Description
When the program input contains the "--run" option, the program causes a heap-buffer-overflow error.
Test Environment
Ubuntu 20.04, 64 bit phpdbg (version: 8.2.1RC1; commit 232bc2d)
How to trigger
Compile the program with AddressSanitizer
Run command `$ ./phpdbg --run $PoC`
Details
ASAN report

```
$ ./phpdbg --run $PoC
[Welcome to phpdbg, the interactive PHP debugger, v8.2.0]
To get help using phpdbg type "help" and press enter
[Please report bugs to <http://bugs.php.net/report.php>]
=================================================================
==940729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003d0f at pc 0x0000029a7b12 bp 0x7ffc7efb0710 sp 0x7ffc7efb0708
READ of size 1 at 0x602000003d0f thread T0
    #0 0x29a7b11 in phpdbg_process_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34
    #1 0x29a6c47 in phpdbg_vprint /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:146:8
    #2 0x29a875f in phpdbg_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:199:8
    #3 0x28d9ce7 in php_sapi_phpdbg_ub_write /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:848:9
    #4 0x1934f0d in php_output_op /home/root/FuzzDateset/php/php-8.2.0/main/output.c:1083:4
    #5 0x19346e5 in php_output_write /home/root/FuzzDateset/php/php-8.2.0/main/output.c:261:3
    #6 0x21dc800 in ZEND_ECHO_SPEC_CONST_HANDLER /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:4097:4
    #7 0x22c8e38 in zend_vm_call_opcode_handler /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:64558:8
    #8 0x291c9b0 in phpdbg_execute_ex /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:1819:21
    #9 0x1dd9667 in zend_execute /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:60380:2
    #10 0x2900f0e in phpdbg_do_run /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:883:4
    #11 0x28d570d in main /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:1600:8
    #12 0x7f42b3e8c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x60296d in _start (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x60296d)

0x602000003d0f is located 1 bytes to the left of 1-byte region [0x602000003d10,0x602000003d11)
allocated by thread T0 here:
    #0 0x67f11d in malloc (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x67f11d)
    #1 0x7f42b3ef3c47 in __vasprintf_internal /build/glibc-SzIz7B/glibc-2.31/libio/vasprintf.c:71:30

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34 in phpdbg_process_print
Shadow bytes around the buggy address:
  0x0c047fff8750: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
  0x0c047fff8760: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 01 fa
  0x0c047fff8770: fa fa 01 fa fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c047fff8780: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8790: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 fa
=>0x0c047fff87a0: fa[fa]01 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==940729==ABORTING
```
The URL of PoC is: PoC
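As an added illustration (not phpdbg's code), the read pattern the report above is consistent with, beside a guarded form. It assumes the faulting statement at phpdbg_out.c:96 indexes `msg[msglen - 1]` on a zero-length message, which fits a 1-byte read one byte to the left of a 1-byte vasprintf allocation; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output-layer state: remember whether the last byte written was
 * a newline so that a later message can be started on a fresh line. */
struct out_state { bool last_was_newline; };

/* VULNERABLE pattern (what the report is consistent with, not phpdbg's source):
 * with msglen == 0, msg[msglen - 1] reads msg[-1], the byte just before the
 * allocation. For a 1-byte heap string "" that byte is the heap left redzone
 * ASan flags above. Kept for contrast; never call it with msglen == 0. */
void note_write_unchecked(struct out_state *st, const char *msg, int msglen)
{
    st->last_was_newline = msg[msglen - 1] == '\n';
}

/* HARDENED form: a zero-length write moves no cursor, so the flag is left as it
 * was instead of being derived from a byte that does not exist. */
void note_write_checked(struct out_state *st, const char *msg, int msglen)
{
    if (msglen <= 0) return;
    st->last_was_newline = msg[msglen - 1] == '\n';
}

/* Replay writes through the hardened routine and return the final flag; an
 * empty message in the middle must not flip the state. */
bool replay_checked(const char *const *msgs, size_t n, bool initial)
{
    struct out_state st = { .last_was_newline = initial };
    for (size_t i = 0; i < n; i++) {
        note_write_checked(&st, msgs[i], (int) strlen(msgs[i]));
    }
    return st.last_was_newline;
}

/* Reproduce the shape of the crash input: a 1-byte heap allocation holding ""
 * (as vasprintf returns for an empty result), written with length 0. Returns
 * true when the hardened routine left the flag at its initial value (true). */
bool probe_empty_heap_write(void)
{
    char *msg = malloc(1);           /* 1-byte region, as in the ASan report */
    if (!msg) return false;
    msg[0] = '\0';
    struct out_state st = { .last_was_newline = true };
    note_write_checked(&st, msg, 0); /* the unchecked variant would read msg[-1] */
    free(msg);
    return st.last_was_newline;
}
```

Built with `-fsanitize=address`, swapping `note_write_checked` for `note_write_unchecked` inside `probe_empty_heap_write` reproduces a heap-buffer-overflow READ of size 1 at one byte left of a 1-byte region, the same shape as the report.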
PHP Version
PHP 8.2.1RC1
Operating System
Ubuntu 20.04