Bug 1451700 (CVE-2017-8923) - CVE-2017-8923 php: Overflowing the length of string causes crash
Summary: CVE-2017-8923 php: Overflowing the length of string causes crash
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-8923
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1451701
Blocks: 1451702 2020490
 
Reported: 2017-05-17 10:25 UTC by Adam Mariš
Modified: 2021-11-19 15:45 UTC (History)
CC: 7 users

Fixed In Version: php 7.4.24, php 8.0.11
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability in PHP can lead to a buffer overflow when constructing extremely long strings with the ".=" operator. In unusual circumstances, this could be used by an attacker to cause an application to crash or possibly have other consequences.
Clone Of:
Environment:
Last Closed: 2017-07-05 05:34:05 UTC
Embargoed:



Description Adam Mariš 2017-05-17 10:25:02 UTC
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

Upstream bug:

https://bugs.php.net/bug.php?id=74577

Comment 1 Adam Mariš 2017-05-17 10:25:23 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1451701]

Comment 2 Huzaifa S. Sidhpurwala 2017-07-05 05:34:05 UTC
This seems to be a flaw in handling very large strings. It is unlikely that this flaw will be triggered by malicious user input, therefore this has very limited security impact.

Comment 3 Tomas Hoger 2021-11-16 22:53:44 UTC
This issue got fixed upstream via the following upstream bug:

https://bugs.php.net/bug.php?id=73122

Upstream commit:

https://github.com/php/php-src/commit/f1ce8d5f5839cb2069ea37ff424fb96b8cd6932d

The fix was applied in versions 7.4.24 and 8.0.11:

https://www.php.net/ChangeLog-7.php#7.4.24
https://www.php.net/ChangeLog-8.php#8.0.11

The fix depends on the following fix:

https://bugs.php.net/bug.php?id=74960
https://github.com/php/php-src/commit/760ff841a14160f25348f7969985cb8a2c4da3cc

Note that upstream does not seem to be planning to apply this fix for PHP 7.3, as they do not consider the issue to be a security flaw:

https://bugs.php.net/bug.php?id=73122#1629209263

That classification may be based on the fact that this problem can only be triggered when running with memory_limit higher than 2GB or no memory limit, while the default limit is 128MB:

https://www.php.net/manual/en/ini.core.php#ini.memory-limit

However, it may also be based on the fact that upstream bug report #73122 only mentions the strlen() function returning an incorrect value without triggering any crash, as noted in the upstream bug report #74577.

To trigger the overflow, a script has to attempt to concatenate a string with more than 2^31 characters to itself.  Being able to trigger that in a non-malicious script seems unlikely.

Another mitigating factor is that the 2^31 limit only applies to 32-bit systems.  On 64-bit systems, a string would have to be 2^63 characters long, which would not be possible with current hardware.  Only 64-bit builds of PHP are provided for Red Hat Enterprise Linux 7 and later.
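The following C program is an added example, not code from this bug report or from php-src. It models the length arithmetic behind the `$s .= $s` case discussed in the description and in the comment above: a string length stored in a size_t of the build's width (32 or 64 bits) is doubled, and the sum either wraps or is caught by a post-addition overflow check. The `bits` parameter, the simplified `memory_limit` gate standing in for the allocator's limit check, and all function and enum names are assumptions made for illustration; the example goes beyond the page's 32-bit case by parameterising the width so the 2^31 and 2^63 thresholds both fall out of the same arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not PHP's code) of what happens to a string's length
 * field when a script runs `$s .= $s`.  `bits` is the width of size_t on the
 * build (32 or 64); `memory_limit` is a byte cap where 0 means "no limit",
 * standing in for PHP's memory_limit = -1. */

typedef enum {
    CONCAT_OK,             /* new length computed without wrapping */
    CONCAT_MEMORY_LIMIT,   /* refused before the arithmetic: new buffer exceeds the limit */
    CONCAT_SIZE_OVERFLOW,  /* checked path: wrap detected, string left untouched */
    CONCAT_WRAPPED         /* unchecked path: length silently wrapped (the bug) */
} concat_result_t;

/* Unsigned addition reduced modulo 2^bits, i.e. size_t arithmetic on a build
 * whose size_t is `bits` wide. */
static uint64_t add_mod(uint64_t a, uint64_t b, unsigned bits) {
    uint64_t sum = a + b;                 /* already wraps modulo 2^64 */
    if (bits < 64) {
        sum &= (UINT64_C(1) << bits) - 1; /* reduce to the narrower width */
    }
    return sum;
}

/* Simulate `$s .= $s` on a string of `len` bytes.  Writes the resulting
 * length field to *new_len and reports which path was taken. */
concat_result_t self_concat(uint64_t len, unsigned bits, uint64_t memory_limit,
                            bool checked, uint64_t *new_len) {
    /* Simplified allocator gate: the result needs roughly 2*len bytes.  The
     * comparison is arranged so that it cannot itself overflow. */
    if (memory_limit != 0 && (len > memory_limit || len > memory_limit - len)) {
        *new_len = len;
        return CONCAT_MEMORY_LIMIT;
    }

    uint64_t sum = add_mod(len, len, bits);

    /* For unsigned types a wrapped sum is always smaller than either operand,
     * so `sum < len` is the standard after-the-fact overflow test. */
    if (sum < len) {
        if (checked) {
            *new_len = len;        /* refuse; the string keeps its old length */
            return CONCAT_SIZE_OVERFLOW;
        }
        *new_len = sum;            /* bogus length lands in the string header */
        return CONCAT_WRAPPED;
    }

    *new_len = sum;
    return CONCAT_OK;
}

/* Convenience wrapper: just the resulting length field. */
uint64_t new_len_after(uint64_t len, unsigned bits, uint64_t memory_limit, bool checked) {
    uint64_t out = 0;
    (void)self_concat(len, bits, memory_limit, checked, &out);
    return out;
}

static const char *describe(concat_result_t r) {
    switch (r) {
    case CONCAT_OK:            return "ok";
    case CONCAT_MEMORY_LIMIT:  return "refused by memory_limit";
    case CONCAT_SIZE_OVERFLOW: return "refused: string size overflow";
    default:                   return "WRAPPED (bug)";
    }
}

int main(void) {
    const uint64_t two_31 = UINT64_C(1) << 31;
    const uint64_t two_63 = UINT64_C(1) << 63;
    const uint64_t mb128  = UINT64_C(134217728);   /* PHP's default memory_limit */
    struct { const char *what; uint64_t len; unsigned bits; uint64_t limit; bool checked; } cases[] = {
        { "32-bit, no limit, 2^31, unchecked", two_31,     32, 0,     false },
        { "32-bit, no limit, 2^31, checked",   two_31,     32, 0,     true  },
        { "32-bit, no limit, 2^31-1",          two_31 - 1, 32, 0,     false },
        { "32-bit, 128M limit, 2^31",          two_31,     32, mb128, false },
        { "64-bit, no limit, 2^31",            two_31,     64, 0,     false },
        { "64-bit, no limit, 2^63, unchecked", two_63,     64, 0,     false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t nl;
        concat_result_t r = self_concat(cases[i].len, cases[i].bits, cases[i].limit,
                                        cases[i].checked, &nl);
        printf("%-36s -> %-30s new_len=%llu\n", cases[i].what, describe(r),
               (unsigned long long)nl);
    }
    return 0;
}
```

The table of cases in `main` reproduces the mitigating factors from the comment above: with the default 128M limit the allocation is refused long before the arithmetic matters, on a 32-bit width the wrap appears exactly at 2^31, and on a 64-bit width the same arithmetic only wraps at 2^63.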

