Bug #69139 Crash in gc_zval_possible_root on unserialize
Submitted: 2015-02-27 16:39 UTC Modified: 2015-02-28 04:14 UTC
From: emilio dot pinn at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.6 OS: Ubuntu 14.04.2 LTS
Private report: No CVE-ID: None
 [2015-02-27 16:39 UTC] emilio dot pinn at gmail dot com
Description:
------------
PHP versions: 5.6.6, reproduced also in 5.6.5 and 5.5.9(-1ubuntu4.6)
Reproduction:

The PHP interpreter (tested both on the CLI and as an Apache module) crashes when unserializing a specific string.

$ cat payload 
a:1126666:{i:0;r:1;i:-09610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":2116:{i:0;r:5;i:-096766610;r:1;i:-610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":-0;i:00;i:0;i:0;O:1:""A
$ gdb sapi/cli/php 
(gdb) run -r 'unserialize(file_get_contents("payload"));'
Starting program: /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php -r 'unserialize(file_get_contents("payload"));'

Program received signal SIGSEGV, Segmentation fault.
0x00000000007e7653 in gc_zval_possible_root (zv=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00000000007e7653 in gc_zval_possible_root (zv=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.c:143
#1  0x00000000007a8501 in gc_zval_check_possible_root (z=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_gc.h:183
#2  i_zval_ptr_dtor (zval_ptr=0x7ffff7fc3c70) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute.h:86
#3  _zval_ptr_dtor (zval_ptr=0x7ffff7fc6d90) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:424
#4  0x0000000000704495 in var_destroy (var_hashx=0x7fffffffc368) at /archivio/assessments/afl-php/php-5.6.6/ext/standard/var_unserializer.c:174
#5  0x00000000006f2079 in zif_unserialize (ht=1, return_value=0x7ffff7fc2e48, return_value_ptr=0x7ffff7f8e0a0, this_ptr=0x0, return_value_used=0)
    at /archivio/assessments/afl-php/php-5.6.6/ext/standard/var.c:966
#6  0x0000000000805c2a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:558
#7  0x000000000080da25 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:2595
#8  0x0000000000803fed in execute_ex (execute_data=0x7ffff7f8e0d8) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:363
#9  0x0000000000804a2a in zend_execute (op_array=0x7ffff7fc35d0) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_vm_execute.h:388
#10 0x00000000007ab4cd in zend_eval_stringl (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", str_len=42, retval_ptr=0x0, 
    string_name=0xc6f564 "Command line code") at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1077
#11 0x00000000007ab79e in zend_eval_stringl_ex (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", str_len=42, retval_ptr=0x0, 
    string_name=0xc6f564 "Command line code", handle_exceptions=1) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1124
#12 0x00000000007ab820 in zend_eval_string_ex (str=0xf8a520 "unserialize(file_get_contents(\"payload\"));", retval_ptr=0x0, string_name=0xc6f564 "Command line code", 
    handle_exceptions=1) at /archivio/assessments/afl-php/php-5.6.6/Zend/zend_execute_API.c:1135
#13 0x00000000008e43eb in do_cli (argc=3, argv=0xf8a490) at /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php_cli.c:1034
#14 0x00000000008e550b in main (argc=3, argv=0xf8a490) at /archivio/assessments/afl-php/php-5.6.6/sapi/cli/php_cli.c:1378
(gdb) 

The crash has been found with afl-fuzz.


Test script:
---------------
Please find here a download link for the payload above: https://www.dropbox.com/s/mnibxz6xga0dbcr/crash_payload?dl=0
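The crash reported above, as an added illustrative C model (not PHP's source): a value shared between the caller's local and the var_hash registry is destroyed unconditionally on the error path, so unserialize()'s var_destroy (frame #4 in the backtrace) releases it a second time, while a refcount-aware release, the pattern the fix in this report adopts, destroys it exactly once. Every type and function name here is constructed for the model and only mirrors the role of its PHP namesake.

```c
#include <stdlib.h>

/* Hypothetical refcounted value. `destroyed` counts destructor calls instead of
 * really freeing memory, so a double free is observable rather than a crash. */
typedef struct { int refcount; int destroyed; } zval_t;

/* Registry holding one reference to each value recorded in it: the role
 * var_hash plays for back-references such as r:1; in the payload (model only). */
typedef struct { zval_t *vars[16]; int n; } var_hash_t;

static zval_t *zval_new(void) {
    zval_t *z = calloc(1, sizeof *z);
    z->refcount = 1;                     /* owned by the caller's local variable */
    return z;
}

static void var_push(var_hash_t *h, zval_t *z) {
    z->refcount++;                       /* the registry now shares ownership */
    h->vars[h->n++] = z;
}

/* Refcount-aware release, modelling zval_ptr_dtor(): destroy only when the last owner lets go. */
static void zval_ptr_dtor(zval_t *z) {
    if (z->destroyed || --z->refcount == 0)
        z->destroyed++;                  /* touching an already-destroyed value = double free */
}

/* Unconditional destroy, modelling zval_dtor()+FREE_ZVAL(): ignores other owners. */
static void zval_dtor_free(zval_t *z) { z->destroyed++; }

/* Modelled var_destroy(): unserialize() tears the registry down and drops its references. */
static void var_destroy(var_hash_t *h) {
    for (int i = 0; i < h->n; i++) zval_ptr_dtor(h->vars[i]);
}

/* Error branch of process_nested_data, modelled. Returns how many times `data`
 * was destroyed: 1 is correct, 2 is a double free, 0 would be a leak. */
static int failed_nested_unserialize(int data_registered, int use_ptr_dtor) {
    var_hash_t h = { {0}, 0 };
    zval_t *data = zval_new();
    if (data_registered) var_push(&h, data);   /* nested parse recorded it before failing */
    if (use_ptr_dtor) zval_ptr_dtor(data);     /* fixed cleanup: drop only our reference */
    else zval_dtor_free(data);                 /* original cleanup: destroy regardless of owners */
    var_destroy(&h);                           /* unserialize() teardown releases registry refs */
    int n = data->destroyed;
    free(data);
    return n;
}
```

The unregistered case returns 1 under both cleanups, which is why the original code looked correct until a back-reference had been recorded before the nested parse failed.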




History

 [2015-02-28 04:14 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-02-28 04:14 UTC] laruence@php.net
a quick fix could be:

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 8fd8e6e..7646667 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -324,8 +324,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
 			zval_dtor(key);
 			FREE_ZVAL(key);
-			zval_dtor(data);
-			FREE_ZVAL(data);
+			zval_ptr_dtor(&data);
 			return 0;
 		}
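Review bot: the switch to zval_ptr_dtor(&data) is the right fix for this branch, because a php_var_unserialize call that fails partway can already have registered data in var_hash (the registry that resolves back-references such as r:1; in the payload), so the previous zval_dtor(data)/FREE_ZVAL(data) destroyed a zval the hash still pointed at and var_destroy then released it again, which is frames #4 down to #0 of the reported backtrace. Two things to confirm before merging: that key cannot have been registered the same way, since the two unchanged lines above still free it unconditionally with zval_dtor(key)/FREE_ZVAL(key), and that the reporter's payload is added as a regression test (a phpt under ext/standard/tests) so a future change to this error path cannot silently reintroduce the double release.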


but I need to do some more verifying
 [2015-03-01 15:20 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=caebb76131ffce8ef7d8086f4eff2726c93d329f
Log: Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize)
 [2015-03-01 15:20 UTC] laruence@php.net
-Status: Assigned +Status: Closed