Skip to content

phpdbg heap buffer overflow -- by misuse of the option "--run" #10715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
randomssr opened this issue Feb 27, 2023 · 1 comment
Closed

phpdbg heap buffer overflow -- by misuse of the option "--run" #10715

randomssr opened this issue Feb 27, 2023 · 1 comment
Labels
Bug Status: Needs Triage

Comments

@randomssr
Copy link

Description

When the program input contains the option of "--run" , the program will cause heap buffer overflow error.

Test Environment
Ubuntu 20.04, 64 bit phpdbg (version: 8.2.1RC1 ; commit 232bc2d)

How to trigger
Compile the program with AddressSanitizer
Run command $ ./phpdbg --run $PoC
Details
ASAN report
$./phpdbg --run $PoC

[Welcome to phpdbg, the interactive PHP debugger, v8.2.0]
To get help using phpdbg type "help" and press enter
[Please report bugs to <http://bugs.php.net/report.php>]
=================================================================
==940729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003d0f at pc 0x0000029a7b12 bp 0x7ffc7efb0710 sp 0x7ffc7efb0708
READ of size 1 at 0x602000003d0f thread T0
    #0 0x29a7b11 in phpdbg_process_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34
    #1 0x29a6c47 in phpdbg_vprint /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:146:8
    #2 0x29a875f in phpdbg_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:199:8
    #3 0x28d9ce7 in php_sapi_phpdbg_ub_write /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:848:9
    #4 0x1934f0d in php_output_op /home/root/FuzzDateset/php/php-8.2.0/main/output.c:1083:4
    #5 0x19346e5 in php_output_write /home/root/FuzzDateset/php/php-8.2.0/main/output.c:261:3
    #6 0x21dc800 in ZEND_ECHO_SPEC_CONST_HANDLER /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:4097:4
    #7 0x22c8e38 in zend_vm_call_opcode_handler /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:64558:8
    #8 0x291c9b0 in phpdbg_execute_ex /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:1819:21
    #9 0x1dd9667 in zend_execute /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:60380:2
    #10 0x2900f0e in phpdbg_do_run /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:883:4
    #11 0x28d570d in main /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:1600:8
    #12 0x7f42b3e8c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x60296d in _start (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x60296d)

0x602000003d0f is located 1 bytes to the left of 1-byte region [0x602000003d10,0x602000003d11)
allocated by thread T0 here:
    #0 0x67f11d in malloc (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x67f11d)
    #1 0x7f42b3ef3c47 in __vasprintf_internal /build/glibc-SzIz7B/glibc-2.31/libio/vasprintf.c:71:30

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34 in phpdbg_process_print
Shadow bytes around the buggy address:
  0x0c047fff8750: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
  0x0c047fff8760: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 01 fa
  0x0c047fff8770: fa fa 01 fa fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c047fff8780: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8790: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 fa
=>0x0c047fff87a0: fa[fa]01 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==940729==ABORTING

The URL of PoC is PoC

PHP Version

PHP 8.2.1RC1

Operating System

Ubuntu 20.04
@nielsdos
Copy link
Member

Minimum reproducing file is a single-byte file with a NUL byte as contents.
This causes msglen to be equal to 0, and therefore when msglen-1 is computed it points outside the message buffer.
I'll look into fixing this.

nielsdos added a commit to nielsdos/php-src that referenced this issue Feb 27, 2023
@nielsdos
Fix phpGH-10715: phpdbg heap buffer overflow -- by misuse of the opti…
daf9933 
…on "--run"

Fixes phpGH-10715

When a string starting with a NUL character is passed to
phpdbg_vprint(), the vasprintf() will return that 0 characters have been
printed. This causes msglen == 0. When phpdbg_process_print() is called
with a message of length 0, the -1 to check for '\n' will perform an out
of bounds read. Since nothing is printed anyway for msglen == 0, it
seems best to just skip the printing routine for this case.
@nielsdos nielsdos mentioned this issue Feb 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Status: Needs Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nielsdos @randomssr and others