Bug #72195 pg_pconnect/pg_connect cause use-after-free
Submitted: 2016-05-11 12:31 UTC Modified: 2016-05-11 16:16 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.0.6 OS: Linux
Private report: No CVE-ID:
 [2016-05-11 12:31 UTC] fernando at null-life dot com
Description:
------------
This was tested on 32-bit.

pg_pconnect/pg_connect seem to be freeing the value passed as the connection string, but when this value is an array value, it can still be referenced, which causes a use-after-free.

In the sample, $val is an empty array, but after calling pg_pconnect and another function (tempnam in this test case) it will be invalid and overwritten with other values.

The script output 47464544 comes from the GFED value in the tempnam call result.

Test script:
---------------
<?php

$val = [];
$var1 = $val;                       // $var1 refers to the same empty array as $val
printf("%x\n", count($val));        // prints 0
@pg_pconnect($var1, "2", "3", "4"); // array passed where the connection string is expected
$var1 = "";
tempnam('/tmp', 'ABCDEFGHI');       // allocates a string that reuses the freed memory
printf("%x\n", count($val));        // $val now reads bytes from the tempnam result

Expected result:
----------------
0
0

Actual result:
--------------
0
47464544
php: /home/user/php-7.0/Zend/zend_gc.c:226: gc_possible_root: Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed.
Aborted

History
 [2016-05-11 16:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-12 05:16 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c0341e6f9c802ff50cc4eb08e6b90793d033aad
Log: Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free)
 [2016-05-12 05:16 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c0341e6f9c802ff50cc4eb08e6b90793d033aad
Log: Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC