Sec Bug #73147 Use After Free in unserialize()
Submitted: 2016-09-23 13:22 UTC Modified: 2016-11-02 09:25 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: 2016-9137
 [2016-09-23 13:22 UTC] taoguangchen at icloud dot com
Description:
------------
PoC:
```php
<?php

$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
unserialize($poc);

?>
```
 [2016-09-26 02:55 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2016-09-26 02:55 UTC] stas@php.net
The fix is in security repo as 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and in https://gist.github.com/57d761ebfeed962fe7ffb498348f2965

please verify
 [2016-09-26 11:10 UTC] taoguangchen at icloud dot com
A similar bug can also be triggered via Exception::__toString with DateInterval::__wakeup

```c
ZEND_METHOD(exception, __toString)
{
...
	zend_update_property_str(base_ce, exception, "string", sizeof("string")-1, str);
```

PoC:
```php
<?php

$poc = 'O:9:"Exception":2:{S:17:"\00Exception\00string";R:1;i:0;O:12:"DateInterval":1:{s:4:"days";R:1;}}';
unserialize($poc);

?>
```
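As an added defensive example (not the reporter's code and not part of PHP's fix), the following shows how an application on PHP 7.0 or later keeps the `__wakeup()`/`__toString()` paths used by both PoCs in this thread from running at all: it unserializes with `allowed_classes => false`, so no class from the payload is instantiated, and rejects any payload that would have produced an object. The function names `safe_unserialize` and `contains_incomplete_class`, the depth limit and the sample inputs are choices made here; PHP 5.6 has no `allowed_classes` option.

```php
<?php
// Added example, not code from the bug report. Assumes PHP >= 7.0, where
// unserialize() accepts the allowed_classes option. Without class
// instantiation, CURLFile/DateInterval __wakeup() and Exception __toString()
// from the payload never execute, so the reference trick has nothing to free.

/** True if $value is, or contains, a __PHP_Incomplete_Class instance. */
function contains_incomplete_class($value, int $depth = 0): bool
{
    // R:1-style self references can make an array contain itself; treat
    // anything deeper than 64 levels as suspicious instead of recursing forever.
    if ($depth > 64) {
        return true;
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Unserialize untrusted data without instantiating any class. Object tokens
 * become __PHP_Incomplete_Class; that is treated as an attack indicator and
 * the whole payload is rejected rather than handed to the caller.
 */
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_incomplete_class($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Constructed inputs: the two PoC strings from this report plus a benign array.
$samples = [
    'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}',
    'O:9:"Exception":2:{S:17:"\00Exception\00string";R:1;i:0;O:12:"DateInterval":1:{s:4:"days";R:1;}}',
    'a:2:{s:4:"user";s:5:"alice";s:5:"roles";a:1:{i:0;s:6:"viewer";}}',
];
foreach ($samples as $s) {
    try {
        echo "accepted: ", json_encode(safe_unserialize($s)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The first two samples are rejected before any magic method can run; only the plain array is returned.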
 [2016-09-26 19:42 UTC] stas@php.net
Hmmm... I suspect there might also be other places. I'm not sure how to handle this problem in general, as a reference allows overwriting anything, by definition; that's how references are supposed to work.
 [2016-09-26 22:30 UTC] taoguangchen at icloud dot com
The following patch can fix this bug:

```
+	zval tmp;
+	ZVAL_STRINGL(&tmp, "string", sizeof("string") - 1);
+	Z_OBJ_HANDLER_P(exception, unset_property)(exception, &tmp, NULL);
+	zval_ptr_dtor(&tmp);
	zend_update_property_str(base_ce, exception, "string", sizeof("string")-1, str);
```
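Review bot: This is a point fix for one call site only: dropping the `string` property before `zend_update_property_str` writes it removes whatever reference the payload placed there, but any other property written after unserialize-controlled data has landed in it (the DateInterval::__wakeup case in this thread) is left with the same problem. Add a comment above the four `+` lines explaining why the property is unset first, since without it the unset looks redundant, and consider whether allocating and freeing `tmp` on every `__toString` call is needed when the property name is a constant literal.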
 [2016-09-26 22:35 UTC] stas@php.net
Yes, I know this particular one can be easily fixed. The problem is that every __wakeup that modifies any property would produce the same problem.
 [2016-09-26 22:41 UTC] taoguangchen at icloud dot com
You can handle the DateInterval::__wakeup() like PHP5.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 15:57 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f42cbd749cde1f91274c1d03df9024baba141a8f
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d13507d2e6d7c280888cc9c3cab125b347662e90
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54003ab6631b489af54631a548597e8bd599b266
Log: Fix bug #73147: Use After Free in PHP7 unserialize()
 [2016-10-14 06:00 UTC] tyrael@php.net
-Summary: Use After Free in PHP7 unserialize() +Summary: Use After Free in unserialize()
 [2016-11-02 09:25 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-9137
 [2016-11-02 09:25 UTC] kaplan@php.net
From CVE-assign:
"Use CVE-2016-9137 for the ext/curl/curl_file.c vulnerability that was
fixed in 5.6.27 and 7.0.12.

Use CVE-2016-9138 for the remaining security problem associated with
__wakeup that is still present in 5.6.27 and 7.0.12."
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 01:01:34 2017 UTC