Bug#405067: [php-maint] Bug#405067: php5-cli: Segfault after infinite recursion inside pcre - random memory corruption?
sean finney
seanius at debian.org
Mon Jan 1 18:36:14 CET 2007
hi richard,
thanks for the *very* thorough report! just so you don't think you're
being completely ignored, both ondrej and i are on vacation right now so
you probably won't see much from us for another week (or two). any more
information you can find is greatly appreciated.
sean
On Sat, 2006-12-30 at 22:23 +0100, Richard Atterer wrote:
> Package: php5
> Version: 5.2.0-8
> Severity: important
> Tags: security
>
> Hello,
>
> while developing my PHP application, I stumbled across PCRE usage which
> crashes the PHP binary. After some trial and error, I was able to reduce
> the problem to the attached piece of PHP code. I was able to reproduce the
> segfault on 3 different machines running Debian, under php 5.2.0-8
> (testing, 2 machines) and 4.3.10-18 (stable).
>
> I also compiled versions of libpcre3 and php5-cli with debugging
> information to get a stack trace. The topmost frames of the stack backtrace
> follow at the end of this message. Inside libpcre3, the code recurses
> through pcre_exec.c lines 677 and 1190 until the stack overflows.
>
> Next, I tried to find out whether the crash is reproducible with a C
> program. But while AFAICT the attached C program does the same as the code
> in php-5.2.0/ext/pcre/php_pcre.c, no segfault happens. So maybe PHP
> corrupts memory between compiling and executing the regex? I don't know!
> :-/ Running "valgrind php5 php-5.2.0-8-segfault.php" doesn't output
> anything which looks like a PCRE-related bug.
>
> One more thing: I also tried to trim down the example further by reducing
> the length of the subject string. This gives weird results: When some parts
> of the input are removed, the crash becomes "unreliable" in that executing
> "php5 php-5.2.0-8-segfault.php" will crash sometimes and sometimes it will
> not.
>
> I've "anonymized" my code by replacing alphabetic characters with "x",
> that's why it looks so weird. :)
>
> I'm tagging this "security" as this MAY potentially be a nasty bug which
> might allow more than just segfaults. If you disagree, feel free to remove
> the tag.
>
> Cheers,
>
> Richard
>
> --
> __ _
> |_) /| Richard Atterer
> | \/¯| http://geht.net.gibts.bei.atterer.net
> ¯ '` ¯
>
> #8146 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9319a4, flags=<value optimized out>, rdepth=31) at ./pcre_exec.c:677
> #8147 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9321a4,
> flags=<value optimized out>, rdepth=30) at ./pcre_exec.c:1190
> #8148 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9321a4, flags=<value optimized out>, rdepth=29) at ./pcre_exec.c:677
> #8149 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9329a4,
> flags=<value optimized out>, rdepth=28) at ./pcre_exec.c:1190
> #8150 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9329a4, flags=<value optimized out>, rdepth=27) at ./pcre_exec.c:677
> #8151 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9331a4,
> flags=<value optimized out>, rdepth=26) at ./pcre_exec.c:1190
> #8152 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9331a4, flags=<value optimized out>, rdepth=25) at ./pcre_exec.c:677
> #8153 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9339a4,
> ---Type <return> to continue, or q <return> to quit---
> flags=<value optimized out>, rdepth=24) at ./pcre_exec.c:1190
> #8154 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9339a4, flags=<value optimized out>, rdepth=23) at ./pcre_exec.c:677
> #8155 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9341a4,
> flags=<value optimized out>, rdepth=22) at ./pcre_exec.c:1190
> #8156 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9341a4, flags=<value optimized out>, rdepth=21) at ./pcre_exec.c:677
> #8157 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9349a4,
> flags=<value optimized out>, rdepth=20) at ./pcre_exec.c:1190
> #8158 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9349a4, flags=<value optimized out>, rdepth=19) at ./pcre_exec.c:677
> #8159 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9351a4,
> flags=<value optimized out>, rdepth=18) at ./pcre_exec.c:1190
> #8160 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9351a4, flags=<value optimized out>, rdepth=17) at ./pcre_exec.c:677
> #8161 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9359a4,
> flags=<value optimized out>, rdepth=16) at ./pcre_exec.c:1190
> #8162 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9359a4, flags=<value optimized out>, rdepth=15) at ./pcre_exec.c:677
> #8163 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9361a4,
> flags=<value optimized out>, rdepth=14) at ./pcre_exec.c:1190
> #8164 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9361a4, flags=<value optimized out>, rdepth=13) at ./pcre_exec.c:677
> #8165 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9369a4,
> flags=<value optimized out>, rdepth=12) at ./pcre_exec.c:1190
> #8166 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9369a4, flags=<value optimized out>, rdepth=11) at ./pcre_exec.c:677
> #8167 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9371a4,
> flags=<value optimized out>, rdepth=10) at ./pcre_exec.c:1190
> #8168 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9371a4, flags=<value optimized out>, rdepth=9) at ./pcre_exec.c:677
> #8169 0xb7e2a5a7 in match (eptr=0xb72ce7a4 ";\n", ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0, eptrb=0xbf9379a4,
> flags=<value optimized out>, rdepth=8) at ./pcre_exec.c:1190
> #8170 0xb7e29c04 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=6, md=0xbf939658, ims=0,
> eptrb=0xbf9379a4, flags=<value optimized out>, rdepth=7) at ./pcre_exec.c:677
> #8171 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf937da4, flags=<value optimized out>, rdepth=6) at ./pcre_exec.c:1063
> #8172 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf9381a4, flags=<value optimized out>, rdepth=5) at ./pcre_exec.c:1063
> #8173 0xb7e2b1d6 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf9385a4, flags=<value optimized out>, rdepth=4) at ./pcre_exec.c:1063
> #8174 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=3) at ./pcre_exec.c:629
> #8175 0xb7e2f269 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=4, eptrb=0xbf938da4, flags=<value optimized out>, rdepth=2) at ./pcre_exec.c:2932
> ---Type <return> to continue, or q <return> to quit---
> #8176 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=1) at ./pcre_exec.c:629
> #8177 0xb7e2e004 in match (eptr=<value optimized out>, ecode=<value optimized out>, offset_top=<value optimized out>, md=0xbf939658,
> ims=0, eptrb=0xbf9395a4, flags=<value optimized out>, rdepth=0) at ./pcre_exec.c:629
> #8178 0xb7e31af3 in pcre_exec (argument_re=0x8652bf8, extra_data=0xbf9397e4,
> subject=0xb72cd79c "<html>\n<head><?php // -*- php -*-\n/* Output sitemap info for directory at $path. Value is site-absolute and\n must start with a slash, so supply \"/\" to output sitemap for whole\n site. */\nfunction /"..., length=4106, start_offset=0,
> options=0, offsets=0xb72cb9d8, offsetcount=12) at ./pcre_exec.c:3851
> #8179 0x0809be14 in php_pcre_match_impl (pce=0x8652ee8,
> subject=0xb72cd79c "<html>\n<head><?php // -*- php -*-\n/* Output sitemap info for directory at $path. Value is site-absolute and\n must start with a slash, so supply \"/\" to output sitemap for whole\n site. */\nfunction /"..., subject_len=4106,
> return_value=0xb72cb8fc, subpats=0xb72cb8e4, global=0, use_flags=0, flags=0, start_offset=0)
> at /home/richard/deb/php-5.2.0/ext/pcre/php_pcre.c:604
> #8180 0x0809c94a in php_do_pcre_match (ht=3, return_value=0xb72cb8fc, return_value_ptr=0x6, this_ptr=0x0, return_value_used=0, global=0)
> at /home/richard/deb/php-5.2.0/ext/pcre/php_pcre.c:462
> #8181 0x082cf83f in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9399ec) at /home/richard/deb/php-5.2.0/Zend/zend_vm_execute.h:200
> #8182 0x082bf238 in execute (op_array=0xb72cb104) at /home/richard/deb/php-5.2.0/Zend/zend_vm_execute.h:92
> #8183 0x082a040c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/richard/deb/php-5.2.0/Zend/zend.c:1097
> #8184 0x0825b6e2 in php_execute_script (primary_file=0xbf93be20) at /home/richard/deb/php-5.2.0/main/main.c:1758
> #8185 0x0832f5ae in main (argc=2, argv=0xbf93bef4) at /home/richard/deb/php-5.2.0/sapi/cli/php_cli.c:1108
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
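The failure described in the report above is unbounded recursion in pcre_exec()'s match() function exhausting the C stack, which takes the whole PHP process down. PHP 5.2.0 (the version in the report) added ini settings that cap that recursion and backtracking, so a pathological pattern fails with a checkable error instead of a segfault. The script below is an added example, not code from the bug report or from the php5 package: it assumes a PHP 5.2 or later CLI and uses the real `pcre.recursion_limit` / `pcre.backtrack_limit` settings together with `preg_last_error()`. The pattern and subject are constructed to force deep recursion; which of the two limits trips first depends on the pattern and the PCRE version, so the code handles both.

```php
<?php
// Added example (not part of the bug report): bound PCRE recursion and
// backtracking so a pathological pattern returns an error rather than
// overflowing the C stack inside libpcre's match().

// Lower the limits well below the PHP 5.2 defaults (100000 each) so the
// effect is visible on a small input. In production, tune these to the
// largest legitimate input rather than leaving them at the default.
ini_set('pcre.recursion_limit', '1000');
ini_set('pcre.backtrack_limit', '100000');

// Constructed sample input: nested quantifiers over a subject that almost
// matches make pcre_exec() recurse once per group iteration.
$pattern = '/^(a+)+$/';
$subject = str_repeat('a', 5000) . 'b';

// Run the match and translate the PCRE error code into a readable result.
function checked_preg_match($pattern, $subject)
{
    $result = preg_match($pattern, $subject);
    if ($result !== false) {
        return $result ? 'match' : 'no match';
    }
    switch (preg_last_error()) {
        case PREG_RECURSION_LIMIT_ERROR:
            return 'rejected: pcre.recursion_limit reached';
        case PREG_BACKTRACK_LIMIT_ERROR:
            return 'rejected: pcre.backtrack_limit reached';
        case PREG_INTERNAL_ERROR:
            return 'rejected: internal PCRE error';
        default:
            return 'rejected: PCRE error code ' . preg_last_error();
    }
}

echo checked_preg_match($pattern, $subject), "\n";

// Same check on a benign subject to show the limits do not affect normal use.
echo checked_preg_match($pattern, str_repeat('a', 50)), "\n";
```

The important point for code that matches regexes against untrusted input is the `=== false` test: preg_match() returns 0 for "no match" and false for "matching was aborted", and code that only tests for truthiness silently treats an aborted match as a non-match. Note that the limits bound the work done by the matcher; they do not change the deeper fix, which is a libpcre build or version that does not recurse on the C stack for every group iteration.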