Description
When phpdbg is started with the "--run" option and the PoC as input, it triggers a heap buffer overflow.
Test Environment
Ubuntu 20.04, 64-bit; phpdbg version 8.2.1RC1 (commit 232bc2d)
How to trigger
1. Compile phpdbg with AddressSanitizer.
2. Run the command: $ ./phpdbg --run $PoC
Details
ASAN report
$./phpdbg --run $PoC
[Welcome to phpdbg, the interactive PHP debugger, v8.2.0]
To get help using phpdbg type "help" and press enter
[Please report bugs to <http://bugs.php.net/report.php>]
=================================================================
==940729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003d0f at pc 0x0000029a7b12 bp 0x7ffc7efb0710 sp 0x7ffc7efb0708
READ of size 1 at 0x602000003d0f thread T0
#0 0x29a7b11 in phpdbg_process_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34
#1 0x29a6c47 in phpdbg_vprint /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:146:8
#2 0x29a875f in phpdbg_print /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:199:8
#3 0x28d9ce7 in php_sapi_phpdbg_ub_write /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:848:9
#4 0x1934f0d in php_output_op /home/root/FuzzDateset/php/php-8.2.0/main/output.c:1083:4
#5 0x19346e5 in php_output_write /home/root/FuzzDateset/php/php-8.2.0/main/output.c:261:3
#6 0x21dc800 in ZEND_ECHO_SPEC_CONST_HANDLER /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:4097:4
#7 0x22c8e38 in zend_vm_call_opcode_handler /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:64558:8
#8 0x291c9b0 in phpdbg_execute_ex /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:1819:21
#9 0x1dd9667 in zend_execute /home/root/FuzzDateset/php/php-8.2.0/Zend/zend_vm_execute.h:60380:2
#10 0x2900f0e in phpdbg_do_run /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_prompt.c:883:4
#11 0x28d570d in main /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg.c:1600:8
#12 0x7f42b3e8c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#13 0x60296d in _start (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x60296d)
0x602000003d0f is located 1 bytes to the left of 1-byte region [0x602000003d10,0x602000003d11)
allocated by thread T0 here:
#0 0x67f11d in malloc (/home/root/randomFuzz/php/phpdbg/phpdbg_b_s_r/phpdbg+0x67f11d)
#1 0x7f42b3ef3c47 in __vasprintf_internal /build/glibc-SzIz7B/glibc-2.31/libio/vasprintf.c:71:30
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/FuzzDateset/php/php-8.2.0/sapi/phpdbg/phpdbg_out.c:96:34 in phpdbg_process_print
Shadow bytes around the buggy address:
0x0c047fff8750: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
0x0c047fff8760: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 01 fa
0x0c047fff8770: fa fa 01 fa fa fa fd fa fa fa fd fd fa fa 00 fa
0x0c047fff8780: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8790: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 fa
=>0x0c047fff87a0: fa[fa]01 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==940729==ABORTING
The URL of the PoC is PoC
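As an added illustration (not code from php-src or from the reporter), here is a small C program showing the bug shape the trace suggests: a printf-style writer that formats with vasprintf() and then reads the last byte of the result. That phpdbg_process_print does exactly this is an assumption; its source is not on this page. The unchecked variant reproduces the reported 1-byte read one byte left of a 1-byte vasprintf region for an empty message, and the guarded variant is the shape of the fix.

```c
#define _GNU_SOURCE           /* for vasprintf() on glibc */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Explicit prototype so the code compiles even if a feature-test macro was
 * not set before <stdio.h> was first included. */
int vasprintf(char **strp, const char *fmt, va_list ap);

/* Buggy check: reads buf[len - 1] without testing len. For an empty message
 * vasprintf() returns 0 and allocates exactly one byte (the NUL), so this
 * reads buf[-1]: a 1-byte READ one byte to the left of a 1-byte region,
 * which is exactly what the report above shows. */
static int ends_with_newline_unchecked(const char *buf, size_t len) {
    return buf[len - 1] == '\n';
}

/* Hardened check: an empty message cannot end with a newline. */
static int ends_with_newline(const char *buf, size_t len) {
    return len > 0 && buf[len - 1] == '\n';
}

/* Format the message with vasprintf(), run `check` on the result and return
 * its verdict (0 or 1), or -1 if allocation failed. The buffer is freed. */
static int format_and_check(int (*check)(const char *, size_t),
                            const char *fmt, ...) {
    va_list ap;
    char *buf = NULL;
    int len, verdict;

    va_start(ap, fmt);
    len = vasprintf(&buf, fmt, ap);
    va_end(ap);
    if (len < 0) {
        return -1;
    }
    verdict = check(buf, (size_t)len);
    free(buf);
    return verdict;
}

int main(void) {
    /* The empty message is the case the trace describes. Build with
     * -fsanitize=address: the hardened check prints 0, the unchecked one is
     * reported as a heap-buffer-overflow, like the phpdbg run above. */
    printf("hardened:  %d\n", format_and_check(ends_with_newline, "%s", ""));
    printf("unchecked: %d\n", format_and_check(ends_with_newline_unchecked, "%s", ""));
    return 0;
}
```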
PHP Version
PHP 8.2.1RC1
Operating System
Ubuntu 20.04