[php-maint] Bug#405067: php5-cli: Segfault after infinite recursion inside pcre - random memory corruption?

Richard Atterer atterer at debian.org
Sat Dec 30 21:23:06 UTC 2006


Package: php5
Version: 5.2.0-8
Severity: important
Tags: security

Hello,

while developing my PHP application, I stumbled across PCRE usage which 
crashes the PHP binary. After some trial and error, I was able to reduce 
the problem to the attached piece of PHP code. I was able to reproduce the 
segfault on 3 different machines running Debian, under php 5.2.0-8 
(testing, 2 machines) and 4.3.10-18 (stable).

I also compiled versions of libpcre3 and php5-cli with debugging 
information to get a stack trace. The topmost frames of the stack backtrace 
follow at the end of this message. Inside libpcre3, the code recurses 
through pcre_exec.c lines 677 and 1190 until the stack overflows.

Next, I tried to find out whether the crash is reproducible with a C 
program. But while AFAICT the attached C program does the same as the code 
in php-5.2.0/ext/pcre/php_pcre.c, no segfault happens. So maybe PHP 
corrupts memory between compiling and executing the regex? I don't know! 
:-/ Running "valgrind php5 php-5.2.0-8-segfault.php" doesn't output
anything which looks like a PCRE-related bug.

One more thing: I also tried to trim down the example further by reducing 
the length of the subject string. This gives weird results: When some parts 
of the input are removed, the crash becomes "unreliable" in that executing 
"php5 php-5.2.0-8-segfault.php" will crash sometimes and sometimes it will 
not.

I've "anonymized" my code by replacing alphabetic characters with "x", 
that's why it looks so weird. :)

I'm tagging this "security" as this MAY potentially be a nasty bug which 
might allow more than just segfaults. If you disagree, feel free to remove 
the tag.

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer
  | \/¯|  http://geht.net.gibts.bei.atterer.net
  ¯ '` ¯

#8146 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9319a4, flags=<value optimized out>, rdepth=31) at ./pcre_exec.c:677
#8147 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9321a4,
    flags=<value optimized out>, rdepth=30) at ./pcre_exec.c:1190
#8148 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9321a4, flags=<value optimized out>, rdepth=29) at ./pcre_exec.c:677
#8149 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9329a4,
    flags=<value optimized out>, rdepth=28) at ./pcre_exec.c:1190
#8150 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9329a4, flags=<value optimized out>, rdepth=27) at ./pcre_exec.c:677
#8151 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9331a4,
    flags=<value optimized out>, rdepth=26) at ./pcre_exec.c:1190
#8152 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9331a4, flags=<value optimized out>, rdepth=25) at ./pcre_exec.c:677
#8153 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9339a4,
    flags=<value optimized out>, rdepth=24) at ./pcre_exec.c:1190
#8154 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9339a4, flags=<value optimized out>, rdepth=23) at ./pcre_exec.c:677
#8155 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9341a4,
    flags=<value optimized out>, rdepth=22) at ./pcre_exec.c:1190
#8156 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9341a4, flags=<value optimized out>, rdepth=21) at ./pcre_exec.c:677
#8157 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9349a4,
    flags=<value optimized out>, rdepth=20) at ./pcre_exec.c:1190
#8158 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9349a4, flags=<value optimized out>, rdepth=19) at ./pcre_exec.c:677
#8159 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9351a4,
    flags=<value optimized out>, rdepth=18) at ./pcre_exec.c:1190
#8160 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9351a4, flags=<value optimized out>, rdepth=17) at ./pcre_exec.c:677
#8161 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9359a4,
    flags=<value optimized out>, rdepth=16) at ./pcre_exec.c:1190
#8162 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9359a4, flags=<value optimized out>, rdepth=15) at ./pcre_exec.c:677
#8163 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9361a4,
    flags=<value optimized out>, rdepth=14) at ./pcre_exec.c:1190
#8164 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9361a4, flags=<value optimized out>, rdepth=13) at ./pcre_exec.c:677
#8165 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9369a4,
    flags=<value optimized out>, rdepth=12) at ./pcre_exec.c:1190
#8166 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9369a4, flags=<value optimized out>, rdepth=11) at ./pcre_exec.c:677
#8167 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9371a4,
    flags=<value optimized out>, rdepth=10) at ./pcre_exec.c:1190
#8168 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9371a4, flags=<value optimized out>, rdepth=9) at ./pcre_exec.c:677
#8169 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9379a4,
    flags=<value optimized out>, rdepth=8) at ./pcre_exec.c:1190
#8170 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
    eptrb=0xbf9379a4, flags=<value optimized out>, rdepth=7) at ./pcre_exec.c:677
#8171 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf937da4, flags=<value optimized out>, rdepth=6) at ./pcre_exec.c:1063
#8172 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf9381a4, flags=<value optimized out>, rdepth=5) at ./pcre_exec.c:1063
#8173 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf9385a4, flags=<value optimized out>, rdepth=4) at ./pcre_exec.c:1063
#8174 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=3) at ./pcre_exec.c:629
#8175 0xb7e2f269 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=4, eptrb=0xbf938da4, flags=<value optimized out>, rdepth=2) at ./pcre_exec.c:2932
#8176 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=1) at ./pcre_exec.c:629
#8177 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
    ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=0) at ./pcre_exec.c:629
#8178 0xb7e31af3 in pcre_exec (argument_re=0x8652bf8, extra_data=0xbf9397e4,
    subject=0xb72cd79c "<html>\n<head><?php // -*- php -*-\n/* Output sitemap info for directory at $path. Value is site-absolute and\n  must start with a slash, so supply \"/\" to output sitemap for whole\n   site. */\nfunction /"..., length=4106, start_offset=0,
    options=0, offsets=0xb72cb9d8, offsetcount=12) at ./pcre_exec.c:3851
#8179 0x0809be14 in php_pcre_match_impl (pce=0x8652ee8,
    subject=0xb72cd79c "<html>\n<head><?php // -*- php -*-\n/* Output sitemap info for directory at $path. Value is site-absolute and\n  must start with a slash, so supply \"/\" to output sitemap for whole\n   site. */\nfunction /"..., subject_len=4106,
    return_value=0xb72cb8fc, subpats=0xb72cb8e4, global=0, use_flags=0, flags=0, start_offset=0)
    at /home/richard/deb/php-5.2.0/ext/pcre/php_pcre.c:604
#8180 0x0809c94a in php_do_pcre_match (ht=3, return_value=0xb72cb8fc, return_value_ptr=0x6, this_ptr=0x0, return_value_used=0, global=0)
    at /home/richard/deb/php-5.2.0/ext/pcre/php_pcre.c:462
#8181 0x082cf83f in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9399ec) at /home/richard/deb/php-5.2.0/Zend/zend_vm_execute.h:200
#8182 0x082bf238 in execute (op_array=0xb72cb104) at /home/richard/deb/php-5.2.0/Zend/zend_vm_execute.h:92
#8183 0x082a040c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/richard/deb/php-5.2.0/Zend/zend.c:1097
#8184 0x0825b6e2 in php_execute_script (primary_file=0xbf93be20) at /home/richard/deb/php-5.2.0/main/main.c:1758
#8185 0x0832f5ae in main (argc=2, argv=0xbf93bef4) at /home/richard/deb/php-5.2.0/sapi/cli/php_cli.c:1108

-------------- next part --------------
A non-text attachment was scrubbed...
Name: php-5.2.0-8-segfault.php
Type: application/x-httpd-php
Size: 4421 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20061230/230b53e6/php-5.2.0-8-segfault.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcre-segfault.c
Type: text/x-csrc
Size: 5377 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20061230/230b53e6/pcre-segfault.c
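Added example, not part of the report above and not the reporter's scrubbed attachment. The backtrace shows pcre_exec()'s match() recursing once or twice per iteration of a repeated group until the C stack runs out. PHP exposes PCRE's recursion and backtracking caps as ini settings (pcre.recursion_limit and pcre.backtrack_limit, both present since PHP 5.2.0) and reports a limit hit through preg_last_error(). The snippet below sets those caps low enough that the limit fires long before the stack does, so a hostile pattern/subject pair becomes a handled error rather than a segfault. The pattern, the constructed subject and the chosen limit values are my own; they assume the classic non-JIT matcher, where every iteration of a repeated group costs a level of recursion (JIT is switched off explicitly for PHP 7+, and on older PHP the unknown ini key is simply ignored).

```php
<?php
// Added example (not code from the bug report). Demonstrates turning a
// deep PCRE recursion into a detectable error instead of a stack overflow.
//
// Assumptions: classic (non-JIT) pcre_exec, so each iteration of the repeated
// group below costs one or two levels of match() recursion. On PHP >= 7.0
// JIT is disabled here explicitly; on older PHP the ini key does not exist
// and ini_set() returns false without side effects.
ini_set('pcre.jit', '0');

// Recursion cap chosen (assumption) to be far below what an 8 MB stack holds,
// so PCRE gives up before the stack does. The backtrack cap bounds total
// match() calls independently of depth.
ini_set('pcre.recursion_limit', '1000');
ini_set('pcre.backtrack_limit', '100000');

/**
 * preg_match() wrapper that never silently returns false: a PCRE limit error
 * is raised as an exception so callers cannot mistake it for "no match".
 * Returns true on match, false on a clean non-match.
 */
function bounded_preg_match($pattern, $subject, &$matches = null)
{
    $result = preg_match($pattern, $subject, $matches);
    if ($result !== false) {
        return $result === 1;
    }
    switch (preg_last_error()) {
        case PREG_RECURSION_LIMIT_ERROR:
            throw new RuntimeException("PCRE recursion limit hit (pcre.recursion_limit)");
        case PREG_BACKTRACK_LIMIT_ERROR:
            throw new RuntimeException("PCRE backtrack limit hit (pcre.backtrack_limit)");
        default:
            throw new RuntimeException("PCRE error code " . preg_last_error());
    }
}

// Constructed input: a long run of "ab" with no terminating 'c', so the
// repeated group is entered once per character and the match then fails.
$subject = str_repeat('ab', 10000);

// Alternation inside a repeated group: classic PCRE recurses per iteration.
$recursive_pattern = '/(?:a|b)*c/';

// Same language, written as a single-character class: pcre_exec handles
// single-char repeats iteratively, so this one needs no deep recursion.
$iterative_pattern = '/[ab]*c/';

foreach (array($recursive_pattern, $iterative_pattern) as $pattern) {
    try {
        $matched = bounded_preg_match($pattern, $subject);
        echo $pattern, ": ", $matched ? "matched" : "no match", "\n";
    } catch (RuntimeException $e) {
        echo $pattern, ": rejected: ", $e->getMessage(), "\n";
    }
}
```

Under the stated assumptions the first pattern is rejected with the recursion-limit error and the second completes with a clean non-match. The practical points for a deployment are the two halves of the wrapper: pick a pcre.recursion_limit that is guaranteed to trip before the thread's stack size does (the default in this era was high enough that the stack could go first, which is exactly what the report's backtrace shows), and always check preg_last_error() after a false return, because a limit hit and a genuine failure both come back as false.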

