Sec Bug #73052 Memory Corruption in During Deserialized-object Destruction
Submitted: 2016-09-09 03:07 UTC Modified: 2016-09-16 13:36 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.25 OS:
Private report: No CVE-ID: 2016-7411
 [2016-09-09 03:07 UTC] taoguangchen at icloud dot com
Description:
------------
Memory Corruption in During Deserialized-object Destruction

```c
if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
    /* We've got partially constructed object on our hands here. Wipe it. */
    if (Z_TYPE_PP(rval) == IS_OBJECT) {
        zend_hash_clean(Z_OBJPROP_PP(rval));
    }
    ZVAL_NULL(*rval);
    return 0;
}
```

If object deserialization fails, the broken object's properties will be cleaned. But the object is still stored in objects_store, so the destructor is called with uninitialized properties during shutdown, which results in memory corruption.

PoC:
```php
<?php

class obj {
    var $ryat;
    public function __destruct() {
        $this->ryat = null;
    }
}

$poc = 'O:3:"obj":1:{';
unserialize($poc);

?>
```

Fix:

You need to set the broken object's destructor_called to 1.
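To make the shutdown sequence in the report concrete, here is an added toy model in C of the object store. It is not the reporter's code and not php-src; the names `object_store`, `store_put`, `store_ctor_failed`, `store_call_destructors` and `unserialize_object` are assumed for the example. It models a handle that is allocated before its properties are filled in, a failed `process_nested_data()` that wipes the partial property table, and a shutdown loop that runs every destructor not yet marked `destructor_called`. With the flag left at 0 the destructor runs on an uninitialized object; with the flag set on the failure path it does not.

```c
#include <string.h>

/* Added example: toy model of the Zend object store, NOT php-src code.
 * Shows why a partially constructed object must have destructor_called
 * set before shutdown runs the remaining destructors. All names are
 * hypothetical. */

#define MAX_OBJECTS 8

typedef struct {
    int in_use;             /* handle allocated */
    int destructor_called;  /* mirrors object_buckets[h].destructor_called */
    int props_initialized;  /* stands in for a populated property HashTable */
} object_bucket;

typedef struct {
    object_bucket buckets[MAX_OBJECTS];
    int destructors_run;          /* destructors invoked at shutdown */
    int unsafe_destructor_calls;  /* destructors invoked on uninitialized objects */
} object_store;

static void store_init(object_store *s) { memset(s, 0, sizeof *s); }

/* Allocate a handle. As in unserialize(), the object exists in the store
 * before its properties have been filled in. */
static int store_put(object_store *s) {
    for (int h = 0; h < MAX_OBJECTS; h++) {
        if (!s->buckets[h].in_use) {
            s->buckets[h].in_use = 1;
            return h;
        }
    }
    return -1;
}

/* Counterpart of zend_object_store_ctor_failed(): construction did not
 * complete, so the destructor must never run for this handle. */
static void store_ctor_failed(object_store *s, int h) {
    s->buckets[h].destructor_called = 1;
}

/* Shutdown: run the destructor of every live object not yet marked. */
static void store_call_destructors(object_store *s) {
    for (int h = 0; h < MAX_OBJECTS; h++) {
        object_bucket *b = &s->buckets[h];
        if (!b->in_use || b->destructor_called) continue;
        b->destructor_called = 1;
        s->destructors_run++;
        /* Real PHP would now read cleaned/uninitialized property slots. */
        if (!b->props_initialized) s->unsafe_destructor_calls++;
    }
}

/* Model of the object branch of the unserializer: the payload declares
 * `declared` properties but only `present` are actually available (the
 * PoC declares 1 and supplies 0). `mark_failed` selects pre-fix (0) or
 * post-fix (1) behaviour on the failure path. Returns 1 on success. */
static int unserialize_object(object_store *s, int declared, int present, int mark_failed) {
    int h = store_put(s);
    if (h < 0) return 0;
    if (present < declared) {
        /* process_nested_data() failed: wipe the partial property table... */
        s->buckets[h].props_initialized = 0;
        /* ...and, with the fix, tell the store that construction failed. */
        if (mark_failed) store_ctor_failed(s, h);
        return 0;  /* caller does ZVAL_NULL(*rval); the store still holds h */
    }
    s->buckets[h].props_initialized = 1;
    return 1;
}

/* Run one truncated payload through a request and shutdown; return how
 * many destructors ran on an uninitialized object (0 means safe). */
static int unsafe_calls_for_truncated_payload(int mark_failed) {
    object_store s;
    store_init(&s);
    unserialize_object(&s, 1, 0, mark_failed);  /* O:3:"obj":1:{ with no members */
    store_call_destructors(&s);
    return s.unsafe_destructor_calls;
}

/* Sanity check: a complete object still gets exactly one destructor call. */
static int destructor_calls_for_complete_payload(void) {
    object_store s;
    store_init(&s);
    unserialize_object(&s, 1, 1, 1);
    store_call_destructors(&s);
    return s.destructors_run;
}
```

The point the model makes is that `zend_hash_clean()` alone is not enough: the handle remains in the store, and the shutdown loop only skips a bucket whose `destructor_called` flag is already set, which is exactly what the proposed fix arranges.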


 [2016-09-09 11:14 UTC] taoguangchen at icloud dot com
Fix:

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(rval)].destructor_called = 1;
}
```
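Review bot: the `+` line writes `EG(objects_store).object_buckets[...].destructor_called` directly from the unserializer, which couples serializer code to the object store's internal layout; the store's own `zend_object_store_ctor_failed()`, suggested later in this thread, is the better call for marking a failed construction. Whichever form is used, it must stay inside the `IS_OBJECT` branch and before the `ZVAL_NULL(*rval)` that follows this block, because `Z_OBJ_HANDLE_PP(rval)` reads the handle from the zval that is about to be nulled.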
 [2016-09-09 17:20 UTC] stas@php.net
It's not a good idea to directly access internal structures in serializer code, but I'll look for a better solution.
 [2016-09-12 03:31 UTC] taoguangchen at icloud dot com
You can also consider calling zend_object_store_ctor_failed()

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	zend_object_store_ctor_failed(*rval, TSRMLS_CC);
}
```
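Review bot: `zend_object_store_ctor_failed(*rval, TSRMLS_CC)` keeps the serializer out of `object_buckets` and answers the objection to the first patch, so this is the version to take. Keep the call inside the `IS_OBJECT` check, since only object handles have a store entry, and before the `ZVAL_NULL(*rval)` that follows this block, which would discard the handle the call needs. A regression test built from the truncated `O:3:"obj":1:{` payload in the report would lock the behaviour in.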
 [2016-09-12 04:06 UTC] stas@php.net
Yes, zend_object_store_ctor_failed would be better here.
 [2016-09-12 04:20 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-12 04:20 UTC] stas@php.net
The fix is in security repo as 9ed121184869100b721cf744fa2326715da0889c and in https://gist.github.com/25caa2f05e6f556ab4c0fe1684763961

please verify
 [2016-09-12 04:22 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-16 13:36 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7411
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jan 28 23:01:28 2025 UTC