Edit report at http://bugs.php.net/bug.php?id=52550&edit=1

ID:                 52550
User updated by:    regehr at cs dot utah dot edu
Reported by:        regehr at cs dot utah dot edu
Summary:            integer undefined behaviors executed during "make test"
Status:             Analyzed
Type:               Bug
Package:            *General Issues
Operating System:   linux
PHP Version:        trunk-SVN-2010-08-06 (snap)
Block user comment: N

New Comment:

Hi-- It's not static analysis and there are no false positives. These behaviors really happen (unless our tool is buggy, of course this is always possible).

Yes, I should have edited out the undefined behavior that occurred during conftest.

My copy of var_unserializer.c has this code at line 228:

  result = result * 10 + cursor - '0';

It looks to me like "result * 10 + cursor" evaluates to -2147483601 and then the subtraction overflow occurs. This is not obvious?

Anyway, this is easy to verify: put an appropriate assertion in the code and run "make test" yourself.

Previous Comments:
------------------------------------------------------------------------
[2010-08-06 08:00:32] ras...@php.net

They don't make much sense to me. Starting from the bottom, conftest.cpp is a test file generated by the autoconf/libtool chain and only used during the configure run. So even if there was an issue in that, it really wouldn't matter since no user data ever gets to it, and even if it did, you are reporting it to the wrong project.

Next one up, ext/standard/var_unserializer.c line 228? There is no subtraction there. But assuming it means close to line 228, it would be in the parse_iv2() function? I see nothing wrong with that code. The only code in it that does any sort of addition is:

  if (cursor >= '0' && cursor <= '9') {
      result = result * 10 + cursor - '0';

How exactly do you get a signed subtraction overflow from that? cursor is constrained and result is initialized to 0.

The 3rd last one seems to point at the same code. There may very well be bugs hiding in there, but a static analysis full of false positives isn't very useful.
------------------------------------------------------------------------
[2010-08-06 07:30:29] regehr at cs dot utah dot edu

Description:
------------
I run php-trunk-201008060430's "make test" under a tool that detects integer undefined behaviors. This is on an x86 box running Ubuntu 10.04. The list of problems is below. Some of these could be security problems waiting to happen.

Hopefully the error messages are self-explanatory. If more details are required, please let me know.

</home/regehr/z/php-trunk-201008060430/Zend/zend_compile.c, (5144:5)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483640 right (int32): 9
</home/regehr/z/php-trunk-201008060430/Zend/zend_compile.c, (5144:5)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/Zend/zend_compile.c, (5176:4)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483640 right (int32): 8
</home/regehr/z/php-trunk-201008060430/Zend/zend_compile.c, (5176:4)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/Zend/zend_hash.h, (350:2)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483640 right (int32): 8
</home/regehr/z/php-trunk-201008060430/Zend/zend_hash.h, (350:2)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/Zend/zend_operators.c, (1181:2)> : Op: <<, Reason : Signed Left Shift Error: Right operand is negative or is greater than or equal to the width of the promoted left operand, BINARY OPERATION: left (int32): 0 right (int32): 65
</home/regehr/z/php-trunk-201008060430/Zend/zend_operators.c, (1194:2)> : Op: >>, Reason : Signed Right Shift Error: Right operand is negative or is greater than or equal to the width of the promoted left operand, BINARY OPERATION: left (int32): 0 right (int32): 65
</home/regehr/z/php-trunk-201008060430/Zend/zend_operators.c, (766:31)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647 right (int32): 1
</home/regehr/z/php-trunk-201008060430/Zend/zend_operators.c, (828:31)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): -2147483648 right (int32): 1
</home/regehr/z/php-trunk-201008060430/ext/date/lib/parse_tz.c, (133:35)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 255 right (int32): 16777216
</home/regehr/z/php-trunk-201008060430/ext/ereg/regex/regcomp.c, (350:3)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): 35 right (int32): 34
</home/regehr/z/php-trunk-201008060430/ext/ereg/regex/regcomp.c, (351:3)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): 35 right (int32): 33
</home/regehr/z/php-trunk-201008060430/ext/ereg/regex/regcomp.c, (955:3)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): 15 right (int32): 14
</home/regehr/z/php-trunk-201008060430/ext/ereg/regex/regcomp.c, (956:3)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): 15 right (int32): 13
</home/regehr/z/php-trunk-201008060430/ext/spl/php_spl.c, (748:17)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 1281072119 right (int32): 993
</home/regehr/z/php-trunk-201008060430/ext/standard/math.c, (130:24)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): 14 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/ext/standard/math.c, (693:2)> : Op: /, Reason : Divisor is 0, BINARY OPERATION: left (double): 1.000000 right (double): 0.000000
</home/regehr/z/php-trunk-201008060430/ext/standard/rand.c, (239:10)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 1281072285 right (int32): 7685
</home/regehr/z/php-trunk-201008060430/ext/standard/rand.c, (255:10)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 1281072284 right (int32): 7583
</home/regehr/z/php-trunk-201008060430/ext/standard/rand.c, (322:16)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 1281072284 right (int32): 7581
</home/regehr/z/php-trunk-201008060430/ext/standard/rand.c, (68:13)> : Op: *, Reason : Signed Multiplication Overflow, BINARY OPERATION: left (int32): 1281072357 right (int32): 9099
</home/regehr/z/php-trunk-201008060430/ext/standard/string.c, (1876:7)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/ext/standard/string.c, (1954:8)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/ext/standard/string.c, (1986:7)> : Op: -, Reason : Signed Subtraction Overflow, UNARY OPERATION: left (int32): 0 right (int32): -2147483648
</home/regehr/z/php-trunk-201008060430/ext/standard/string.c, (4886:29)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): -2147483647 right (int32): 9
</home/regehr/z/php-trunk-201008060430/ext/standard/string.c, (4904:19)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647 right (int32): 1
</home/regehr/z/php-trunk-201008060430/ext/standard/var_unserializer.c, (228:25)> : Op: +, Reason : Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483640 right (int32): 55
</home/regehr/z/php-trunk-201008060430/ext/standard/var_unserializer.c, (228:34)> : Op: -, Reason : Signed Subtraction Overflow, BINARY OPERATION: left (int32): -2147483601 right (int32): 48
<conftest.cpp, (60:13)> : Op: %, Reason : Signed Modulus Error: The first operand is INT_MIN, the second operand is -1, BINARY OPERATION: left (int32): -2147483648 right (int32): -1

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/bug.php?id=52550&edit=1
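The digit-accumulation expression the two comments argue about, as an added example in C (not PHP's code and not the reporter's tool): a probe that evaluates the expression in the order C actually groups it and reports which digit of "2147483647" trips the intermediate overflow, next to a parser that forms the digit value first and overflow-checks every step. It assumes GCC or Clang for the `__builtin_*_overflow` helpers and a 32-bit `int`; the function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Walks the expression quoted in the thread, result = result * 10 + cursor - '0',
 * which C groups as (result * 10 + cursor) - '0', and returns the 1-based digit at
 * which an intermediate step would overflow a 32-bit int (0 if none). Each step is
 * checked with __builtin_*_overflow (GCC/Clang), so the probe itself never executes UB. */
int first_ub_digit(const char *s)
{
    int result = 0, tmp;
    for (int i = 0; s[i] >= '0' && s[i] <= '9'; i++) {
        int cursor = s[i];                                           /* '7' is 55 */
        if (__builtin_mul_overflow(result, 10, &tmp)) return i + 1;
        if (__builtin_add_overflow(tmp, cursor, &tmp)) return i + 1; /* 2147483640 + 55 */
        if (__builtin_sub_overflow(tmp, '0', &result)) return i + 1; /* -2147483601 - 48 */
    }
    return 0;
}

/* Hardened parser: the digit value (c - '0') is formed first and every step is
 * overflow-checked, so out-of-range or malformed input is rejected instead of executing
 * UB. Accumulates negatively so INT_MIN is accepted while +2147483648 is rejected. */
bool parse_int_checked(const char *s, int *out)
{
    int acc = 0;
    bool neg = false;
    if (*s == '-' || *s == '+') neg = (*s++ == '-');
    if (*s < '0' || *s > '9') return false;                          /* need a digit */
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return false;                      /* trailing junk */
        if (__builtin_mul_overflow(acc, 10, &acc)) return false;
        if (__builtin_sub_overflow(acc, *s - '0', &acc)) return false;
    }
    if (!neg && acc == INT_MIN) return false;                        /* 2147483648 */
    *out = neg ? acc : -acc;
    return true;
}

/* Parsed value, or LLONG_MIN when parse_int_checked rejects the input. */
long long parse_or_reject(const char *s) { int v = 0; return parse_int_checked(s, &v) ? v : LLONG_MIN; }

int main(void)
{
    printf("UB at digit %d of \"2147483647\"; checked parse gives %lld\n",
           first_ub_digit("2147483647"), parse_or_reject("2147483647"));
    return 0;
}
```

The probe shows why the report is not obvious: "2147483647" fits in an int, yet the tenth digit overflows at `2147483640 + 55` before the `- '0'` ever runs, which is exactly the pair of entries the tool logged for line 228.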