Bug #81714 segfault (use-after-free) serializing finalized HashContext
Submitted: 2022-03-28 09:16 UTC
Modified: 2022-03-29 09:50 UTC
From: mail at lucaswerkmeister dot de
Assigned: cmb
Status: Closed
Package: hash related
PHP Version: 8.1.4
OS: Linux
Private report: No
CVE-ID: None
 [2022-03-28 09:16 UTC] mail at lucaswerkmeister dot de
Description:
------------
Attempting to serialize a finalized HashContext segfaults. Looking at the php-src code, I suspect this is a use-after-free (so a potential security vulnerability): php_hash_serialize_spec() uses hash->context after it was efree()d in PHP_FUNCTION(hash_final).

I found the issue in PHP 8.0.8 (Ubuntu 21.10 Impish Indri). https://3v4l.org/dnXnr claims the issue is present in all PHP 8 versions, including master. (In PHP 7, HashContext is not serializable.)

Tested with 'sha256' and 'md5' algos (MD5 used in test script for brevity). I assume the actual hash algorithm is irrelevant.

Test script:
---------------
<?php

$h = hash_init('md5');
hash_final($h);
serialize($h);

OR:

php -r '$h=hash_init("md5");hash_final($h);serialize($h);'

Expected result:
----------------
Some kind of error, probably. I don’t think it’s necessary for a finalized HashContext to have a valid serialization, it just shouldn’t crash.

Actual result:
--------------
Top of internal stack trace (coredumpctl gdb; memory addresses redacted):

                Stack trace of thread 918674:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x xdebug_execute_internal (xdebug.so + 0x)
                #3  0x zend_call_function (php8.0 + 0x)
                #4  0x zend_call_known_function (php8.0 + 0x)
                #5  0x n/a (php8.0 + 0x)
                #6  0x php_var_serialize (php8.0 + 0x)

Without xdebug enabled:

                Stack trace of thread 919029:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x zend_call_function (php8.0 + 0x)
                #3  0x zend_call_known_function (php8.0 + 0x)
                #4  0x n/a (php8.0 + 0x)
                #5  0x php_var_serialize (php8.0 + 0x)
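As an added illustration of the lifetime bug the report describes (a context buffer freed by the final step and then dereferenced by the serialize step) and of the defensive pattern that prevents it: this is not code from php-src or from the linked pull request; the struct and function names are hypothetical stand-ins, and the "refuse to serialize a finalized context" check is the editor's assumption about the shape of a fix, not a description of the actual commit.

```c
/*
 * Added illustration (not php-src code) of the use-after-free pattern in the
 * report: "final" frees the algorithm state, and a later "serialize" still
 * reads it. The hardened version nulls the pointer when it is freed and
 * refuses to serialize a finalized object instead of touching freed memory.
 * All names here are hypothetical stand-ins for php_hash's HashContext.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CTX_SIZE 64

typedef struct {
    unsigned char *context;   /* algorithm state; NULL once finalized */
    size_t context_size;
} hash_ctx;

hash_ctx *hash_init(void) {
    hash_ctx *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->context = calloc(1, CTX_SIZE);
    h->context_size = CTX_SIZE;
    return h;
}

/* Returns 0 on success, -1 if already finalized. Frees the state and, crucially,
   nulls the pointer so no later caller can dereference the freed block. */
int hash_final(hash_ctx *h) {
    if (!h->context) return -1;
    /* ... digest would be computed from h->context here ... */
    free(h->context);
    h->context = NULL;   /* leaving this dangling is exactly the bug in the report */
    return 0;
}

/* Hardened serialize: refuses a finalized context instead of reading freed memory.
   Returns the number of bytes written, or -1 when the context is finalized or
   the output buffer is too small. */
long hash_serialize(const hash_ctx *h, unsigned char *out, size_t out_len) {
    if (!h->context) return -1;               /* the check a UAF-safe path needs */
    if (out_len < h->context_size) return -1;
    memcpy(out, h->context, h->context_size);
    return (long)h->context_size;
}

void hash_free(hash_ctx *h) {
    if (!h) return;
    free(h->context);   /* free(NULL) is a no-op after finalization */
    free(h);
}

/* Mirrors the report's PHP sequence (hash_init, hash_final, serialize) against the
   hardened code; returns 1 if serialize correctly refused, 0 otherwise. */
int reproduce_report_sequence(void) {
    unsigned char buf[CTX_SIZE];
    hash_ctx *h = hash_init();
    if (!h) return 0;
    hash_final(h);
    long n = hash_serialize(h, buf, sizeof buf);
    hash_free(h);
    return n == -1;
}

/* Control case: a live (non-finalized) context still serializes; returns 1 on success. */
int serialize_before_final_ok(void) {
    unsigned char buf[CTX_SIZE];
    hash_ctx *h = hash_init();
    if (!h) return 0;
    long n = hash_serialize(h, buf, sizeof buf);
    hash_free(h);
    return n == CTX_SIZE;
}

int main(void) {
    printf("finalized context refused: %s\n", reproduce_report_sequence() ? "yes" : "no");
    printf("live context serialized:   %s\n", serialize_before_final_ok() ? "yes" : "no");
    return 0;
}
```

The two halves of the pattern matter together: nulling the pointer on free turns a silent read of freed memory into a detectable state, and the check at the start of every consumer (here only serialize, but the same applies to update, copy and a second final) turns that state into a clean error rather than a segfault. Running a reproducer like the one in the report under ASan or Valgrind is the quickest way to confirm whether a crash of this shape is a use-after-free rather than a plain NULL dereference.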


History

 [2022-03-28 16:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-03-29 09:50 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2022-03-29 09:51 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81714: segfault when serializing finalized HashContext
On GitHub:  https://github.com/php/php-src/pull/8265
Patch:      https://github.com/php/php-src/pull/8265.patch
 [2022-04-05 11:37 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/c2eafc29f5ecf49c86e5a3cb5ba9d6beda6c5ba9
Log: Fix #81714: segfault when serializing finalized HashContext
 [2022-04-05 11:37 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC