Headline
CVE-2019-20454: Array cross-border reading/global variable coverage in PCRE
An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
Sec Bug #78338
Array cross-border reading/global variable coverage in PCRE
Submitted:
2019-07-28 04:17 UTC
Modified:
2019-07-29 22:01 UTC
From:
3556158925 at qq dot com
Assigned:
stas (profile)
Status:
Closed
Package:
PCRE related
PHP Version:
7.3.8
OS:
Ubuntu 18.04.1 LTS
Private report:
No
CVE-ID:
None
[2019-07-28 04:17 UTC] 3556158925 at qq dot com
Description:
Get the lastest version of PHP: git clone https://github.com/php/php-src
Configure PHP: ./configure PCRE is the default extension in PHP, even if use "./configure --disable-all", you can still trigger the following bugs.
The test script is very easy: <?php $fuzz=file_get_contents($argv[1]); preg_match($fuzz,$fuzz);
The input file you can download here: http://47.104.189.187/input.zip Unzip this file and use the “input_file.txt” as input file
Then ./php-src/sapi/cli/php ./test.php ./input_file.txt you will see "Segmentation fault (core dumped)"
Use gdb to see the details: Program received signal SIGSEGV, Segmentation fault. 0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, cc=0x7ffff3a58868 “\377\066\250\250\250\066\066\066zzzz=*\377/\n”) at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546 8546 lgb = UCD_GRAPHBREAK©;
I analyse this crash,it is caused by array cross-border reading, then I use AFL to fuzz PHP,it reports some global variable coverage,you can see the crash cases in "input.zip".
Test script:
The test script is very easy: <?php $fuzz=file_get_contents($argv[1]); preg_match($fuzz,$fuzz);
The input file you can download here: http://47.104.189.187/input.zip Unzip this file and use the “input_file.txt” as input file
Then ./php-src/sapi/cli/php ./test.php ./input_file.txt you will see "Segmentation fault (core dumped)"
Actual result:
Program received signal SIGSEGV, Segmentation fault. 0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, cc=0x7ffff3a58868 “\377\066\250\250\250\066\066\066zzzz=*\377/\n”) at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546 8546 lgb = UCD_GRAPHBREAK©;
Patches
Add a Patch
Pull Requests
Add a Pull Request
History
AllCommentsChangesGit/SVN commitsRelated reports
[2019-07-28 04:21 UTC] [email protected]
This looks like segfault inside PCRE library. Did you report it to the PCRE maintainers?
[2019-07-28 07:22 UTC] 3556158925 at qq dot com
I send this report to PRCE maintainer just now, thanks.
[2019-07-29 17:17 UTC] [email protected]
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
[2019-07-29 17:17 UTC] [email protected]
This issue has already been fixed upstream. Since it is caused by erroneous treatment of the subject (which may be user supplied), we should consider to apply the following patch to our bundled pcre2 (PHP-7.3+):
ext/pcre/pcre2lib/pcre2_jit_compile.c | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/pcre/pcre2lib/pcre2_jit_compile.c b/ext/pcre/pcre2lib/pcre2_jit_compile.c index 1f21bfb6ad…283aeff83c 100644 — a/ext/pcre/pcre2lib/pcre2_jit_compile.c +++ b/ext/pcre/pcre2lib/pcre2_jit_compile.c @@ -8538,7 +8538,7 @@ int lgb, rgb, ricount; PCRE2_SPTR bptr; uint32_t c;
-GETCHARINC(c, cc); +c = *cc++; #if PCRE2_CODE_UNIT_WIDTH == 32 if (c >= 0x110000) return NULL;
[2019-07-29 22:01 UTC] [email protected]
-Status: Analyzed +Status: Closed
[2019-07-29 22:01 UTC] [email protected]
The fix for this bug has been committed. If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test. Thank you for the report, and for helping us make PHP better.
[2019-07-29 22:01 UTC] [email protected]
-PHP Version: 7.4Git-2019-07-28 (Git) +PHP Version: 7.3.8
Related news
Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2022-5924-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring.
An update is now available for Service Telemetry Framework 1.4 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read
GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.