php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73257 pointer to uninitialized memory passed to unserialize
Submitted: 2016-10-06 13:07 UTC Modified: 2016-12-30 09:05 UTC
From: yannayl at checkpoint dot com Assigned: stas
Status: Closed Package: SPL related
PHP Version: 7.0.11 OS:
Private report: No CVE-ID: 2016-7480
 [2016-10-06 13:07 UTC] yannayl at checkpoint dot com
Description:
------------
In SplObjectStorage::unserialize, pointer to uninitialized variable is passed to php_var_unserialize which may lead to code execution.

In SplObjectStorage::unserialize the variables entry and inf are defined on the stack. Then, they are passed as first argument (rval) to php_var_unserialize 
which ultimately invokes php_var_unserialize_internal with the same arguments.
In php_var_unserialize_internal, if the parsed element is a reference (R:), then zval_ptr_dtor is invoked with the given pointer. Thus, trying to destroy an uninitialized variable.

This issue may lead to memory corruption and undefined behavior (I think it can lead to remote code execution but don't have a demo yet).

Since the values of uninitialized variables depends on optimization, no test script it provided. However, I did manage to crash it randomly on Ubuntu 16.04 x86-64.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-06 13:10 UTC] yannayl at checkpoint dot com
Patch
```
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 4ad0c6d..bdd95bd 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -763,6 +763,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	spl_SplObjectStorageElement *element;
 	zend_long count;
 
+	ZVAL_UNDEF(&entry);
+	ZVAL_UNDEF(&inf);
+
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &buf, &buf_len) == FAILURE) {
 		return;
 	}
@@ -813,15 +816,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
 				zval_ptr_dtor(&entry);
 				goto outexcept;
 			}
-		} else {
-			ZVAL_UNDEF(&inf);
-		}
+		} 
 
 		if (spl_object_storage_get_hash(&key, intern, getThis(), &entry) == FAILURE) {
 			zval_ptr_dtor(&entry);
 			zval_ptr_dtor(&inf);
 			goto outexcept;
 		}
+
 		pelement = spl_object_storage_get(intern, &key);
 		spl_object_storage_free_hash(intern, &key);
 		if (pelement) {
```
 [2016-10-11 05:56 UTC] stas@php.net
-PHP Version: 7.1Git-2016-10-06 (Git) +PHP Version: 7.0.11
 [2016-10-11 05:56 UTC] stas@php.net
The fix is in security repo as 61cdd1255d5b9c8453be71aacbbf682796ac77d4 and in https://gist.github.com/878035c897be04617d38f15449b59797

please verify
 [2016-10-11 05:57 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 23:52 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-11 23:52 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 14:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-13 10:39 UTC] yannayl at checkpoint dot com
looks good
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-31 10:19 UTC] yannayl at checkpoint dot com
Assigned cve: CVE-2016-7480
Please associate it with this bug.
 [2016-12-30 09:05 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2016-7480
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 28 14:01:40 2017 UTC