php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67538 SPL Iterators use-after-free
Submitted: 2014-06-29 14:54 UTC Modified: 2014-07-03 02:49 UTC
From: research at insighti dot org Assigned: laruence
Status: Closed Package: SPL related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2014-4670
 [2014-06-29 14:54 UTC] research at insighti dot org
Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators).
Changes in the object are not projected to the object iterators.
This results in iterators pointing to freed memory.
Calling next on the iterator triggers use-after-free.

Please use CVE-2014-4670 for this bug.

Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');

$list->rewind();
$list->offsetUnset(0);
$list->push('c');
$list->offsetUnset(0);
$list->next();

Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274==    at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)
==14274==  Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274==    at 0x402750C: free (vg_replace_malloc.c:427)
==14274==    by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-29 19:20 UTC] stas@php.net
-Type: Security +Type: Bug
 [2014-07-02 09:58 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-02 09:58 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2014-07-02 12:45 UTC] research at insighti dot org
Please use CVE-2014-4670, the bug is in fact exploitable - not sure why was it made public before release of a patched version.

It's not remotely exploitable, however, shared environments relying on PHP security features (open_basedir, safe_mode in older PHPs, disable_functions and similar) are affected. We're ready to provide PoC is needed.
 [2014-07-03 02:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2014-07-03 02:49 UTC] laruence@php.net
-CVE-ID: +CVE-ID: 2014-4670
 [2014-07-07 15:22 UTC] dmitry@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-21 09:31 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-21 10:02 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-25 05:59 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-30 09:52 UTC] tyrael@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-07-30 09:52 UTC] tyrael@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 08:26 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 08:43 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-08-04 09:59 UTC] dmitry@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=61e0f8599d4e2a222ec49781e5be90fbbc1cd65b
Log: Fixed Bug #67538 (SPL Iterators use-after-free)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC