa fa fa fd fd
==19849== ABORTING
or triggering it with valgrind:
$ valgrind --tool=memcheck --num-callers=30 --log-file=php.log ~/Desktop/php-5.5.17/sapi/cli/php -c -i -ini
user@ubuntuvm:~/Desktop$ cat php.log
==19859== Memcheck, a memory error detector
==19859== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19859== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==19859== Command: /home/user/Desktop/php-5.5.17/sapi/cli/php -c -i -ini
==19859== Parent PID: 2142
==19859==
==19859== Invalid read of size 1
==19859== at 0x856FA95: php_getopt (getopt.c:135)
==19859== by 0x869D76D: do_cli (php_cli.c:682)
==19859== by 0x869F278: main (php_cli.c:1378)
==19859== Address 0x6ee709b is 0 bytes after a block of size 3 alloc'd
==19859== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==19859== by 0x5000257: strdup (strdup.c:42)
==19859== by 0x86A98F9: save_ps_args (ps_title.c:222)
==19859== by 0x869EADE: main (php_cli.c:1225)
==19859==
==19859==
==19859== HEAP SUMMARY:
==19859== in use at exit: 14,843 bytes in 30 blocks
==19859== total heap usage: 34,740 allocs, 34,710 frees, 2,668,162 bytes allocated
==19859==
==19859== LEAK SUMMARY:
==19859== definitely lost: 0 bytes in 0 blocks
==19859== indirectly lost: 0 bytes in 0 blocks
==19859== possibly lost: 0 bytes in 0 blocks
==19859== still reachable: 14,843 bytes in 30 blocks
==19859== suppressed: 0 bytes in 0 blocks
==19859== Rerun with --leak-check=full to see details of leaked memory
==19859==
==19859== For counts of detected and suppressed errors, rerun with: -v
==19859== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2014-09-30 00:27 UTC] stas@php.net
[2014-10-28 02:11 UTC] stas@php.net
-Status: Open +Status: Closed