Sec Bug #60240 invalid read/writes when unserializing specially crafted strings
Submitted: 2011-11-08 07:49 UTC Modified: 2011-12-02 11:50 UTC
From: tony2001@php.net Assigned: mike
Status: Closed Package: SPL related
PHP Version: 5.4.0beta2 OS: Linux 64bit
Private report: No CVE-ID:
 [2011-11-08 07:49 UTC] tony2001@php.net
Description:
------------
The following tests in 5_4 branch:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt

under Valgrind show several issues that might be quite dangerous.
This issue exists in 5_4 only and is not reproducible in 5_3 branch.

Valgrind log:
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D455: process_nested_data (var_unserializer.re:278)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1be08a is 0 bytes after a block of size 10 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D5E4: process_nested_data (var_unserializer.re:292)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1c928e is 0 bytes after a block of size 14 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 


SplObjectStorage_unserialize_bad.mem

==32709== Invalid read of size 4
==32709==    at 0x85FC02: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 4
==32709==    at 0x85FC0F: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 1
==32709==    at 0x85FC2A: php_var_unserialize (zend.h:403)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0495 is 21 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 1
==32709==    at 0x7C65CB: zim_spl_SplObjectStorage_unserialize (spl_observer.c:864)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 4
==32709==    at 0x982FC8: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 4
==32709==    at 0x982FD2: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 4
==32709==    at 0x982FE4: _zval_ptr_dtor (zend.h:379)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 8
==32709==    at 0x983009: _zval_ptr_dtor (zend_execute_API.c:437)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0498 is 24 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 1
==32709==    at 0x98303C: _zval_ptr_dtor (zend_variables.h:32)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid free() / delete / delete[]
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0480 is 0 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 


Test script:
---------------
See these tests:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt

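Added example, not part of this report or of PHP's source: a small Python triage script for memcheck output like the log above. It splits the log into error blocks, uses the "Address ... is N bytes after/inside a block of size M alloc'd/free'd" line to label each error as a heap out-of-bounds access, a use-after-free or a double free, and names the first frame outside the allocator on both the faulting access stack and the block's allocation/free stack. The embedded log is an excerpt of the traces above with deeper frames trimmed; the set of allocator frames to skip (RUNTIME_ALLOC_FRAMES) is an assumption made for this example.

```python
"""Triage Valgrind memcheck output like the log attached to PHP bug #60240.
Added example, not code from the bug report or from PHP: each error block is
classified from its "Address ... is N bytes ..." line (past an allocated block
= heap out-of-bounds, inside a freed block = use-after-free or double free)."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the memcheck log from the report above (deeper frames trimmed).
SAMPLE_LOG = """\
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==
==32709== Invalid write of size 4
==32709==    at 0x85FC0F: php_var_unserialize (zend.h:387)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==
==32709== Invalid free() / delete / delete[]
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==  Address 0xa1b0480 is 0 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
"""

PREFIX_RE = re.compile(r"^==\d+== ?")
HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) "
                     r"a block of size (\d+) (alloc'd|free'd)$")
# Allocator/destructor frames skipped when naming the responsible code (assumed set).
RUNTIME_ALLOC_FRAMES = {"malloc", "free", "_emalloc", "_efree", "_estrndup", "_zval_ptr_dtor"}

@dataclass
class MemcheckError:
    kind: str          # "read", "write", "free" or "other"
    size: int | None   # access width in bytes; None for invalid free()
    category: str      # heap-out-of-bounds / use-after-free / double-free / unknown
    site: str          # first non-allocator frame of the faulting access
    origin: str        # first non-allocator frame where the block was alloc'd or free'd

def _first_user_frame(stack: list[tuple[str, str]]) -> str:
    for func, loc in stack:
        if func not in RUNTIME_ALLOC_FRAMES:
            return f"{func} ({loc})"
    return f"{stack[0][0]} ({stack[0][1]})" if stack else "?"

def _parse_block(lines: list[str]) -> MemcheckError:
    m = HEADER_RE.match(lines[0])
    kind = m.group(1) if m else ("free" if lines[0].startswith("Invalid free()") else "other")
    size = int(m.group(2)) if m else None
    access, origin, addr = [], [], None
    stack = access
    for line in lines[1:]:
        a = ADDR_RE.match(line)
        if a:  # frames after the Address line describe the block's alloc/free history
            addr, stack = a, origin
            continue
        f = FRAME_RE.match(line)
        if f:
            stack.append((f.group(1), f.group(2)))
    if addr is not None and addr.group(4) == "free'd":
        category = "double-free" if kind == "free" else "use-after-free"
    elif addr is not None and addr.group(2) in ("after", "before"):
        category = "heap-out-of-bounds"
    else:
        category = "unknown"
    return MemcheckError(kind, size, category, _first_user_frame(access), _first_user_frame(origin))

def parse_memcheck(text: str) -> list[MemcheckError]:
    """Split memcheck output into error blocks; a block ends at an empty '==PID==' line."""
    errors, block = [], []
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        if line.strip():
            block.append(line)
        elif block:
            errors.append(_parse_block(block))
            block = []
    if block:
        errors.append(_parse_block(block))
    return errors

def summarize(errors: list[MemcheckError]) -> Counter:
    return Counter(e.category for e in errors)

if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(f"{e.category:<18} {e.kind:<5} size={e.size}  at {e.site}  (block: {e.origin})")
```

Run it on a full log with parse_memcheck(open(path).read()). On the excerpt it reports one heap over-read whose block was allocated in zif_substr, one use-after-free and one double free, the latter two on a block whose free history ends in zim_spl_SplObjectStorage_unserialize at spl_observer.c:845, which is what the traces above show.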



History

 [2011-11-12 20:36 UTC] tony2001@php.net
-Type: Bug +Type: Security -Package: Session related +Package: SPL related -Private report: No +Private report: Yes
 [2011-11-12 20:36 UTC] tony2001@php.net
Ok, that session test is now fixed and the SPL problem is still there, so they were probably not related.
 [2011-11-14 20:33 UTC] tony2001@php.net
Okay, so this is definitely related somehow to the changes in SPL, not in the unserialize itself.
It looks like at least this commit is partly guilty: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c?r1=299692&r2=299770

I can propose this patch: http://dev.daylessday.org/diff/spl_observer.diff

It does fix the invalid reads/writes, but the test fails with a minor diff:
020+       object(stdClass)#4 (0) {
020-       object(stdClass)#3 (0) {
 [2011-11-14 20:33 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mike
 [2011-12-02 11:50 UTC] mike@php.net
Automatic comment from SVN on behalf of mike
Revision: http://svn.php.net/viewvc/?view=revision&revision=320279
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2011-12-02 11:50 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2011-12-02 11:50 UTC] mike@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 05:03:19 2014 UTC