php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73052 Memory Corruption in During Deserialized-object Destruction
Submitted: 2016-09-09 03:07 UTC Modified: 2016-09-16 13:36 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.6.25 OS:
Private report: No CVE-ID: 2016-7411
 [2016-09-09 03:07 UTC] taoguangchen at icloud dot com
Description:
------------
Memory Corruption in During Deserialized-object Destruction

```
if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
    /* We've got partially constructed object on our hands here. Wipe it. */
    if(Z_TYPE_PP(rval) == IS_OBJECT) {
       zend_hash_clean(Z_OBJPROP_PP(rval));
    }
    ZVAL_NULL(*rval);
  return 0;
}
```

If object deserialization fails, the broken-object's properties will be cleaned. But the object still stored in objects_store, then destructor call with uninitialized properties in during shutdown, that result in memory corruption. 

PoC:
```
<?php

class obj {
    var $ryat;
    public function __destruct() {
        $this->ryat = null;
    }
}

$poc = 'O:3:"obj":1:{';
unserialize($poc);

?>
```

Fix:

You need to set the broken-object's destructor_called into 1.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-09 11:14 UTC] taoguangchen at icloud dot com
Fix:

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(rval)].destructor_called = 1;
}
```
 [2016-09-09 17:20 UTC] stas@php.net
It's not a good idea to directly access internal structures in serializer code, but I'll look for a better solution.
 [2016-09-12 03:31 UTC] taoguangchen at icloud dot com
You can also consider calling zend_object_store_ctor_failed()

```
if(Z_TYPE_PP(rval) == IS_OBJECT) {
	zend_hash_clean(Z_OBJPROP_PP(rval));
+	zend_object_store_ctor_failed(*rval, TSRMLS_CC);
}
```
 [2016-09-12 04:06 UTC] stas@php.net
Yes, zend_object_store_ctor_failed would be better here.
 [2016-09-12 04:20 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-12 04:20 UTC] stas@php.net
The fix is in security repo as 9ed121184869100b721cf744fa2326715da0889c and in https://gist.github.com/25caa2f05e6f556ab4c0fe1684763961

please verify
 [2016-09-12 04:22 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-09-13 04:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:04 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:06 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 04:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-13 09:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-15 09:30 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-09-16 13:36 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-7411
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27876d22ef47cd8efe6230ee5cb52ab5d650c848
Log: Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC