DoS: Infinite loop processing 2.2250738585072011e-308

Bug #697181 reported by Paul Sladen on 2011-01-04
This bug affects 6 people
Affects          Status        Importance  Assigned to     Milestone
php              Unknown       Unknown
php5 (Debian)    Fix Released  Unknown
php5 (Fedora)    Fix Released  Medium
php5 (Ubuntu)                  Undecided   Unassigned
  Lucid                        Undecided   Steve Beattie
  Maverick                     Undecided   Steve Beattie
  Natty                        Undecided   Unassigned

Bug Description

Binary package hint: php5

Processing certain textual forms of MAX_FLOAT leads to an infinite loop/hang/DoS:

  php -r "print 2.2250738585072011e-308;"

hangs indefinitely, whereas:

  php -r "print 2.2250738585072010e-308;"

returns immediately.

Confirmed for natty/php5-cli=5.3.3-1ubuntu11

Fixed in new upstream releases:

  http://www.php.net/ChangeLog-5.php#5.3.5
  http://www.php.net/releases/5_2_17.php

Paul Sladen (sladen) on 2011-01-04
visibility: private → public
description: updated
UndiFineD (k.dejong) wrote :

Confirmed on Ubuntu 10.10+ 32bit

php --version
PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch (cli) (built: Oct 15 2010 14:17:04)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH

see also:
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/

Changed in php5 (Ubuntu):
status: New → Confirmed
Paul Sladen (sladen) on 2011-01-04
Changed in php5 (Ubuntu Maverick):
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
status: New → Incomplete

Confirmed in Ubuntu 10.04 "lucid" using:
    echo '<?php $d = 2.2250738585072011e-308; ?>' | time -p php5
which hangs.

Ubuntu 8.04 "hardy" does not hang.

Changed in php5 (Ubuntu Lucid):
status: Incomplete → Confirmed

A flaw in how PHP handled the numeric value 2.2250738585072011e-308 was reported [1]. If a script were to assign this value to a variable, it could cause PHP to hang (infinite loop). This issue has been fixed in upstream PHP [2] 5.2.17 and 5.3.5.

[1] http://bugs.php.net/53632
[2] http://svn.php.net/viewvc?view=revision&revision=307095

I have not been able to reproduce this on RHEL4 (4.3.9) or RHEL5 (5.1.6) on x86. I have reproduced it on RHEL6 (5.3.2) and Fedora 14 (5.3.4), both x86. It does not reproduce on Fedora 14 x86_64, so this is x86-only.

Please add also

r307168 | pajoye | 2011-01-06 18:08:46 +0100 (czw) | 1 linia

- fix vc6 random behavior for Fix bug #53632 with x87 fpu

Note that upstream has put up a checking script to see if your system is vulnerable: http://www.php.net/distributions/test_bug53632.txt

Paul Sladen (sladen) on 2011-01-07
description: updated

Michal, r307168 is MSVC-specific and won't have any effect on Linux.

Changed in php5 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

I've confirmed that marking the double variables as volatile in maverick's php causes the infinite loop not to get triggered on i386 (and think I understand why that's the case). However, attempts to reproduce the issue with php from 9.10 (karmic), 8.04 (hardy), and 6.06 (dapper) fail for no apparent reason -- the zend_strtod.c code is nearly identical between karmic and lucid's versions. Does anyone have an indication as to what's different that would cause this issue not to be triggered on older releases? Thanks.

Daniel Hahler (blueyed) wrote :

Maybe it is related to some compiler flags? (e.g. it can be worked around by using "-ffloat-store" in CFLAGS).
See http://news.ycombinator.com/item?id=2066084 for more discussion.
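The two comments above (volatile doubles stopping the loop on i386, and -ffloat-store as a workaround) describe the same mechanism; the following added example is not PHP's zend_strtod() and not from this report, but a simplified stand-in that shows why a convergence test written for 64-bit doubles can spin forever when intermediates live in a wider x87 register, and why forcing each value back to memory fixes it. It assumes a compiler where long double is wider than double (GCC on x86 Linux), and uses long double to model an x87 register that is never spilled.

```c
#include <float.h>
#include <stdio.h>

/* Convergence loop on doubles forced to memory after every operation.
 * 'volatile' is the same device the CVE-2010-4645 patch applies in
 * zend_strtod(): each store rounds to 53 bits, so "x + step == x" becomes
 * true as soon as step falls below half an ulp of x. */
static long converge_stored(double start, double step, long max_iter)
{
    volatile double x = start;
    for (long i = 0; i < max_iter; i++) {
        volatile double next = x + step;
        if (next == x)
            return i;      /* converged after i iterations */
        x = next;
    }
    return -1;             /* did not converge within the cap */
}

/* Same loop, with the value kept in long double to stand in for an x87
 * register that never gets spilled (assumption: long double is wider than
 * double, as with GCC on x86 Linux).  With the extra mantissa bits
 * "x + step" keeps differing from x and the termination test never fires,
 * which is the shape of the zend_strtod() hang. */
static long converge_excess(double start, double step, long max_iter)
{
    long double x = start;
    for (long i = 0; i < max_iter; i++) {
        long double next = x + step;
        if (next == x)
            return i;
        x = next;
    }
    return -1;
}

int main(void)
{
    /* Constructed input: step is below half an ulp of 1.0 in double
     * (1.1e-16) but many ulps of 1.0 in 80-bit extended precision (1.1e-19). */
    const double step = 1e-17;
    printf("stored doubles  : %ld iterations\n",
           converge_stored(1.0, step, 1000000L));
    printf("excess precision: %ld iterations (-1 = never converged)\n",
           converge_excess(1.0, step, 1000000L));
    return 0;
}
```

Building the first function with -ffloat-store has the same effect as the volatile qualifiers, which is why that flag is a valid workaround on x87 builds; on SSE2 builds (x86_64) doubles are never held with excess precision, matching the x86-only observation earlier in this report.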

Daniel Hahler (blueyed) on 2011-01-07
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu12

---------------
php5 (5.3.3-1ubuntu12) natty; urgency=low

  * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug (php bug #53632)
    (LP: #697181)
 -- Chuck Short <email address hidden> Fri, 07 Jan 2011 12:57:59 -0500

Changed in php5 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in php5 (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu9.2

---------------
php5 (5.3.3-1ubuntu9.2) maverick-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: memory disclosure
    - debian/patches/php5-CVE-2010-4156.patch: check for excessive
      length in mb_strcut()
    - CVE-2010-4156
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645
 -- Steve Beattie <email address hidden> Wed, 05 Jan 2011 22:45:19 -0800

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.6

---------------
php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645
 -- Steve Beattie <email address hidden> Fri, 07 Jan 2011 10:56:23 -0800

Changed in php5 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Maverick):
status: Confirmed → Fix Released

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Statement:

This issue leads to a temporary denial of service (high CPU consumption) when a PHP script handles numeric values from untrusted user input. It does not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4 or 5. It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.

Changed in php5 (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released