Invalid parameter in memcpy function trough openssl

Invalid parameter in memcpy function trough openssl_pbkdf2

Bug #72776	Invalid parameter in memcpy function trough openssl_pbkdf2
Submitted:	2016-08-07 14:44 UTC	Modified:	2017-02-13 01:45 UTC
From:	marceloje at gmail dot com	Assigned:	bukka (profile)
Status:	Closed	Package:	OpenSSL related
PHP Version:	5.6.24	OS:	Linux
Private report:	No	CVE-ID:	None

[2016-08-07 14:44 UTC] marceloje at gmail dot com

Description:
------------
When key_length parameter is greater than 0x7fffffff, size parameter is interpreted as negative in memcpy, inside PKCS5_PBKDF2_HMAC function (libcrypto.so).

This issue happens only in PHP 5.6 branch. PHP 7.0 avoids this issue trough PHP_OPENSSL_CHECK_NUMBER_CONVERSION macro: https://github.com/php/php-src/blob/PHP-7.0.10/ext/openssl/openssl.c#L541

Test script:
---------------
poc.php

<?php

openssl_pbkdf2("emyei", "beford", 0x100000000 - 1, 0);

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

USE_ZEND_ALLOC=0 ASAN_OPTIONS=detect_leaks=0 /home/operac/build2/bin/php -n poc.php
=================================================================
==11421==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x7f919d1029a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x7f919b2c87e9 in PKCS5_PBKDF2_HMAC (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0x1317e9)
    #2 0x5be33e in zif_openssl_pbkdf2 /home/operac/build2/php-src-56/ext/openssl/openssl.c:4080
    #3 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #4 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #5 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #6 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #7 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #8 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #9 0x7f919ab4482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

Address 0x7ffd544616b0 is located in stack of thread T0
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==11421==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-07 21:26 UTC] stas@php.net

-Assigned To: +Assigned To: pajoye

[2016-08-07 21:26 UTC] stas@php.net

Doesn't look to me like security issue. Assigning to OpenSSL maintainer.

[2016-10-30 22:04 UTC] stas@php.net

-Assigned To: pajoye +Assigned To: bukka

[2016-11-02 19:49 UTC] bukka@php.net

From the quick check, it would require very high memory limit and the app would have allow user to set key length which has very small probability IMHO. I would consider it as low severity.

If they are no objections, I will commit a fix to the public repo to 5.6 only and leave it on RM to decide if it should be ported to 5.5.

[2016-11-03 03:40 UTC] stas@php.net

5.5 is EOL. Please feel free to commit to 5.6 and above.

[2016-11-06 20:49 UTC] bukka@php.net

-Status: Assigned +Status: Closed

[2017-02-13 01:45 UTC] stas@php.net

-Type: Security +Type: Bug