php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #67538 SPL Iterators use-after-free
Submitted: 2014-06-29 14:54 UTC Modified: 2014-07-03 02:49 UTC
From: research at insighti dot org Assigned: laruence (profile)
Status: Closed Package: SPL related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2014-4670
View Developer Edit
 [2014-06-29 14:54 UTC] research at insighti dot org 
Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators).
Changes in the object are not projected to the object iterators.
This results in iterators pointing to freed memory.
Calling next on the iterator triggers use-after-free.

Please use CVE-2014-4670 for this bug.

Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');

$list->rewind();
$list->offsetUnset(0);
$list->push('c');
$list->offsetUnset(0);
$list->next();

Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274==    at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)
==14274==  Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274==    at 0x402750C: free (vg_replace_malloc.c:427)
==14274==    by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-29 19:20 UTC] stas@php.net
-Type: Security +Type: Bug
 [2014-07-02 09:58 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-02 09:58 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2014-07-02 12:45 UTC] research at insighti dot org 
Please use CVE-2014-4670, the bug is in fact exploitable - not sure why was it made public before release of a patched version.

It's not remotely exploitable, however, shared environments relying on PHP security features (open_basedir, safe_mode in older PHPs, disable_functions and similar) are affected. We're ready to provide PoC is needed.
 [2014-07-03 02:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2014-07-03 02:49 UTC] laruence@php.net
-CVE-ID: +CVE-ID: 2014-4670
 [2014-07-07 15:22 UTC] dmitry@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-21 09:31 UTC] ab@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-21 10:02 UTC] ab@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-25 05:59 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-30 09:52 UTC] tyrael@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-30 09:52 UTC] tyrael@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 08:26 UTC] ab@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 08:43 UTC] ab@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 09:59 UTC] dmitry@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-10-07 23:13 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-10-07 23:24 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 10:00:01 2025 UTC