php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73029 Missing type check when unserializing SplArray
Submitted: 2016-09-06 09:45 UTC Modified: 2016-09-16 13:41 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.26RC1 OS: ALL
Private report: No CVE-ID: 2016-7417
 [2016-09-06 09:45 UTC] ahihibughunter at gmail dot com
Description:
------------
The return value is not checked and used on spl_array_get_dimension_ptr_ptr

static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */
{
....
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); <--- here is not check ht with NULL

} 

Test script:
---------------
<?php
$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
$m = unserialize($a);
$x = $m[2];
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /data/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
(gdb) r se.php
Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
60              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
#1  0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0)
    at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938
#2  0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357
#3  0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406
#4  0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0)
    at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434
#5  0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8,
    dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364
#6  0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849
#7  0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#8  0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#9  0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/php-src-PHP-5.6.26/Zend/zend.c:1341
#10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200)
    at /data/php-src-PHP-5.6.26/main/main.c:2613
#11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994
#12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-12 02:53 UTC] stas@php.net
-Summary: _zend_is_inconsistent null dereference +Summary: Missing type check when unserializing SplArray
 [2016-09-12 03:38 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-12 03:38 UTC] stas@php.net
The fix is in security repo as 6d16288150be33392a3249e417a0929881feb9a2 and in https://gist.github.com/b243ac0ce783c0d286d2619e3d6651d6

please verify
 [2016-09-12 04:23 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-09-12 05:13 UTC] ahihibughunter at gmail dot com
This patch look OK.
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=589cfc7d0ebbc2399b6cbac3351ae26d569e9600
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-09-16 13:41 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7417
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ecb7f58a069be0dec4a6131b6351a761f808f22e
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=022e75cba104c52ccfb494ce224c2c4d0ff2dddc
Log: Fix bug #73029 - Missing type check when unserializing SplArray
 [2021-05-31 09:38 UTC] hu dot chuckie at gmail dot com
The following pull request has been associated:

Patch Name: Add commit ID to build info
On GitHub:  https://github.com/php/doc-base/pull/17
Patch:      https://github.com/php/doc-base/pull/17.patch
 [2021-05-31 09:39 UTC] hu dot chuckie at gmail dot com
The following pull request has been associated:

Patch Name: 新增过滤器相关的翻译
On GitHub:  https://github.com/php/doc-zh/pull/17
Patch:      https://github.com/php/doc-zh/pull/17.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC