PHP :: Sec Bug #73052 :: Memory Corruption in During Deserialized-object Destruction

Sec Bug #73052	Memory Corruption in During Deserialized-object Destruction
Submitted:	2016-09-09 03:07 UTC	Modified:	2016-09-16 13:36 UTC
From:	taoguangchen at icloud dot com	Assigned:	stas (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.6.25	OS:
Private report:	No	CVE-ID:	2016-7411

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	taoguangchen at icloud dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-09-09 03:07 UTC] taoguangchen at icloud dot com

Description:
------------
Memory Corruption in During Deserialized-object Destruction

```
if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
    /* We've got partially constructed object on our hands here. Wipe it. */
    if(Z_TYPE_PP(rval) == IS_OBJECT) {
       zend_hash_clean(Z_OBJPROP_PP(rval));
    }
    ZVAL_NULL(*rval);
  return 0;
}
```

If object deserialization fails, the broken-object's properties will be cleaned. But the object still stored in objects_store, then destructor call with uninitialized properties in during shutdown, that result in memory corruption. 

PoC:
```
<?php

class obj {
    var $ryat;
    public function __destruct() {
        $this->ryat = null;
    }
}

$poc = 'O:3:"obj":1:{';
unserialize($poc);

?>
```

Fix:

You need to set the broken-object's destructor_called into 1.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-09 11:14 UTC] taoguangchen at icloud dot com

Fix:

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(rval)].destructor_called = 1;
}
```

[2016-09-09 17:20 UTC] stas@php.net

It's not a good idea to directly access internal structures in serializer code, but I'll look for a better solution.

[2016-09-12 03:31 UTC] taoguangchen at icloud dot com

You can also consider calling zend_object_store_ctor_failed()

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	zend_object_store_ctor_failed(*rval, TSRMLS_CC);
}
```

[2016-09-12 04:06 UTC] stas@php.net

Yes, zend_object_store_ctor_failed would be better here.

[2016-09-12 04:20 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-09-12 04:20 UTC] stas@php.net

The fix is in security repo as 9ed121184869100b721cf744fa2326715da0889c and in https://gist.github.com/25caa2f05e6f556ab4c0fe1684763961

please verify

[2016-09-12 04:22 UTC] stas@php.net

-CVE-ID: +CVE-ID: needed

[2016-09-13 04:04 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-13 04:04 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-09-13 04:06 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-13 04:09 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-13 04:11 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-13 09:02 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-15 09:30 UTC] tyrael@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-09-16 13:36 UTC] kaplan@php.net

-CVE-ID: needed +CVE-ID: 2016-7411

[2016-10-17 10:08 UTC] bwoebi@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

[2016-10-17 10:08 UTC] bwoebi@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC