heap buffer overflow due to incorrect length in expand_case_fold_string
| Sec Bug #77382 | heap buffer overflow due to incorrect length in expand_case_fold_string | | |
|---|---|---|---|
| Submitted: | 2018-12-30 22:13 UTC | Modified: | 2019-02-22 22:09 UTC |
| From: | hugh at allthethings dot co dot nz | Assigned: | stas |
| Status: | Closed | Package: | mbstring related |
| PHP Version: | 5.6.39 | OS: | Linux |
| Private report: | No | CVE-ID: | 2019-9023 |
[2018-12-30 22:13 UTC] hugh at allthethings dot co dot nz

Description:
------------
In expand_case_fold_string the len field is calculated off enclen, and is then used in onig_node_new_str which is passed to xmemcpy later down the line. This length may overshoot the string buffer if the last character is an unfinished multibyte character.

Patch available at https://gist.github.com/hughdavenport/aa428164c8f30d20c178ce0ab2907947

Test script:
---------------
php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'

Expected result:
----------------
no crash

Actual result:
--------------
$ ~/php-5.6.39/sapi/cli/php -r 'var_dump(mb_split("(?i)000000000000000000000\xf0",""));'
=================================================================
==11478==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001fd8 at pc 0x0000004d67d1 bp 0x7ffcde7b2e90 sp 0x7ffcde7b2640
READ of size 4 at 0x606000001fd8 thread T0
    #0 0x4d67d0 in __asan_memcpy (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0)
    #1 0x87e12b in onig_strcpy /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x87e12b in onig_node_str_cat /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x87ed4e in node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1515:7
    #4 0x87ed4e in onig_node_new_str /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1525
    #5 0x80e2a3 in expand_case_fold_string_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3289:11
    #6 0x80e2a3 in expand_case_fold_string /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3431
    #7 0x80e2a3 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3687
    #8 0x8118d7 in setup_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:3810:8
    #9 0x805bd8 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5336:7
    #10 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7
    #11 0x9a6975 in php_mbregex_compile_pattern /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:458:19
    #12 0x9a5c97 in zif_mb_split /home/hugh/php-5.6.39/ext/mbstring/php_mbregex.c:1076:12
    #13 0x11a18b8 in zend_do_fcall_common_helper_SPEC /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:558:5
    #14 0xffb81d in execute_ex /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:363:14
    #15 0xffd802 in zend_execute /home/hugh/php-5.6.39/Zend/zend_vm_execute.h:388:2
    #16 0xebd637 in zend_eval_stringl /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1080:4
    #17 0xebedb9 in zend_eval_stringl_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1127:11
    #18 0xebedb9 in zend_eval_string_ex /home/hugh/php-5.6.39/Zend/zend_execute_API.c:1138
    #19 0x1259386 in do_cli /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1040:31
    #20 0x1256181 in main /home/hugh/php-5.6.39/sapi/cli/php_cli.c:1386:18
    #21 0x7f66c1fb5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #22 0x436129 in _start (/home/hugh/php-5.6.39/sapi/cli/php+0x436129)

0x606000001fd8 is located 0 bytes to the right of 56-byte region [0x606000001fa0,0x606000001fd8)
allocated by thread T0 here:
    #0 0x4eb780 in malloc (/home/hugh/php-5.6.39/sapi/cli/php+0x4eb780)
    #1 0x888fc3 in node_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1129:18
    #2 0x888fc3 in onig_node_new_alt /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:1266
    #3 0x888fc3 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5505
    #4 0x890c12 in parse_enclose /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:4551:11
    #5 0x890c12 in parse_exp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5072
    #6 0x88c561 in parse_branch /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5460:11
    #7 0x888b22 in parse_subexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5487:7
    #8 0x880655 in parse_regexp /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5531:7
    #9 0x880655 in onig_parse_make_tree /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regparse.c:5558
    #10 0x805645 in onig_compile /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5301:7
    #11 0x82e2a9 in onig_new /home/hugh/php-5.6.39/ext/mbstring/oniguruma/regcomp.c:5546:7

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-5.6.39/sapi/cli/php+0x4d67d0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff83a0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff83b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff83c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff83d0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff83e0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fff83f0: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8400: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8410: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8420: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8430: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8440: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11478==ABORTING
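Added example, not from the report, the linked gist, or the Oniguruma/PHP sources: a small C model of the length calculation the report describes. `utf8_enclen` plays the part of enclen, deriving a character's byte length from its lead byte alone; `enclen_overshoot` walks a pattern the way an enclen-driven loop would and reports how far a memcpy of the final character would read past the buffer; `copy_char_checked` is the bound check that is missing before the length reaches the string node. The pattern bytes are the report's own test pattern embedded as a constructed buffer and treated as UTF-8 (consistent with the READ of size 4 in the sanitizer output, since 0xF0 is a 4-byte lead byte); a second, complete pattern is constructed for contrast. All function and constant names are this example's, not Oniguruma's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the bytes of the report's test pattern, ending in a lone
   UTF-8 lead byte 0xF0 that announces a 4-byte character but has no
   continuation bytes behind it. The regex engine sees only the bytes before
   the terminating NUL, hence sizeof - 1. */
static const unsigned char kPattern[] = "(?i)000000000000000000000\xf0";
static const size_t kPatternLen = sizeof(kPattern) - 1;

/* Constructed contrast input: the same lead byte with its three continuation
   bytes present (U+1F600), so the last character is complete. */
static const unsigned char kComplete[] = "(?i)000\xf0\x9f\x98\x80";
static const size_t kCompleteLen = sizeof(kComplete) - 1;

/* Byte length of a UTF-8 character as announced by its lead byte. This is the
   role enclen() plays in the report: it looks only at the lead byte and knows
   nothing about where the buffer ends. */
size_t utf8_enclen(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1; /* stray continuation or invalid lead byte: consume one byte */
}

/* Walk `pat` the way an enclen-driven loop would, but only count: returns how
   many bytes past the end of the buffer a memcpy of the final character would
   read. 0 means every character is complete. Nothing beyond `pat + n` is
   dereferenced here; that out-of-bounds read is what the sanitizer flagged. */
size_t enclen_overshoot(const unsigned char *pat, size_t n)
{
    const unsigned char *p = pat, *end = pat + n;
    while (p < end) {
        size_t len = utf8_enclen(*p);
        size_t have = (size_t)(end - p);
        if (len > have)
            return len - have;
        p += len;
    }
    return 0;
}

/* Bounded copy of the character starting at `p` into `out` (at least 4
   bytes). The announced length is checked against the bytes actually present
   before it is handed to memcpy; an incomplete character is reported through
   *truncated and nothing is copied, which is the right reaction for a pattern
   compiler (reject the pattern) rather than copying a partial character.
   Returns the number of bytes copied. */
size_t copy_char_checked(const unsigned char *p, const unsigned char *end,
                         unsigned char *out, int *truncated)
{
    size_t want = utf8_enclen(*p);
    size_t have = (size_t)(end - p);
    if (want > have) {
        *truncated = 1;
        return 0;
    }
    *truncated = 0;
    memcpy(out, p, want);
    return want;
}

/* Locate the last character of `pat` and copy it with the bounded routine. */
size_t copy_last_char(const unsigned char *pat, size_t n,
                      unsigned char *out, int *truncated)
{
    const unsigned char *p = pat, *end = pat + n, *last = pat;
    if (n == 0) {
        *truncated = 0;
        return 0;
    }
    while (p < end) {
        size_t len = utf8_enclen(*p);
        last = p;
        if (len > (size_t)(end - p))
            break; /* incomplete trailing character: stop on its lead byte */
        p += len;
    }
    return copy_char_checked(last, end, out, truncated);
}

int main(void)
{
    unsigned char out[4];
    int truncated = 0;
    size_t copied;

    printf("enclen(0xF0) = %zu, overshoot for report pattern = %zu byte(s)\n",
           utf8_enclen(0xF0), enclen_overshoot(kPattern, kPatternLen));
    copied = copy_last_char(kPattern, kPatternLen, out, &truncated);
    printf("report pattern: copied %zu byte(s), truncated=%d\n", copied, truncated);
    copied = copy_last_char(kComplete, kCompleteLen, out, &truncated);
    printf("complete pattern: copied %zu byte(s), truncated=%d\n", copied, truncated);
    return 0;
}
```

For the report's pattern the lead byte announces 4 bytes while only 1 remains, so an unchecked copy reads 3 bytes beyond the allocation; the checked routine refuses the copy and reports truncation instead. The same clamp-or-reject decision belongs anywhere a per-character length computed from the encoding is used as a memcpy size, and fuzzing regex compilers with patterns that end in a bare lead byte is a cheap way to find the places where it is missing.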
History
[2019-01-02 08:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2019-01-02 21:16 UTC] hugh at allthethings dot co dot nz
[2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023