Re: [security] PHP has DoS vuln with large decimal points

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/16/2011 4:18 PM, Tommy Pham wrote:
>> -----Original Message-----
>> From: Tommy Pham [mailto:tommyhp2@xxxxxxxxx]
>> Sent: Thursday, January 06, 2011 5:49 PM
>> To: 'Daevid Vincent'
>> Cc: 'php-general@xxxxxxxxxxxxx'
>> Subject: RE:  [security] PHP has DoS vuln with large decimal points
>>
>>> -----Original Message-----
>>> From: Daevid Vincent [mailto:daevid@xxxxxxxxxx]
>>> Sent: Wednesday, January 05, 2011 11:36 AM
>>> To: php-general@xxxxxxxxxxxxx
>>> Subject:  [security] PHP has DoS vuln with large decimal points
>>>
>>> The error in the way floating-point and double-precision numbers are
>>> handled sends 32-bit systems running Linux, Windows, and FreeBSD into
>>> an infinite loop that consumes 100 percent of their CPU's resources.
>>> Developers are still investigating, but they say the bug appears to
>>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
>>> exploited on many websites to cause them to crash by adding long
>> numbers to certain URLs.
>>>
>>> <?php $d = 2.2250738585072011e-308; ?>
>>>
>>> The crash is also triggered when the number is expressed without
>>> scientific notation, with 324 decimal places.
>>>
>>> Read on...
>>>
>>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>>>
>>> --
>>> Daevid Vincent
>>> http://daevid.com
>>>
>>> There are only 11 types of people in this world. Those that think
>>> binary jokes are funny, those that don't, and those that don't know
> binary.
>>>
>>
>> "The size of a float is platform-dependent, although a maximum of ~1.8e308
>> with a precision of roughly 14 decimal digits is a common value (the 64
> bit
>> IEEE format)."  From [1].  The example given is clearly over the limit
> within
>> the PHP core.
>>
>> This sounds like what I was mentioning before, in a different thread,
> about
>> URL hacking to induce buffer overflow.
>>
>> Regards,
>> Tommy
>>
>> [1] http://www.php.net/manual/en/language.types.float.php
> 
> I found something really weird while coding a validator for floating
> protection protection.
> 
> Case 1 - known DoS / PHP hangs in infinite loop:
> 
>   $value = '2.2250738585072011e-308';
>   var_dump(floatval($value));
> 
> Case 2 - works fine:
> 
>   $value = '2.2250738585072011e-307';
> or
>   $value = '2.2250738585072011e-309';
> or
>   $value = '2.225073858507201e-308';
> 
>   var_dump(floatval($value));
> 
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> FastCGI.  I haven't test it on *nix platform yet.   Could someone please
> confirm this?
> 
> Thanks,
> Tommy
> 
> 

Seems to work fine for me.

$ cat float.php
<?php

echo "Example 1\n";
$value = 2.2250738585072011e-307;
var_dump(floatval($value));
var_dump($value);

echo "Example 2\n";
$value = 2.2250738585072011e-308;
var_dump(floatval($value));
var_dump($value);

echo "Example 3\n";
$value = 2.2250738585072011e-309;
var_dump(floatval($value));
var_dump($value);

echo "Example 4\n";
$value = 2.225073858507201e-308;
var_dump(floatval($value));
var_dump($value);

?>
$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)

$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

No infinite loop.  I like my system... :)

Jim Lucas

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux