Out-of-bounds read in php_parserr with user-supplied dlen

Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

Out-of-bounds read in php_parserr with user-supplied dlen #84

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

In ext/standard/dns.c, php_parserr parses a DNS response.

php_parserr reads a (ushort) dlen from the DNS response (the RDLENGTH field) 
and, if raw is true, uses dlen for calculating the length of the string "data" 
in the return array. Since dlen is supplied in the DNS response you can read 
and leak up to 2^16 - 4 bytes past the buffer.

Instead of dlen, it would be better to use the variable "end" from the calling 
function dns_get_record.

I haven't checked whether there are popular open-source projects using the 
"raw" boolean.
However, note that the fix for CVE-2014-4049 is incomplete because it also 
relies on dlen for bounds checking.

Original issue reported on code.google.com by groeb...@google.com on 7 Aug 2014 at 9:27

GoogleCodeExporter commented 9 years ago

Original comment by fjse...@google.com on 7 Aug 2014 at 10:22

Added labels: ISE-TPS-bug

GoogleCodeExporter commented 9 years ago

PHP confirms the report.

It is a known, private bug (https://bugs.php.net/bug.php?id=67717) and targeted 
at the next release (5.4.32).

Original comment by groeb...@google.com on 8 Aug 2014 at 7:59

GoogleCodeExporter commented 9 years ago

CVE-2014-3597

Fixed:
https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05

Released 21 Aug 2014:
http://php.net/ChangeLog-5.php

Original comment by groeb...@google.com on 6 Oct 2014 at 1:53

Changed state: Done
Added labels: CVE-2014-3597

GoogleCodeExporter commented 9 years ago

Changing status to Fixed, as that's what we use in general. Add Fixed label to 
denote date patch was available.

Derestricting because it was fixed ages ago.

Original comment by cev...@google.com on 6 Oct 2014 at 6:14

Changed state: Fixed
Added labels: Fixed-2014-Aug-21
Removed labels: Restrict-View-Commit

GoogleCodeExporter commented 9 years ago

Actually, put restriction back until I check in with @groebert if he wants 
publish his reports in general.

Original comment by cev...@google.com on 6 Oct 2014 at 6:15

Added labels: Restrict-View-Commit

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Oct 2014 at 5:43

Removed labels: Restrict-View-Commit