Skip to content

Signed integer overflow in s_get_apply_fn #522

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
mszabo-wikia opened this issue Nov 9, 2022 · 7 comments
Closed

Signed integer overflow in s_get_apply_fn #522

mszabo-wikia opened this issue Nov 9, 2022 · 7 comments

Comments

@mszabo-wikia
Copy link
Contributor

While investigating an unrelated issue on a build of PHP + extensions compiled with sanitizers, I stumbled across the following UBSAN error, an apparent signed integer overflow:

/tmp/memcached/php_memcached.c:1442:3: runtime error: left shift of 65535 by 16 places cannot be represented in type 'int'
    #0 0x7f516eb5e44f in s_get_apply_fn /tmp/memcached/php_memcached.c:1442
    #1 0x7f516eb81e2c in php_memc_result_apply /tmp/memcached/php_memcached.c:691
    #2 0x7f516eb8441b in php_memc_mget_apply /tmp/memcached/php_memcached.c:759
    #3 0x7f516eb8ff2b in php_memc_get_impl /tmp/memcached/php_memcached.c:1492
    #4 0x5607e80b8a0e in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /usr/src/php/Zend/zend_vm_execute.h:1863
    #5 0x5607e80b8a0e in execute_ex /usr/src/php/Zend/zend_vm_execute.h:55194
    #6 0x5607e80c2515 in zend_execute /usr/src/php/Zend/zend_vm_execute.h:59522
    #7 0x5607e7ac66d0 in zend_execute_scripts /usr/src/php/Zend/zend.c:1694
    #8 0x5607e77f75a3 in php_execute_script /usr/src/php/main/main.c:2545
    #9 0x5607e81fd943 in do_cli /usr/src/php/sapi/cli/php_cli.c:949
    #10 0x5607e65a656a in main /usr/src/php/sapi/cli/php_cli.c:1337
    #11 0x7f5178b30d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #12 0x5607e65a7509 in _start (/usr/local/bin/php+0x2b6a509)

I would assume this does not actually break anything as existing code has likely come to rely on the undefined behavior.
I looked into what it would take to run tests with ASAN enabled, but so far it seems it may require a PHP binary itself compiled with ASAN, which is not ideal.
@sodabrew
Copy link
Contributor

What version of the extension are you using? The line numbers are off by about 50 lines from current master

@mszabo-wikia
Copy link
Contributor Author

Hey, thank you for the follow-up - this is with version 3.2.0 from PECL on PHP 8.0.25.

@mszabo-wikia
Copy link
Contributor Author

https://github.com/php-memcached-dev/php-memcached/blob/v3.2.0/php_memcached.c#L1442

@remicollet
Copy link
Collaborator

@mszabo-wikia can you test if this minor change is enough ?

diff --git a/php_memcached.c b/php_memcached.c
index 7ccc9b5..ece5440 100644
--- a/php_memcached.c
+++ b/php_memcached.c
@@ -86,7 +86,7 @@ static int php_memc_list_entry(void) {
 /****************************************
   Payload value flags
 ****************************************/
-#define MEMC_CREATE_MASK(start, n_bits) (((1 << n_bits) - 1) << start)
+#define MEMC_CREATE_MASK(start, n_bits) (((1U << n_bits) - 1) << start)
 
 #define MEMC_MASK_TYPE     MEMC_CREATE_MASK(0, 4)
 #define MEMC_MASK_INTERNAL MEMC_CREATE_MASK(4, 12)

remicollet added a commit that referenced this issue Nov 16, 2022
@remicollet
Fix #522 Signed integer overflow
2abe2a5
@remicollet
Copy link
Collaborator

ALso see pr #526 (you can try issue-522 branch)

@mszabo-wikia
Copy link
Contributor Author

Thank you, I will try out the updated branch & let you know!

@mszabo-wikia
Copy link
Contributor Author

The fixed branch seems to resolve the issue—I haven't yet had time to test to ensure it does not actually change the value of the flags, but this is promising!

@sodabrew sodabrew mentioned this issue Feb 1, 2023
Closed
m6w6 added a commit that referenced this issue Sep 26, 2024
@m6w6
prepare v3.3.0RC1
2719e1e 
- Add #515 option to locally enforce payload size limit
- Add #539 zstd support
- Add #540 compression_level option
- Mark password as a sensitive param for PHP 8.2
- Fix Windows PHP 8 compatibility
- Fix #518 Windows msgpack support
- Fix #522 signed integer overflow
- Fix #523 incorrect PHP reflection type for Memcached::cas $cas_token
- Fix #546 don't check key automatically, unless client-side verify_key is enabled
- Fix #555 incompatible pointer types (32-bit)
m6w6 added a commit that referenced this issue Oct 4, 2024
@m6w6
release v3.3.0RC1
25a192c 
    - Add #515 option to locally enforce payload size limit
    - Add #539 zstd support
    - Add #540 compression_level option
    - Mark password as a sensitive param for PHP 8.2
    - Fix Windows PHP 8 compatibility
    - Fix #518 Windows msgpack support
    - Fix #522 signed integer overflow
    - Fix #523 incorrect PHP reflection type for Memcached::cas $cas_token
    - Fix #546 don't check key automatically, unless client-side verify_key is enabled
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sodabrew @remicollet @mszabo-wikia