php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #68545 NULL pointer dereference in unserialize.c:var_push_dtor
Submitted: 2014-12-03 23:10 UTC Modified: 2014-12-11 20:15 UTC
From: charlie at ceriksen dot com Assigned: ab
Status: Closed Package: Reproducible crash
PHP Version: 5.6.3 OS: Ubuntu 2.6.32/Debian 3.7
Private report: No CVE-ID:
 [2014-12-03 23:10 UTC] charlie at ceriksen dot com
Description:
------------
There's a NULL pointer deference issue in the var_push_dtor function in unserialize.c.

By running the test script, you'll get following segfault:
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62              var_entries *var_hash = (*var_hashx)->last_dtor;


According to 3v4l.org, it crashes on following versions(http://3v4l.org/BtYZg):
4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101:



Test script:
---------------
<?php 
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";'); 
?>


Expected result:
----------------
The interpreter shouldn't crash.

Actual result:
--------------
(gdb) bt
#0  var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1  0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3  0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5  0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6  0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7  0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8  0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9  0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()


Patches

68545_55 (last revision 2014-12-04 09:42 UTC) by ab@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-04 09:42 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 68545_55
Revision:   1417686127
URL:        https://bugs.php.net/patch-display.php?bug=68545&patch=68545_55&revision=1417686127
 [2014-12-04 09:49 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2014-12-04 09:49 UTC] ab@php.net
@charlie please test the patch. Thanks.
 [2014-12-04 13:19 UTC] charlie at ceriksen dot com
-Status: Feedback +Status: Open
 [2014-12-04 13:19 UTC] charlie at ceriksen dot com
Tested the patch on the git PHP-5.5 branch. The test case no longer crashes, and a quick fuzzing of the new version doesn't crash either. But I'll keep fuzzing it for a while to see what happens.
 [2014-12-04 15:38 UTC] ab@php.net
Thanks for the test, this issue at least should be fine then :)
 [2014-12-10 11:37 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2014-12-13 22:29 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-13 22:30 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-13 22:31 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-15 19:00 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 14:01:37 2017 UTC