Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption

[Andrea Palazzo <andrea.palazzo () truel it>]

Hi Stas,
while I agree on what you say about the huge memory allocation needed, I 
wouldn't say this requires the ability to run arbitrary code, 
controlling str_repeat() arguments it's enough to create a corrupted 
zval and injecting an eventual payload somewhere in memory (which, 
again, is unlikely but possible).
About code execution, I haven't had the chance to focus on actual 
exploitation yet (I surely will in the near future), but as you can see 
from the original report (https://bugs.php.net/bug.php?id=69403), I 
pointed out several cases in which working on a so-crafted zval would 
lead to invalid memory access (with user controlled values as well), so 
I am pretty confident it is achievable.


On 18/05/2015 10:35, Stanislav Malyshev wrote:
> Hi!
>
> > Hi everyone,
> > this is intended as CVE Request and advisory for
> > https://bugs.php.net/bug.php?id=69403.
> I do not think this requires a CVE as this needs specially crafted PHP
> script (i.e. local access or ability to run arbitrary PHP code) and
> memory settings allowing to allocate huge (>4G) values, which seems to
> be unlikely to happen on a common production system. I am not sure how
> remote code execution vector can be provided for this issue, if you have
> an example, please clarify.
>
> Thanks,