From 673fd26b1acb9f892f3e65854c0dd36a297708ae Mon Sep 17 00:00:00 2001 From: Wilfred Hughes Date: Mon, 6 Mar 2023 16:46:52 -0800 Subject: [PATCH] This fixes a bug in PHP/HH's crypt_blowfish implementation that can cause a short salt to return an invalid result Associated CVE is CVE-2023-0567.
--- hphp/test/slow/ext_string/t143363292.php | 12 +++++ hphp/test/slow/ext_string/t143363292.php.expectf | 69 ++++++++++++++++++++++++ hphp/test/slow/ext_string/t143363292.php.runif | 2 + hphp/test/slow/ext_string/t76103217.php.expect | 2 +- hphp/zend/crypt-blowfish.cpp | 8 --- 5 files changed, 84 insertions(+), 9 deletions(-) create mode 100644 hphp/test/slow/ext_string/t143363292.php create mode 100644 hphp/test/slow/ext_string/t143363292.php.expectf create mode 100644 hphp/test/slow/ext_string/t143363292.php.runif
diff --git a/hphp/test/slow/ext_string/t143363292.php b/hphp/test/slow/ext_string/t143363292.php
new file mode 100644
index 00000000000..e07709cbbef
--- /dev/null
+++ b/hphp/test/slow/ext_string/t143363292.php
@@ -0,0 +1,12 @@
+> function main(): void {
+ for ($i = 0; $i < 23; $i++) {
+ $salt = '$2y$04$' . str_repeat('0', $i) . '$';
+ $result = crypt("foo", $salt);
+ var_dump($salt);
+ var_dump($result);
+ var_dump($result === $salt);
+ }
+
+}
diff --git a/hphp/test/slow/ext_string/t143363292.php.expectf b/hphp/test/slow/ext_string/t143363292.php.expectf
new file mode 100644
index 00000000000..1722c9ecc57
--- /dev/null
+++ b/hphp/test/slow/ext_string/t143363292.php.expectf
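Review bot: The loop only exercises salts whose padding is closed by a `$`, so the other short-salt shape — a salt that simply ends after fewer than 22 characters with no trailing `$` — is not covered, and in the C change that case is rejected by a different path (the NUL terminator failing BF_safe_atoi64 rather than a `$`). One extra assertion such as `var_dump(crypt("foo", '$2y$04$' . str_repeat('0', 10)) === '*0');` would pin that behaviour too. The `$result === $salt` check is the regression oracle here, but nothing in the file says what it guards against; a line above the loop, `// A short '$'-terminated salt must never come back as the result itself (CVE-2023-0567)`, would tell the next reader why the test exists. The first line of the hunk appears garbled in this rendering, so I cannot confirm the entry-point attribute from here.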
@@ -0,0 +1,69 @@
+string(8) "$2y$04$$"
+string(2) "*0"
+bool(false)
+string(9) "$2y$04$0$"
+string(2) "*0"
+bool(false)
+string(10) "$2y$04$00$"
+string(2) "*0"
+bool(false)
+string(11) "$2y$04$000$"
+string(2) "*0"
+bool(false)
+string(12) "$2y$04$0000$"
+string(2) "*0"
+bool(false)
+string(13) "$2y$04$00000$"
+string(2) "*0"
+bool(false)
+string(14) "$2y$04$000000$"
+string(2) "*0"
+bool(false)
+string(15) "$2y$04$0000000$"
+string(2) "*0"
+bool(false)
+string(16) "$2y$04$00000000$"
+string(2) "*0"
+bool(false)
+string(17) "$2y$04$000000000$"
+string(2) "*0"
+bool(false)
+string(18) "$2y$04$0000000000$"
+string(2) "*0"
+bool(false)
+string(19) "$2y$04$00000000000$"
+string(2) "*0"
+bool(false)
+string(20) "$2y$04$000000000000$"
+string(2) "*0"
+bool(false)
+string(21) "$2y$04$0000000000000$"
+string(2) "*0"
+bool(false)
+string(22) "$2y$04$00000000000000$"
+string(2) "*0"
+bool(false)
+string(23) "$2y$04$000000000000000$"
+string(2) "*0"
+bool(false)
+string(24) "$2y$04$0000000000000000$"
+string(2) "*0"
+bool(false)
+string(25) "$2y$04$00000000000000000$"
+string(2) "*0"
+bool(false)
+string(26) "$2y$04$000000000000000000$"
+string(2) "*0"
+bool(false)
+string(27) "$2y$04$0000000000000000000$"
+string(2) "*0"
+bool(false)
+string(28) "$2y$04$00000000000000000000$"
+string(2) "*0"
+bool(false)
+string(29) "$2y$04$000000000000000000000$"
+string(2) "*0"
+bool(false)
+string(30) "$2y$04$0000000000000000000000$"
+string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
+bool(false)
diff --git a/hphp/test/slow/ext_string/t143363292.php.runif b/hphp/test/slow/ext_string/t143363292.php.runif
new file mode 100644
index 00000000000..fa30564e0e7
--- /dev/null
+++ b/hphp/test/slow/ext_string/t143363292.php.runif
@@ -0,0 +1,2 @@
+function crypt
+const CRYPT_BLOWFISH
diff --git a/hphp/test/slow/ext_string/t76103217.php.expect b/hphp/test/slow/ext_string/t76103217.php.expect
index e4cff2a4627..a400568e0af 100644
--- a/hphp/test/slow/ext_string/t76103217.php.expect
+++ b/hphp/test/slow/ext_string/t76103217.php.expect
@@ -1,2 +1,2 @@
 string(4) "KjA="
-string(12) "JDJ4JDEwJCQ1"
+string(4) "KjA="
diff --git a/hphp/zend/crypt-blowfish.cpp b/hphp/zend/crypt-blowfish.cpp
index 80d72ea3f18..02a8cb2a620 100644
--- a/hphp/zend/crypt-blowfish.cpp
+++ b/hphp/zend/crypt-blowfish.cpp
@@ -380,7 +380,6 @@ static unsigned char BF_atoi64[0x60] = {
 #define BF_safe_atoi64(dst, src) \
 { \
 tmp = (unsigned char)(src); \
- if (tmp == '$') break; /* PHP hack */ \
 if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
 tmp = BF_atoi64[tmp]; \
 if (tmp > 63) return -1; \
@@ -394,10 +393,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
 const unsigned char *sptr = (const unsigned char *)src;
 unsigned int tmp, c1, c2, c3, c4;
- if (size <= 0) {
- return -1;
- }
-
 do {
 BF_safe_atoi64(c1, *sptr++);
 BF_safe_atoi64(c2, *sptr++);
@@ -412,9 +407,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
 *dptr++ = ((c3 & 0x03) << 6) | c4;
 } while (dptr < end);
- while (dptr < end) /* PHP hack */
- *dptr++ = 0;
-
 return 0;
 }
-- 2.11.4.GIT
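Review bot: With the early `break` on `'$'` gone, the macro's rejection of that byte now rests entirely on `BF_atoi64['$' - 0x20]` being greater than 63, which is decided by the table above the hunk rather than by anything visible here; nothing in the macro itself says so. A comment on the `#define` would make the new contract explicit: `/* Any byte outside the bcrypt alphabet, '$' and NUL included, fails the decode with -1; there is no early termination any more. */`. The NUL case is covered by the visible `tmp -= 0x20` underflow check against `0x60`, the `'$'` case I can only infer from the table. The macro body continues past the end of the hunk.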
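Review bot: Dropping the `size <= 0` guard leaves the `do {` on the hunk's last line with nothing checked before its first iteration, so BF_decode now silently assumes every caller passes a positive size; the callers are outside this hunk, so I cannot confirm that from here. A precondition comment next to the `sptr` declaration would record it for the next maintainer: `/* Precondition: size > 0. The loop below decodes one 4-character group before it ever compares dptr with end. */`. BF_decode's signature and the rest of its body lie outside the hunk on both sides.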
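Review bot: With the zero-fill loop removed, the only exit from BF_decode other than `return 0` is the `return -1` expanded from BF_safe_atoi64 (earlier hunk), which can fire part-way through the loop and leaves `dst` partially written; the function no longer normalises the buffer on that path. That is fine as long as every caller treats -1 as fatal and never reads `dst` afterwards, but it deserves to be stated on the `return 0;` line: `/* On -1 (invalid input byte) dst may be partially written; callers must not use it. */`. The loop header and the start of BF_decode are outside this hunk.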