PHP :: Sec Bug #77385 :: buffer overflow in fetch_token
| Sec Bug #77385 | buffer overflow in fetch_token | ||||
|---|---|---|---|---|---|
| Submitted: | 2018-12-31 01:27 UTC | Modified: | 2019-02-22 22:09 UTC | ||
| From: | hugh at allthethings dot co dot nz | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | mbstring related | ||
| PHP Version: | 5.6.39 | OS: | Linux | ||
| Private report: | No | CVE-ID: | 2019-9023 | ||
[2018-12-31 01:27 UTC] hugh at allthethings dot co dot nz
Description:
------------
Similar to #77370, using enclen on an incomplete multibyte character will return a pointer after the end of the buffer. This will cause memory corruption and/or leakage.

Patch available at https://gist.github.com/hughdavenport/09b48d4b20a28bcd7afaa530e2ec6731

Reproduced on 5.6.39, 7.0.33, 7.1.25, but not on 7.2, 7.3 and master.

Test script:
---------------
```shell
php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
```

Expected result:
----------------
no crash

Actual result:
--------------
```text
$ ~/php-7.0.33/sapi/cli/php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
=================================================================
==27833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001a430 at pc 0x0000004d8aa1 bp 0x7ffe531d6220 sp 0x7ffe531d59d0
READ of size 4 at 0x60300001a430 thread T0
    #0 0x4d8aa0 in __asan_memcpy (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0)
    #1 0x85644b in onig_strcpy /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:223:5
    #2 0x85644b in onig_node_str_cat /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:1456
    #3 0x8667eb in parse_exp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5109:6
    #4 0x864525 in parse_branch /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5450:7
    #5 0x860e42 in parse_subexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5487:7
    #6 0x858975 in parse_regexp /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5531:7
    #7 0x858975 in onig_parse_make_tree /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regparse.c:5558
    #8 0x7dd735 in onig_compile /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5302:7
    #9 0x806389 in onig_new /home/hugh/php-7.0.33/ext/mbstring/oniguruma/regcomp.c:5547:7
    #10 0x97e487 in php_mbregex_compile_pattern /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:456:19
    #11 0x978bce in _php_mb_regex_ereg_exec /home/hugh/php-7.0.33/ext/mbstring/php_mbregex.c:727:7
    #12 0x1257a45 in ZEND_DO_ICALL_SPEC_HANDLER /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:586:2
    #13 0x10d966d in execute_ex /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:417:7
    #14 0x10da547 in zend_execute /home/hugh/php-7.0.33/Zend/zend_vm_execute.h:458:2
    #15 0xeeec74 in zend_eval_stringl /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1137:4
    #16 0xeef77a in zend_eval_stringl_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1178:11
    #17 0xeef77a in zend_eval_string_ex /home/hugh/php-7.0.33/Zend/zend_execute_API.c:1189
    #18 0x13181f6 in do_cli /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1010:21
    #19 0x13150e5 in main /home/hugh/php-7.0.33/sapi/cli/php_cli.c:1350:18
    #20 0x7f239ba07b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x4383f9 in _start (/home/hugh/php-7.0.33/sapi/cli/php+0x4383f9)

0x60300001a430 is located 0 bytes to the right of 32-byte region [0x60300001a410,0x60300001a430)
allocated by thread T0 here:
    #0 0x4eda50 in malloc (/home/hugh/php-7.0.33/sapi/cli/php+0x4eda50)
    #1 0xe29d1c in __zend_malloc /home/hugh/php-7.0.33/Zend/zend_alloc.c:2882:14
    #2 0xeabfb5 in zend_try_ct_eval_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5881:2
    #3 0xeabfb5 in zend_compile_binary_op /home/hugh/php-7.0.33/Zend/zend_compile.c:5992
    #4 0xe411a6 in zend_compile_expr /home/hugh/php-7.0.33/Zend/zend_compile.c:7232:4
    #5 0xe59afd in zend_compile_args /home/hugh/php-7.0.33/Zend/zend_compile.c:2785:4
    #6 0xe5bcb0 in zend_compile_call_common /home/hugh/php-7.0.33/Zend/zend_compile.c:2873:14

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hugh/php-7.0.33/sapi/cli/php+0x4d8aa0) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fffb430: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fffb440: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb450: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffb460: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c067fffb470: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
=>0x0c067fffb480: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c067fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27833==ABORTING
```
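The following is an added illustration of the defect class the report describes and of the bounds check that closes it; it is not Oniguruma's or PHP's code. The lead-byte table standing in for enclen, the function names and the well-formed sample are constructed for this example; the six-byte sample pattern mirrors the bytes of the report's test script ("0000\\" followed by 0xf5). An enclen-style lookup derives a character's length from its lead byte alone, so when the pattern ends inside a multibyte character the computed length exceeds the bytes remaining, and a copy of that many bytes reads past the allocation (the 4-byte READ at the end of a 32-byte region in the ASan output above). The checked form clamps to the bytes remaining and reports truncation so the caller can reject the pattern instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an enclen()-style lookup: a simplified UTF-8
 * lead-byte length table. It knows nothing about how many bytes are actually
 * left in the buffer; that is the caller's job. */
static int utf8_enclen(const uint8_t *p)
{
    uint8_t b = *p;
    if (b < 0x80)          return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1; /* invalid lead / stray continuation byte: consume one byte */
}

/* Vulnerable pattern from the report: token length taken straight from the
 * lead byte, never compared against the end of the buffer. Returns the byte
 * count a caller would go on to copy, which may exceed what is present. */
static size_t token_len_unchecked(const uint8_t *p, const uint8_t *end)
{
    (void)end; /* deliberately ignored, as in the buggy code path */
    return (size_t)utf8_enclen(p);
}

/* Hardened form: clamp to the bytes remaining and flag truncation. */
static size_t token_len_checked(const uint8_t *p, const uint8_t *end, int *truncated)
{
    size_t remaining = (size_t)(end - p);
    size_t len = (size_t)utf8_enclen(p);
    *truncated = 0;
    if (len > remaining) {
        *truncated = 1;
        return remaining;
    }
    return len;
}

/* Walk a whole pattern with the checked length. Returns the number of
 * characters, or -1 if the pattern ends in the middle of a multibyte
 * character (the condition a parser should reject before copying). */
static int count_chars_checked(const uint8_t *pat, size_t n)
{
    const uint8_t *p = pat, *end = pat + n;
    int count = 0;
    while (p < end) {
        int truncated;
        size_t len = token_len_checked(p, end, &truncated);
        if (truncated) return -1;
        p += len;
        count++;
    }
    return count;
}

/* Convenience predicate for callers that only need a yes/no answer. */
static int pattern_is_truncated(const uint8_t *pat, size_t n)
{
    return count_chars_checked(pat, n) < 0;
}

/* Constructed sample mirroring the report's test script: "0000\\" . "\xf5".
 * 0xf5 has the bit pattern of a 4-byte lead, but it is the last byte. */
static const uint8_t sample_pattern[] = { '0', '0', '0', '0', '\\', 0xF5 };
static const size_t sample_len = sizeof sample_pattern;

/* Constructed well-formed sample: 'a', U+00E9 (two bytes), 'b'. */
static const uint8_t well_formed[] = { 'a', 0xC3, 0xA9, 'b' };

int main(void)
{
    size_t claimed = token_len_unchecked(sample_pattern + 5, sample_pattern + sample_len);
    printf("unchecked: last token claims %zu byte(s), but only 1 remains\n", claimed);
    printf("checked scan of sample: %d (-1 = truncated multibyte character)\n",
           count_chars_checked(sample_pattern, sample_len));
    printf("checked scan of well-formed input: %d characters\n",
           count_chars_checked(well_formed, sizeof well_formed));
    return 0;
}
```

The fix mirrors what the report asks for: the length lookup stays as it is, and the caller compares it against the end of the buffer before advancing or copying, failing the compile of the pattern when a character is cut short rather than reading into the adjacent heap redzone.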
History
[2019-01-02 08:44 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2019-01-02 21:14 UTC] hugh at allthethings dot co dot nz
[2019-01-07 08:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2019-01-07 08:18 UTC] stas@php.net
[2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023