PHP :: Bug #69139 :: Crash in gc_zval_possible

Bug #69139	Crash in gc_zval_possible_root on unserialize
Submitted:	2015-02-27 16:39 UTC	Modified:	2015-02-28 04:14 UTC
From:	emilio dot pinn at gmail dot com	Assigned:	laruence (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.6.6	OS:	Ubuntu 14.04.2 LTS
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-02-27 16:39 UTC] emilio dot pinn at gmail dot com

Description:
------------
PHP versions: 5.6.6, reproduced also in 5.6.5 and 5.5.9(-1ubuntu4.6)
Reproduction:

The PHP interpreter (tested both on CLI and on apache module) crashes when unserializing a specific string. 

$ cat payload 
a:1126666:{i:0;r:1;i:-09610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":2116:{i:0;r:5;i:-096766610;r:1;i:-610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":-0;i:00;i:0;i:0;O:1:""A
$ gdb sapi/cli/php 
(gdb) run -r 'unserialize(file_get_contents("payload"));'
Starting program: /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php -r 'unserialize(file_get_contents("payload"));'

Program received signal SIGSEGV, Segmentation fault.
0x00000000007e7653 in gc_zval_possible_root (zv=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00000000007e7653 in gc_zval_possible_root (zv=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.c:143
#1  0x00000000007a8501 in gc_zval_check_possible_root (z=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.h:183
#2  i_zval_ptr_dtor (zval_ptr=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute.h:86
#3  _zval_ptr_dtor (zval_ptr=0x7ffff7fc6d90) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:424
#4  0x0000000000704495 in var_destroy (var_hashx=0x7fffffffc368) at /archivio/assessments/afl-php/php-5.6.6/ext/standard/var_unserializer.c:174
#5  0x00000000006f2079 in zif_unserialize (ht=1, return_value=0x7ffff7fc2e48, return_value_ptr=0x7ffff7f8e0a0, this_ptr=0x0, return_value_used=0)
    at /archivio/assessments/afl-php/php-5.6.6/ext/standard/var.c:966
#6  0x0000000000805c2a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:558
#7  0x000000000080da25 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:2595
#8  0x0000000000803fed in execute_ex (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:363
#9  0x0000000000804a2a in zend_execute (op_array=0x7ffff7fc35d0) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:388
#10 0x00000000007ab4cd in zend_eval_stringl (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", str_len=42, retval_ptr=0x0, 
    string_name=0xc6f564 "Command line code") at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1077
#11 0x00000000007ab79e in zend_eval_stringl_ex (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", str_len=42, retval_ptr=0x0, 
    string_name=0xc6f564 "Command line code", handle_exceptions=1) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1124
#12 0x00000000007ab820 in zend_eval_string_ex (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", retval_ptr=0x0, string_name=0xc6f564 "Command line code", 
    handle_exceptions=1) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1135
#13 0x00000000008e43eb in do_cli (argc=3, argv=0xf8a490) at /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php_cli.c:1034
#14 0x00000000008e550b in main (argc=3, argv=0xf8a490) at /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php_cli.c:1378
(gdb) 

The crash has been found with afl-fuzz.


Test script:
---------------
Please find here a downloadable link of the payload above https://www.dropbox.com/s/mnibxz6xga0dbcr/crash_payload?dl=0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-02-28 04:14 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2015-02-28 04:14 UTC] laruence@php.net

a quick fix could be :

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 8fd8e6e..7646667 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -324,8 +324,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
 			zval_dtor(key);
 			FREE_ZVAL(key);
-			zval_dtor(data);
-			FREE_ZVAL(data);
+			zval_ptr_dtor(&data);
 			return 0;
 		}


but I need do some more verifing

[2015-03-01 15:20 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=caebb76131ffce8ef7d8086f4eff2726c93d329f
Log: Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize)

[2015-03-01 15:20 UTC] laruence@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC