Bug #70767 crash after script execution
Submitted: 2015-10-22 12:01 UTC Modified: 2017-01-01 12:01 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: liska at avast dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.1 OS: windows 7 64-bit
Private report: No CVE-ID: None
 [2015-10-22 12:01 UTC] liska at avast dot com
Description:
------------
The first PoC script from #70172 causes a segfault in the middle of the dump. I'm using php-7.0.0RC5-Win32-VC14-x64 thread safe.

Test script:
---------------
<?php
// PoC as posted in #70172: a Serializable class whose custom unserialize()
// parses nested data with a second unserialize() call and then overwrites
// the result.
class obj implements Serializable
{
    private $data;

    public function serialize()
    {
        return serialize($this->data);
    }

    public function unserialize($data)
    {
        // The nested unserialize() produces the inner array (and, as the
        // 5.6 expected result below shows, it becomes reachable through the
        // outer payload's back-reference R:3) ...
        $this->data = unserialize($data);
        // ... and this assignment replaces the object's own copy of it.
        $this->data = 1;
    }
}

$inner = 'a:0:{}';
// Outer array: index 0 is the Serializable object (C: = custom unserializer,
// payload $inner), index 1 is R:3, a back-reference to the third entry of
// the unserializer's reference table.
$exploit = 'a:2:{i:0;C:3:"obj":' . strlen($inner) . ':{' . $inner . '}i:1;R:3;}';

$data = unserialize($exploit);

// Allocate a few values between unserialize() and the dump.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi' . $i;
}

var_dump($data);

Expected result:
----------------
Produced by PHP 5.6.14, which contains the fix for #70172:

array(2) {
  [0]=>
  object(obj)#1 (1) {
    ["data":"obj":private]=>
    int(1)
  }
  [1]=>
  array(0) {
  }
}


Actual result:
--------------
array(2) {
  [0]=>
  Segmentation fault


History
 [2015-10-22 13:18 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2015-10-22 13:18 UTC] laruence@php.net
Confirmed this, but I don't see an easy way to fix it. The problem is, we are not using zval ** anymore.. :<
 [2015-10-23 01:22 UTC] ryat@php.net
These security patches are not merged into master/7.0 yet:
http://news.php.net/php.internals/87998
 [2015-10-23 08:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-10-23 08:48 UTC] laruence@php.net
Maybe 5.6 behaves wrongly, https://3v4l.org/new

A reference to an internal (external) object is not allowed.
 [2015-10-23 08:49 UTC] laruence@php.net
should be: https://3v4l.org/GcebX
 [2015-10-23 09:23 UTC] laruence@php.net
-Assigned To: laruence +Assigned To: stas
 [2015-10-23 09:23 UTC] laruence@php.net
@stas what do you think ?  since you have been working on serialize issues for some times
 [2015-10-23 23:18 UTC] ryat@php.net
@laruence references in Serializable objects are allowed, and the 5.x branches are right.

You can see these: https://3v4l.org/HTQUL https://3v4l.org/JvrVs

Your script has triggered a UAF/memory corruption in PHP 7.x, so the result is strange.
 [2015-12-31 23:56 UTC] stas@php.net
-PHP Version: 7.0.0RC5 +PHP Version: 7.0.1 -Assigned To: stas +Assigned To:
 [2015-12-31 23:56 UTC] stas@php.net
Still reproduces on 7.x, but not sure what the cause is yet. References are allowed in serialized objects, but it's true you can mess things up if you do them maliciously. Not sure yet how to fix it.
 [2017-01-01 12:01 UTC] nikic@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: nikic
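The thread above establishes that a payload combining a Serializable class with a back-reference into data its unserialize() produced corrupts memory on 7.x, and that nobody had a fix at the time. The practical consequence for anyone feeding untrusted input to unserialize() is independent of the eventual fix: the custom unserialize() hook runs before any validation can happen, so the only robust defence is to keep attacker-chosen classes out of the unserializer entirely. The following is an added example, not code from the bug report or from PHP itself. It reuses the PoC's class and payload so the difference is visible, assumes PHP >= 7.0 for the allowed_classes option of unserialize(), and the helper names unserialize_untrusted() and contains_object() are this example's own.

```php
<?php
// Added example (not from the report): handling untrusted input while a bug
// like #70767 is open. Nothing here patches unserialize(); it stops
// attacker-named classes from being instantiated, so a custom
// Serializable::unserialize() such as obj::unserialize() never runs.

// Same class as the PoC, with a marker so we can see whether the hook fires.
class obj implements Serializable
{
    private $data;

    public function serialize()
    {
        return serialize($this->data);
    }

    public function unserialize($data)
    {
        echo "obj::unserialize() was called\n";   // the hook the PoC relies on
        $this->data = unserialize($data);
        $this->data = 1;
    }
}

// Payload built the same way as in the report (constructed input).
$inner   = 'a:0:{}';
$exploit = 'a:2:{i:0;C:3:"obj":' . strlen($inner) . ':{' . $inner . '}i:1;R:3;}';

/**
 * Hypothetical helper: unserialize with class instantiation disabled
 * (PHP >= 7.0 'allowed_classes' => false) and reject the result if the
 * payload contained any object at all. Returns the decoded value or throws.
 */
function unserialize_untrusted(string $payload)
{
    $warnings = [];
    // Collect the unserializer's warnings/notices instead of printing them,
    // so they can be reported with the rejection.
    set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
        $warnings[] = $errstr;
        return true;
    });
    try {
        // With allowed_classes disabled, O:/C: tokens yield
        // __PHP_Incomplete_Class instead of a live object, so obj is never
        // constructed and obj::unserialize() is never invoked.
        $value = unserialize($payload, ['allowed_classes' => false]);
    } finally {
        restore_error_handler();
    }
    // unserialize() returns false both for a malformed payload and for the
    // legitimate serialization of false ('b:0;'); tell the two apart.
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('malformed payload: ' . implode('; ', $warnings));
    }
    if (contains_object($value)) {
        throw new UnexpectedValueException('payload contained an object');
    }
    return $value;
}

// Recursively look for any object (including __PHP_Incomplete_Class).
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Plain data still round-trips.
var_dump(unserialize_untrusted(serialize(['a' => 1, 'b' => [2, 3]])));

// The PoC is rejected, and "obj::unserialize() was called" is never printed.
try {
    unserialize_untrusted($exploit);
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Whether the rejected payload fails as a malformed payload (the inner array is never parsed, so R:3 has nothing to point at) or as an incomplete object does not matter for the caller: both paths throw before any object method runs. For data that never needs to carry objects, a format without an object model at all (json_decode()) removes the question entirely; allowed_classes is the mitigation for code that cannot change its wire format.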
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Jan 18 20:01:23 2020 UTC