
Stack buffer overflow in ext/bcmath/libbcmath/src/div.c:459 #16262

Open
YuanchengJiang opened this issue Oct 6, 2024 · 1 comment


Description

The following code:

<?php
$array = array (10);
$fusion = $array;
require(__DIR__ . "/run_bcmath_tests_function.inc");
$exponents = ["252", "-112"];
$baseNumbers = array_merge($fusion, [
]);
run_bcmath_tests($baseNumbers, $exponents, "**", bcpow(...));

Resulted in this output:

==1599205==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0179c71df0 at pc 0x5599a5410139 bp 0x7ffeb0b4acb0 sp 0x7ffeb0b4aca8
WRITE of size 1 at 0x7f0179c71df0 thread T0
    #0 0x5599a5410138 in bc_divide /php-src/ext/bcmath/libbcmath/src/div.c:459:12
    #1 0x5599a542466f in bc_raise /php-src/ext/bcmath/libbcmath/src/raise.c:95:3
    #2 0x5599a53e582f in zif_bcpow /php-src/ext/bcmath/bcmath.c:618:2
    #3 0x5599a7e56fac in zend_closure_internal_handler /php-src/Zend/zend_closures.c:724:2
    #4 0x5599a8343d67 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:2037:4
    #5 0x5599a8086303 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
    #6 0x5599a8088462 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
    #7 0x5599a8d886e1 in zend_execute_script /php-src/Zend/zend.c:1928:3
    #8 0x5599a769a9d8 in php_execute_script_ex /php-src/main/main.c:2574:13
    #9 0x5599a769ba98 in php_execute_script /php-src/main/main.c:2614:9
    #10 0x5599a8d9be56 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #11 0x5599a8d96524 in main /php-src/sapi/cli/php_cli.c:1310:18
    #12 0x7f017d8e6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f017d8e6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x5599a4c03904 in _start (/php-src/sapi/cli/php+0x2403904) (BuildId: d9851980940e1525eb2e61068d0828e86059842d)

Address 0x7f0179c71df0 is located in stack of thread T0 at offset 496 in frame
    #0 0x5599a53e3a8f in zif_bcpow /php-src/ext/bcmath/bcmath.c:571

  This frame has 8 object(s):
    [32, 40) 'base_str' (line 572)
    [64, 72) 'exponent_str' (line 572)
    [96, 104) 'scale_param' (line 573)
    [128, 129) 'scale_param_is_null' (line 574)
    [144, 152) 'first' (line 575)
    [176, 184) 'bc_exponent' (line 575)
    [208, 216) 'result' (line 575)
    [240, 496) 'bc_arena' (line 593) <== Memory access at offset 496 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /php-src/ext/bcmath/libbcmath/src/div.c:459:12 in bc_divide
Shadow bytes around the buggy address:
  0x0fe0af386360: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fe0af386370: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fe0af386380: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x0fe0af386390: 01 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00
  0x0fe0af3863a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe0af3863b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
  0x0fe0af3863c0: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0fe0af3863d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0af3863e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0af3863f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0af386400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1599205==ABORTING

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04
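An added triage helper, not code from this issue or from php-src: it parses an AddressSanitizer report in the format shown above and extracts the fields a reviewer reads first (error kind, access type and size, the faulting function, and which stack object was overrun and by how many bytes). The SAMPLE_REPORT string is a constructed, abbreviated copy of the report in this issue; for the sample it reports a 1-byte WRITE starting exactly at the end of the 256-byte 'bc_arena' object in the zif_bcpow frame, with the faulting code in bc_divide.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abbreviated copy of the report in the issue above.
SAMPLE_REPORT = """\
==1599205==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0179c71df0 at pc 0x5599a5410139 bp 0x7ffeb0b4acb0 sp 0x7ffeb0b4aca8
WRITE of size 1 at 0x7f0179c71df0 thread T0
    #0 0x5599a5410138 in bc_divide /php-src/ext/bcmath/libbcmath/src/div.c:459:12
    #1 0x5599a542466f in bc_raise /php-src/ext/bcmath/libbcmath/src/raise.c:95:3
    #2 0x5599a53e582f in zif_bcpow /php-src/ext/bcmath/bcmath.c:618:2

Address 0x7f0179c71df0 is located in stack of thread T0 at offset 496 in frame
    #0 0x5599a53e3a8f in zif_bcpow /php-src/ext/bcmath/bcmath.c:571

  This frame has 8 object(s):
    [32, 40) 'base_str' (line 572)
    [208, 216) 'result' (line 575)
    [240, 496) 'bc_arena' (line 593) <== Memory access at offset 496 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow /php-src/ext/bcmath/libbcmath/src/div.c:459:12 in bc_divide
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
OFFSET_RE = re.compile(r"at offset (?P<off>\d+) in frame")
OBJECT_RE = re.compile(
    r"^\s*\[(?P<lo>\d+), (?P<hi>\d+)\) '(?P<name>[^']+)' \(line (?P<line>\d+)\)(?P<hit> <==.*)?$", re.M)


@dataclass
class StackObject:
    name: str
    lo: int        # start offset within the frame (inclusive)
    hi: int        # end offset (exclusive), so size == hi - lo
    line: int
    flagged: bool  # ASan marked this object with "<== Memory access ..."


@dataclass
class Finding:
    kind: str
    op: str
    size: int
    fault_func: str
    fault_loc: str
    frame_func: Optional[str]
    offset: Optional[int]
    objects: List[StackObject]

    def overrun(self) -> Optional[StackObject]:
        """The object ASan flagged, or, failing that, the nearest one ending at or below the offset."""
        for o in self.objects:
            if o.flagged:
                return o
        if self.offset is None:
            return None
        below = [o for o in self.objects if o.hi <= self.offset]
        return max(below, key=lambda o: o.hi, default=None)

    def bytes_past_end(self) -> Optional[int]:
        """0 means the access starts exactly one past the end of the overrun object."""
        o = self.overrun()
        return None if o is None or self.offset is None else self.offset - o.hi


def parse_asan(text: str) -> Finding:
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if err is None or acc is None:
        raise ValueError("not an ASan access-violation report")
    # The first "#0" is the top of the access stack; a second "#0" (after the
    # "in frame" line) names the function whose frame holds the stack object.
    zeros = [m for m in FRAME_RE.finditer(text) if m["n"] == "0"]
    off = OFFSET_RE.search(text)
    return Finding(
        kind=err["kind"],
        op=acc["op"],
        size=int(acc["size"]),
        fault_func=zeros[0]["func"],
        fault_loc=zeros[0]["loc"],
        frame_func=zeros[1]["func"] if len(zeros) > 1 else None,
        offset=int(off["off"]) if off else None,
        objects=[StackObject(m["name"], int(m["lo"]), int(m["hi"]), int(m["line"]), bool(m["hit"]))
                 for m in OBJECT_RE.finditer(text)],
    )


def triage(f: Finding) -> str:
    """One-line summary suitable for a bug tracker or a fuzzing dashboard."""
    o = f.overrun()
    if o is None:
        return f"{f.kind}: {f.op} of {f.size} byte(s) in {f.fault_func} ({f.fault_loc})"
    past = f.bytes_past_end()
    where = "exactly at the end of" if past == 0 else f"{past} byte(s) past the end of"
    return (f"{f.kind}: {f.op} of {f.size} byte(s) {where} '{o.name}' "
            f"({o.hi - o.lo} bytes, declared line {o.line}, frame {f.frame_func}); "
            f"faulting code {f.fault_func} at {f.fault_loc}")


if __name__ == "__main__":
    print(triage(parse_asan(SAMPLE_REPORT)))
```

The parser only reads what ASan prints; it does not guess at the root cause. A "bytes past end" of 0 with a 1-byte access tells a triager the write begins at the first byte beyond the object, which is exactly what the frame listing above shows for 'bc_arena'.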

@cmb69
Member

cmb69 commented Oct 6, 2024

Simplified reproducer:

bcpow("10", "-112", 1);
