PHP :: Sec Bug #68545 :: NULL pointer dereference in unserialize.c:var_push

Sec Bug #68545	NULL pointer dereference in unserialize.c:var_push_dtor
Submitted:	2014-12-03 23:10 UTC	Modified:	2014-12-11 20:15 UTC
From:	charlie at ceriksen dot com	Assigned:	ab (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.6.3	OS:	Ubuntu 2.6.32/Debian 3.7
Private report:	No	CVE-ID:	None

View Developer Edit

[2014-12-03 23:10 UTC] charlie at ceriksen dot com

Description:
------------
There's a NULL pointer deference issue in the var_push_dtor function in unserialize.c.

By running the test script, you'll get following segfault:
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62              var_entries *var_hash = (*var_hashx)->last_dtor;


According to 3v4l.org, it crashes on following versions(http://3v4l.org/BtYZg):
4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101:



Test script:
---------------
<?php 
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";'); 
?>


Expected result:
----------------
The interpreter shouldn't crash.

Actual result:
--------------
(gdb) bt
#0  var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1  0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3  0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5  0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6  0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7  0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8  0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9  0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()

Patches

68545_55 (last revision 2014-12-04 09:42 UTC by ab@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-12-04 09:42 UTC] ab@php.net

The following patch has been added/updated:

Patch Name: 68545_55
Revision:   1417686127
URL:        https://bugs.php.net/patch-display.php?bug=68545&patch=68545_55&revision=1417686127

[2014-12-04 09:49 UTC] ab@php.net

-Status: Open +Status: Feedback

[2014-12-04 09:49 UTC] ab@php.net

@charlie please test the patch. Thanks.

[2014-12-04 13:19 UTC] charlie at ceriksen dot com

-Status: Feedback +Status: Open

[2014-12-04 13:19 UTC] charlie at ceriksen dot com

Tested the patch on the git PHP-5.5 branch. The test case no longer crashes, and a quick fuzzing of the new version doesn't crash either. But I'll keep fuzzing it for a while to see what happens.

[2014-12-04 15:33 UTC] ab@php.net

Related To: Bug #68483

[2014-12-04 15:38 UTC] ab@php.net

Thanks for the test, this issue at least should be fine then :)

[2014-12-10 11:37 UTC] ab@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: ab

[2014-12-13 22:29 UTC] ajf@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c

[2014-12-13 22:30 UTC] ajf@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c

[2014-12-13 22:31 UTC] ajf@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c

[2014-12-15 19:00 UTC] ab@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC