Bug #73154 serialize object with __sleep function crash
Submitted: 2016-09-23 17:40 UTC Modified: 2016-09-26 02:58 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.26 OS: Ubuntu
Private report: No CVE-ID:
 [2016-09-23 17:40 UTC] ahihibughunter at gmail dot com
Description:
------------
When PHP tries to serialize an object with a __sleep function, it will crash.

Test script:
---------------
<?php
class a {
    public $a;
    public function __sleep() {
        // Called by serialize(). Property $a is a PHP reference to the same
        // slot as $x[0] (see the R:2 below), so this write replaces the
        // object currently being serialized with null and frees it.
        $this->a = null;
        return array();
    }
}
// One-element array holding an object of class a whose property "a" is a
// reference (R:) to value #2 of the stream, i.e. to the object itself.
$s = 'a:1:{i:0;O:1:"a":1:{s:1:"a";R:2;}}';
$x = unserialize($s);
// serialize() runs __sleep, then keeps using the overwritten object zval
// (the backtrace below ends in zend_get_object_classname).
serialize($x);

Expected result:
----------------
no crash

Actual result:
--------------
RAX: 0x13164a000000000
RBX: 0x7ffff7f7ddb0 --> 0x0
RCX: 0x0
RDX: 0x7fffffff9690 --> 0x0
RSI: 0x7fffffff98d0 --> 0x2
RDI: 0x7ffff7f7ddb0 --> 0x0
RBP: 0x7fffffff9560 --> 0x7fffffff9a60 --> 0x7fffffff9f60 --> 0x7fffffff9f80 --> 0x7fffffffa0e0 --> 0x7fffffffa290 (--> ...)
RSP: 0x7fffffff9540 --> 0x178f078 --> 0x0
RIP: 0xb6c82b (<zend_get_object_classname+102>: call   rax)
R8 : 0xffffefefbb0 --> 0x0
R9 : 0xffffe667d09 --> 0x0
R10: 0x0
R11: 0x7
R12: 0x7fffffff9690 --> 0x0
R13: 0x7fffffff98d0 --> 0x2
R14: 0x7fffffffa070 --> 0x7ffff7f7b258 ("a:1:{i:0;\262\367\367\377\177")
R15: 0x10007fff72ce --> 0xf4f4f404f1f1f1f1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb6c820 <zend_get_object_classname+91>:     mov    ecx,0x0
   0xb6c825 <zend_get_object_classname+96>:     mov    rdx,r12
   0xb6c828 <zend_get_object_classname+99>:     mov    rdi,rbx
=> 0xb6c82b <zend_get_object_classname+102>:    call   rax
   0xb6c82d <zend_get_object_classname+104>:    test   eax,eax
   0xb6c82f <zend_get_object_classname+106>:    je     0xb6c8d1 <zend_get_object_classname+268>
   0xb6c835 <zend_get_object_classname+112>:    mov    rdi,rbx
   0xb6c838 <zend_get_object_classname+115>:    call   0xb69dad <zend_get_class_entry>
Guessed arguments:
arg[0]: 0x7ffff7f7ddb0 --> 0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9540 --> 0x178f078 --> 0x0
0008| 0x7fffffff9548 --> 0x178d328 --> 0x6036000189c0 --> 0x41b58a01
0016| 0x7fffffff9550 --> 0x178f078 --> 0x0
0024| 0x7fffffff9558 --> 0x2f1e0f
0032| 0x7fffffff9560 --> 0x7fffffff9a60 --> 0x7fffffff9f60 --> 0x7fffffff9f80 --> 0x7fffffffa0e0 --> 0x7fffffffa290 (--> ...)
0040| 0x7fffffff9568 --> 0x9cb6bd (<php_var_serialize_intern+23746>:    test   eax,eax)
0048| 0x7fffffff9570 --> 0xfff00000001 --> 0x0
0056| 0x7fffffff9578 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000b6c82b in zend_get_object_classname (object=object@entry=0x7ffff7f7ddb0, class_name=class_name@entry=0x7fffffff98d0, class_name_len=class_name_len@entry=0x7fffffff9690) at /home/z/php5/Zend/zend_API.c:250
250                     Z_OBJ_HT_P(object)->get_class_name(object, class_name, class_name_len, 0 TSRMLS_CC) != SUCCESS) {
gdb-peda$ bt
#0  0x0000000000b6c82b in zend_get_object_classname (object=object@entry=0x7ffff7f7ddb0, class_name=class_name@entry=0x7fffffff98d0, class_name_len=class_name_len@entry=0x7fffffff9690) at /home/z/php5/Zend/zend_API.c:250
#1  0x00000000009cb6bd in php_var_serialize_class_name (struc=0x7ffff7f7ddb0, buf=0x7fffffffa070) at /home/z/php5/ext/standard/var.c:607
#2  php_var_serialize_class (var_hash=0x7ffff7f7b200, retval_ptr=0x7ffff7f7c540, struc=0x7ffff7f7ddb0, buf=0x7fffffffa070) at /home/z/php5/ext/standard/var.c:623
#3  php_var_serialize_intern (buf=buf@entry=0x7fffffffa070, struc=<optimized out>, var_hash=var_hash@entry=0x7ffff7f7b200) at /home/z/php5/ext/standard/var.c:813
#4  0x00000000009d0932 in php_var_serialize_intern (buf=0x7fffffffa070, struc=<optimized out>, var_hash=<optimized out>) at /home/z/php5/ext/standard/var.c:886
#5  0x00000000009d9e47 in php_var_serialize (buf=buf@entry=0x7fffffffa070, struc=<optimized out>, var_hash=var_hash@entry=0x7fffffffa030) at /home/z/php5/ext/standard/var.c:905
#6  0x00000000009da1f1 in zif_serialize (ht=<optimized out>, return_value=0x7ffff7f7dec0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/z/php5/ext/standard/var.c:927
#7  0x0000000000d616fc in zend_do_fcall_common_helper_SPEC (execute_data=execute_data@entry=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:558
#8  0x0000000000d630be in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:2602
#9  0x0000000000c148ad in execute_ex (execute_data=execute_data@entry=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:363
#10 0x0000000000d5caaf in zend_execute (op_array=0x7ffff7f7adc0) at /home/z/php5/Zend/zend_vm_execute.h:388
#11 0x0000000000b67b3e in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/z/php5/Zend/zend.c:1341
#12 0x0000000000a48876 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf20) at /home/z/php5/main/main.c:2613
#13 0x0000000000d6604e in do_cli (argc=argc@entry=0x2, argv=argv@entry=0x60060000ee90) at /home/z/php5/sapi/cli/php_cli.c:994
#14 0x0000000000d680d6 in main (argc=argc@entry=0x2, argv=0x60060000ee90, argv@entry=0x7fffffffe668) at /home/z/php5/sapi/cli/php_cli.c:1378
#15 0x00007ffff3da7f45 in __libc_start_main (main=0xd670a2 <main>, argc=0x2, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at libc-start.c:287
#16 0x00000000004226e9 in _start ()

History
 [2016-09-26 02:58 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-26 02:58 UTC] stas@php.net
Looks like specially constructed code, not a security issue.
 [2017-01-01 18:27 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4877641962a7ad77fd3d1dac0b59de37a52659a1
Log: Fixed bug #73154
 [2017-01-01 18:27 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2017-01-01 20:18 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be4ce98bdc56f8342b28343b78e00477a344681f
Log: Fixed bug #73154
 [2017-01-01 20:18 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4877641962a7ad77fd3d1dac0b59de37a52659a1
Log: Fixed bug #73154
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be4ce98bdc56f8342b28343b78e00477a344681f
Log: Fixed bug #73154
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 28 08:01:47 2017 UTC