Bug #62836 Seg fault or broken object references on unserialize()
Submitted: 2012-08-16 08:59 UTC Modified: 2012-08-18 04:13 UTC
Votes:7
Avg. Score:4.7 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:6 (100.0%)
Same OS:6 (100.0%)
From: daniel dot beardsley at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.5 OS: CentOS
Private report: No CVE-ID: None
 [2012-08-16 08:59 UTC] daniel dot beardsley at gmail dot com
Description:
------------
Occurs on php 5.4.0, but not on 5.3 (I'll try on other versions soon).
Please run this test from /tmp/serialize/run_tests.sh (see bottom for 
explanation)

## Description ##

If calling unserialize() somehow calls back into user code (i.e. autoloading a
class while unserializing it) and user code does another unserialize() (no 
matter what it is), object references in the outer unserialization process won't 
be restored correctly. Sometimes the outer call can result in a Segmentation 
Fault instead of just broken references.

In particular, object references will often be replaced with a seemingly random
value from your serialized object graph (or NULL).

The call stack at the time of the problem looks like this:

  #0 /tmp/serialize/setup.php(6): unserialize('i:4');
  #1 [internal function]: __autoload('A')
  #2 /tmp/serialize/unserialize_autoload.php(4): unserialize('O:1:"A":4:{s:1:...')
  #3 {main}

The unserialize call in frame #2 returns incorrect results because of the 
"recursive" unserialize call in frame #0.

Note:
For reasons that completely escape me, this code seems dependent on the literal 
path it's run from.  Some paths hide the bug, some cause failure, and some cause 
a SegFault.  It's consistent on a per-path basis, but I found no pattern.  

Test script:
---------------
https://gist.github.com/3353895

Expected result:
----------------
Before and After output should be the same. Last line of output should read: 
"Passed, no differences"

Before Serialization:
class A#1 (4) {
  public $b =>
  class B#2 (0) {
  }
  public $b1 =>
  class B#2 (0) {
  }
  public $c =>
  class B#3 (0) {
  }
  public $c1 =>
  class B#3 (0) {
  }
}

Actual result:
--------------
After Serialization:
class A#1 (4) {
  public $b =>
  class B#2 (0) {
  }
  public $b1 =>
  string(2) "1\000"
  public $c =>
  class B#3 (0) {
  }
  public $c1 =>
  NULL
}
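
A single-file regression check for the behaviour reported above, added here as an example (it is not the reporter's gist and not php-src test code). Class names A and B and the property names follow the report; the handwritten payload, the `check_references()` helper and the classes declared inside the autoloader are assumptions made so the script is self-contained.

```php
<?php
// Constructed payload: A holds two B instances, each referenced twice.
// Slot numbering: 1 = A, 2 = $b, 3 = $b1 (r:2), 4 = $c, 5 = $c1 (r:4).
const PAYLOAD = 'O:1:"A":4:{s:1:"b";O:1:"B":0:{}s:2:"b1";r:2;'
              . 's:1:"c";O:1:"B":0:{}s:2:"c1";r:4;}';

// A and B do not exist until the outer unserialize() asks for them, so the
// autoloader runs while the outer call is still resolving references.
spl_autoload_register(function ($class) {
    echo "in autoload: $class\n";
    unserialize('i:4;');              // nested call, as in frame #0 of the report
    if ($class === 'A') {
        class A { public $b; public $b1; public $c; public $c1; }
    } elseif ($class === 'B') {
        class B {}
    }
});

// Returns a list of problems; an empty list means references survived.
function check_references($payload)
{
    $a = unserialize($payload);
    if (!($a instanceof A)) {
        return array('outer unserialize() did not return an instance of A');
    }
    $problems = array();
    foreach (array(array('b', 'b1'), array('c', 'c1')) as $pair) {
        $first  = $a->{$pair[0]};
        $second = $a->{$pair[1]};
        if (!is_object($second)) {
            $problems[] = '$' . $pair[1] . ' is ' . gettype($second) . ', expected object(B)';
        } elseif ($first !== $second) {
            $problems[] = '$' . $pair[0] . ' and $' . $pair[1] . ' are no longer the same instance';
        }
    }
    return $problems;
}

$problems = check_references(PAYLOAD);
echo $problems
    ? "FAILED\n" . implode("\n", $problems) . "\n"
    : "Passed, no differences\n";
```

Run it with the CLI binary of the build under test and check the exit status as well as the output, since the report notes that an affected build may crash with a segmentation fault instead of printing a result.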


 [2012-08-16 18:44 UTC] james at ifixit dot com
I've just reproduced this on a build from master, at commit 
b5305d267b6c3b1b09ab0ba4ecf4f66edc5d4077 .

root 11:37:49 serialize > php --version
PHP 5.5.0-dev (cli) (built: Aug 16 2012 11:37:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
root 11:39:37 serialize > ./run_test.sh
./run_test.sh: line 3:  2267 Segmentation fault      php unserialize_autoload.php > after.out
Original ==========
in autoload: A
in autoload: B
object(A)#1 (4) {
  ["b"]=>
  object(B)#2 (0) {
  }
  ["b1"]=>
  object(B)#2 (0) {
  }
  ["c"]=>
  object(B)#3 (0) {
  }
  ["c1"]=>
  object(B)#3 (0) {
  }
}

Unserialized ======
in autoload: A
in autoload: B
object(A)#1 (4) {
  ["b"]=>
  object(B)#2 (0) {
  }
  ["b1"]=>
  object(B)#2 (0) {
  }
  ["c"]=>
  object(B)#3 (0) {
  }
  ["c1"]=>
  NULL
}

Diff ==============
14,15c14
<   object(B)#3 (0) {
<   }
---
>   NULL
FAILED ============

I built php with the following configure line:

./configure  --host=i686-redhat-linux-gnu --build=i686-redhat-linux-gnu \
--target=i386-redhat-linux --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
--infodir=/usr/share/info --with-libdir=lib64 --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic \
--disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin \
--with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf \
--without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr \
--with-openssl --with-pcre-regex=/usr --with-zlib --with-layout=GNU \
--enable-exif --enable-ftp --enable-magic-quotes --enable-sockets \
--enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx \
--with-kerberos  --enable-shmop --enable-calendar \
--without-sqlite --with-libxml-dir=/usr \
--enable-pcntl --with-imap=/usr/lib64 \
--with-imap-ssl=/usr/local/ssl/include/openssl --enable-mbstring \
--enable-mbregex --with-gd --enable-bcmath --with-xmlrpc=shared \
--with-mysql=mysqlnd --with-mysqli=mysqlnd \
--enable-dom --enable-soap=shared --with-xsl=shared,/usr \
--enable-xmlreader=shared --enable-xmlwriter=shared --with-readline \
--with-mcrypt=/usr/local/include/mcrypt --with-mhash --with-tidy=shared,/usr \
--enable-sigchild --enable-intl --with-apxs2=/usr/sbin/apxs \
--enable-fpm --with-fpm-user=apache --with-fpm-group=apache
 [2012-08-17 10:26 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
 [2012-08-17 10:30 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
 [2012-08-18 04:13 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-08-18 04:13 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2014-10-07 23:23 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
 [2014-10-07 23:33 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
 