php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71850 packed hashtable covert to a hash
Submitted: 2016-03-18 03:42 UTC Modified: 2016-03-19 14:23 UTC
From: niubl at knownsec dot com Assigned:
Status: Duplicate Package: Scripting Engine problem
PHP Version: 7.0.5RC1 OS: inux kali
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
31 - 16 = ?
Subscribe to this entry?

 
 [2016-03-18 03:42 UTC] niubl at knownsec dot com
Description:
------------
when a array's packed hashtable covert to a hash and it is going to be assign a reference($array[2]) to object($array[3]) , it fail to change the object's type to a reference, so it get a crash when the array deal the reference as a object. 

it is a security problem?

my english is soso and hope you can understand.

Test script:
---------------
<?php 

class TestX {
  var $i;
}

class TestY {
  var $A = array();

  function __construct() {

    $obj = new TestX(2);
    $this->A[3] = $obj;
    $this->A[3] = &$this->A[2];
  }
}

$before = new TestY();
//var_dump($before);
$ser = serialize($before);
?>

Expected result:
----------------
object(TestY)#1 (1) {
  ["A"]=>
  array(2) {
    [3]=>
    &NULL
    [2]=>
    &NULL
  }
}


Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000c08 in ?? ()
(gdb) bt full
#0  0x0000000000000c08 in ?? ()
No symbol table info available.
#1  0x0000000000648af4 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff385eca0, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:847
        serialized_data = 0x0
        serialized_length = 4245278497
        retval = {
          value = {
            lval = 0, 
            dval = 0, 
            counted = 0x0, 
            str = 0x0, 
            arr = 0x0, 
            obj = 0x0, 
            res = 0x0, 
            ref = 0x0, 
            ast = 0x0, 
            zv = 0x0, 
            ptr = 0x0, 
            ce = 0x0, 
            func = 0x0, 
            ww = {
              w1 = 0, 
              w2 = 0
            }
          }, 
          u1 = {
            v = {
              type = 72 'H', 
              type_flags = 166 '\246', 
              const_flags = 255 '\377', 
              reserved = 255 '\377'
---Type <return> to continue, or q <return> to quit---
            }, 
            type_info = 4294944328
          }, 
          u2 = {
            var_flags = 32767, 
            next = 32767, 
            cache_slot = 32767, 
            lineno = 32767, 
            num_args = 32767, 
            fe_pos = 32767, 
            fe_iter_idx = 32767, 
            access_flags = 32767
          }
        }
        fname = {
          value = {
            lval = 4245278497, 
            dval = 2.0974462623962614e-314, 
            counted = 0xfd09cf21, 
            str = 0xfd09cf21, 
            arr = 0xfd09cf21, 
            obj = 0xfd09cf21, 
            res = 0xfd09cf21, 
            ref = 0xfd09cf21, 
            ast = 0xfd09cf21, 
            zv = 0xfd09cf21, 
            ptr = 0xfd09cf21, 
            ce = 0xfd09cf21, 
            func = 0xfd09cf21, 
            ww = {
              w1 = 4245278497, 
---Type <return> to continue, or q <return> to quit---
              w2 = 0
            }
          }, 
          u1 = {
            v = {
              type = 60 '<', 
              type_flags = 39 '\'', 
              const_flags = 244 '\364', 
              reserved = 3 '\003'
            }, 
            type_info = 66332476
          }, 
          u2 = {
            var_flags = 0, 
            next = 0, 
            cache_slot = 0, 
            lineno = 0, 
            num_args = 0, 
            fe_pos = 0, 
            fe_iter_idx = 0, 
            access_flags = 0
          }
        }
        res = <optimized out>
        ce = <optimized out>
        myht = <optimized out>
#2  0x0000000000648f52 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff3857338, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:944
        _z = 0x7ffff385eca0
        _p = 0x7ffff385eca0
        _end = 0x7ffff385ece0
        key = <optimized out>
---Type <return> to continue, or q <return> to quit---
        data = 0x7ffff385eca0
        index = <optimized out>
        i = <optimized out>
        incomplete_class = 0 '\000'
        myht = <optimized out>
#3  0x0000000000648f52 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff3814180, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:944
        _z = 0x7ffff3857338
        _p = 0x7ffff385eb60
        _end = 0x7ffff385eb80
        key = <optimized out>
        data = 0x7ffff3857338
        index = <optimized out>
        i = <optimized out>
        incomplete_class = 0 '\000'
        myht = <optimized out>
#4  0x000000000064cba8 in php_var_serialize_intern (var_hash=<optimized out>, struc=<optimized out>, buf=0x7fffffffa820, buf@entry=0x7fffffffa7e0) at /root/Desktop/php-src/ext/standard/var.c:968
No locals.
#5  php_var_serialize (buf=buf@entry=0x7fffffffa820, struc=<optimized out>, data=data@entry=0x7fffffffa818) at /root/Desktop/php-src/ext/standard/var.c:966
No locals.
#6  0x000000000064cc54 in zif_serialize (execute_data=<optimized out>, return_value=0x7ffff3814100) at /root/Desktop/php-src/ext/standard/var.c:984
        struc = 0x7ffff3814180
        var_hash = 0x7ffff3803040
        buf = {
          s = 0x7ffff3874300, 
          a = 231
        }
#7  0x0000000000727abd in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /root/Desktop/php-src/Zend/zend_vm_execute.h:640
        call = 0x7ffff3814120
        fbc = <optimized out>
        ret = <optimized out>
#8  0x000000000070eb1b in execute_ex (ex=<optimized out>) at /root/Desktop/php-src/Zend/zend_vm_execute.h:423
---Type <return> to continue, or q <return> to quit---
        orig_opline = 0x7ffff387f000
        orig_execute_data = 0x0
#9  0x000000000076ea07 in zend_execute (op_array=0x7ffff387f000, op_array@entry=0x7ffff385eae0, return_value=return_value@entry=0x7ffff3814030) at /root/Desktop/php-src/Zend/zend_vm_execute.h:467
        execute_data = 0x7ffff3814030
#10 0x00000000006d0be4 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff3814030, retval@entry=0x0, file_count=file_count@entry=3) at /root/Desktop/php-src/Zend/zend.c:1427
        files = <error reading variable files (Attempt to dereference a generic pointer.)>
        i = 1
        file_handle = 0x7fffffffce50
        op_array = 0x7ffff385eae0
#11 0x0000000000674080 in php_execute_script (primary_file=primary_file@entry=0x7fffffffce50) at /root/Desktop/php-src/main/main.c:2487
        realfile = "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php\000\000\000\000\000(\000\000\000\000\000\000\000\a\000\000\000\000\000\000\000`\000\000\000\000\000\000\000\220\000\000\000\000\000\000\000\a\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\061\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000[\000\000\000n", '\000' <repeats 15 times>, "n", '\000' <repeats 19 times>, "w\000\000\000|\000\000\000(\000\000\000\000\000\000\000\000<\312\366\377\177\000\000`\000\000\000\000\000\000\000"...
        __orig_bailout = 0x7fffffffcec0
        __bailout = {{
            __jmpbuf = {0, 5509280956322737466, 15629472, 12167384, 1, 140737488347224, 5509280959705443642, -5509280140708876998}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {0, 0, 0, 0, 0, 0, 15362560, 15415648, 0, 0, 2, 22, 64, 2, 0, 48}
            }
          }}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {
          handle = {
            fd = 0, 
            fp = 0x0, 
            stream = {
              handle = 0x0, 
              isatty = 0, 
              mmap = {
---Type <return> to continue, or q <return> to quit---
                len = 0, 
                pos = 0, 
                map = 0x0, 
                buf = 0x0, 
                old_handle = 0x0, 
                old_closer = 0x0
              }, 
              reader = 0x0, 
              fsizer = 0x0, 
              closer = 0x0
            }
          }, 
          filename = 0x0, 
          opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, 
          free_filename = 0 '\000'
        }
        append_file = {
          handle = {
            fd = 0, 
            fp = 0x0, 
            stream = {
              handle = 0x0, 
              isatty = 0, 
              mmap = {
                len = 0, 
                pos = 0, 
                map = 0x0, 
                buf = 0x0, 
                old_handle = 0x0, 
                old_closer = 0x0
---Type <return> to continue, or q <return> to quit---
              }, 
              reader = 0x0, 
              fsizer = 0x0, 
              closer = 0x0
            }
          }, 
          filename = 0x0, 
          opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, 
          free_filename = 0 '\000'
        }
        old_cwd = 0x7fffffffa970 ""
        retval = 0
#12 0x0000000000770624 in do_cli (argc=2, argv=0xee7c50) at /root/Desktop/php-src/sapi/cli/php_cli.c:974
        __orig_bailout = 0x7fffffffe060
        __bailout = {{
            __jmpbuf = {15415648, 5509280957797559610, 0, 0, 0, 140737488347224, 5509280956320640314, -5509280284273218246}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {12047014, 12047038, 11943101, 11943122, 12047051, 12047071, 12047088, 12047652, 12047109, 12047123, 12047145, 12047164, 12047191, 12047220, 0, 0}
            }
          }}
        c = <optimized out>
        file_handle = {
          handle = {
            fd = -209231856, 
            fp = 0x7ffff3876010, 
            stream = {
              handle = 0x7ffff3876010, 
              isatty = 0, 
              mmap = {
---Type <return> to continue, or q <return> to quit---
                len = 260, 
                pos = 0, 
                map = 0x7ffff7fed000, 
                buf = 0x7ffff7fed000 <error: Cannot access memory at address 0x7ffff7fed000>, 
                old_handle = 0xfeaee0, 
                old_closer = 0x6ec1e0 <zend_stream_stdio_closer>
              }, 
              reader = 0x6ec210 <zend_stream_stdio_reader>, 
              fsizer = 0x6ec180 <zend_stream_stdio_fsizer>, 
              closer = 0x6ec100 <zend_stream_mmap_closer>
            }
          }, 
          filename = 0xee7ca0 "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php", 
          opened_path = 0x0, 
          type = ZEND_HANDLE_MAPPED, 
          free_filename = 0 '\000'
        }
        behavior = <optimized out>
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        php_optind = 2
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0xfeb310 "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php"
---Type <return> to continue, or q <return> to quit---
        lineno = 1
        param_error = 0x0
#13 0x000000000042a7c8 in main (argc=2, argv=0xee7c50) at /root/Desktop/php-src/sapi/cli/php_cli.c:1345
        __orig_bailout = 0x0
        __bailout = {{
            __jmpbuf = {15415648, 5509280957797559610, 0, 0, 0, 140737488347224, 5509280955867655482, -5509280384737678022}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {4131212846, 4294967295, 140737330963030, 140737330106872, 140737353968088, 140737333836888, 140737330552649, 0, 140737330537295, 0, 0, 72704, 72752, 4352, 18446744073709547520, 1}
            }
          }}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0xee7f10 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-03-19 05:54 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-19 05:54 UTC] stas@php.net
Not a security issue.
 [2016-03-19 05:55 UTC] stas@php.net
-Package: Unknown/Other Function +Package: Scripting Engine problem
 [2016-03-19 14:23 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2016-03-19 14:23 UTC] nikic@php.net
Duplicate of bug #71539.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 04:01:27 2019 UTC