php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72860 wddx_deserialize use-after-free
Submitted: 2016-08-16 22:42 UTC Modified: 2016-09-16 13:39 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 5.6.25 OS: *
Private report: No CVE-ID: 2016-7413
 [2016-08-16 22:42 UTC] fernando at null-life dot com
Description:
------------
When WDDX tries to deserialize "recordset" element, use after free happens if close tag for the field is not found. This happens only when field names are set.

Test script:
---------------
<?php

$xml=<<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
       <recordset fieldNames='F'>
               <field name='F'>
       </recordset>
</wddxPacket>
XML;

var_dump(wddx_deserialize($xml));

Expected result:
----------------
No crash

Actual result:
--------------
USE_ZEND_ALLOC=0 /home/operac/build2/bin/php -n wdx13.php
=================================================================
==31491==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004caf0 at pc 0x0000018c8492 bp 0x7ffe96410330 sp 0x7ffe96410320
READ of size 4 at 0x60300004caf0 thread T0
    #0 0x18c8491 in zval_delref_p /home/operac/build2/php-src-56/Zend/zend.h:411
    #1 0x18c8491 in i_zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute.h:76
    #2 0x18c8491 in _zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute_API.c:424
    #3 0x15c7840 in wddx_stack_destroy /home/operac/build2/php-src-56/ext/wddx/wddx.c:234
    #4 0x15c7840 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1192
    #5 0x15c878d in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1391
    #6 0x1d5c3e3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #7 0x1c0568c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #8 0x194d3d2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #9 0x169b32f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #10 0x1d653b6 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #11 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #12 0x7f5378c6182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

0x60300004caf0 is located 16 bytes inside of 32-byte region [0x60300004cae0,0x60300004cb00)
freed by thread T0 here:
    #0 0x7f537b22b2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x19a93ae in zend_hash_destroy /home/operac/build2/php-src-56/Zend/zend_hash.c:548
    #2 0x193e4f0 in _zval_dtor_func /home/operac/build2/php-src-56/Zend/zend_variables.c:45
    #3 0x18c8305 in _zval_dtor /home/operac/build2/php-src-56/Zend/zend_variables.h:35
    #4 0x18c8305 in i_zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute.h:79
    #5 0x18c8305 in _zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute_API.c:424
    #6 0x15c7840 in wddx_stack_destroy /home/operac/build2/php-src-56/ext/wddx/wddx.c:234
    #7 0x15c7840 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1192
    #8 0x15c878d in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1391
    #9 0x1d5c3e3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #10 0x1c0568c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #11 0x194d3d2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #12 0x169b32f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #13 0x1d653b6 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #14 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #15 0x7f5378c6182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f537b22b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x15b4277 in php_wddx_push_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:876
    #2 0x15ec5d3 in _start_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:84
    #3 0x7f53799bda20 in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x45a20)

SUMMARY: AddressSanitizer: heap-use-after-free /home/operac/build2/php-src-56/Zend/zend.h:411 zval_delref_p

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-06 06:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2016-09-06 06:43 UTC] stas@php.net
The fix is in security repo as ee552853ff4d72f626102025133e2cd1575043ee and in https://gist.github.com/4f730c88f90c15b0216e8651af525972

please verify
 [2016-09-12 07:48 UTC] stas@php.net
-PHP Version: 7.0.9 +PHP Version: 5.6.25
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=780daee62b55995a10f8e849159eff0a25bacb9d
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-16 13:39 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7413
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC