Bug #73917 var_dump recursion protection does not work for objects which create debug info
Submitted: 2017-01-12 07:02 UTC Modified: 2017-01-16 11:16 UTC
From: varsleak at gmail dot com Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6Git-2017-01-12 (Git) OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2017-01-12 07:02 UTC] varsleak at gmail dot com
Description:
------------
The php CLI crashed when calling unserialize & var_dump; the gdb backtrace is below.

➜  cli git:(master) ✗ ./php5630RC1git -n -v 
PHP 5.6.30RC1 (cli) (built: Jan 11 2017 17:54:55) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
➜  cli git:(master) ✗ gdb ./php5630RC1git
...
(gdb) set args ./crash.php
...
Program received signal SIGSEGV, Segmentation fault.
xbuf_format_converter (xbuf=xbuf@entry=0x7fffff7ff830, fmt=fmt@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880) at /home/varsleak/github/php-src/main/spprintf.c:204
warning: Source file is more recent than executable.
204	
(gdb) backtrace full 5
#0  xbuf_format_converter (xbuf=xbuf@entry=0x7fffff7ff830, fmt=fmt@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880) at /home/varsleak/github/php-src/main/spprintf.c:204
        s = 0x0
        s_len = <error reading variable s_len (Cannot access memory at address 0x7fffff7fefa4)>
        free_zcopy = <error reading variable free_zcopy (Cannot access memory at address 0x7fffff7fefa8)>
        zvp = <optimized out>
        zcopy = <error reading variable zcopy (Cannot access memory at address 0x7fffff7fefb0)>
        min_width = 0
        precision = 0
        adjust = <optimized out>
        pad_char = <optimized out>
        prefix_char = <optimized out>
        fp_num = <optimized out>
        i_num = 0
        ui_num = 0
        num_buf = <error reading variable num_buf (Cannot access memory at address 0x7fffff7fefe0)>
        char_buf = <error reading variable char_buf (Cannot access memory at address 0x7fffff7fefd0)>
        lconv = 0x0
        modifier = <optimized out>
        alternate_form = <optimized out>
        print_sign = <optimized out>
        print_blank = <optimized out>
        adjust_precision = <optimized out>
        adjust_width = <optimized out>
        is_negative = <error reading variable is_negative (Cannot access memory at address 0x7fffff7fefac)>
#1  0x0000000000698349 in vspprintf (pbuf=pbuf@entry=0x7fffff7ff878, max_len=max_len@entry=0, format=format@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880)
    at /home/varsleak/github/php-src/main/spprintf.c:821
        xbuf = {c = 0x0, len = 0, a = 0}
#2  0x00000000006902dd in php_printf (format=format@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s") at /home/varsleak/github/php-src/main/main.c:756
        args = <error reading variable args (Attempt to dereference a generic pointer.)>
        ret = <optimized out>
        buffer = 0x696f30 <xbuf_format_converter+1456> "D\205$$L\211s\btF\213D$TA9\307~=H\213;D\211\372)\302H\205\377\017\204j\n"
        size = <optimized out>
#3  0x00000000006915cf in php_error_cb (type=2, error_filename=<optimized out>, error_lineno=11, format=<optimized out>, args=<optimized out>) at /home/varsleak/github/php-src/main/main.c:1189
        prepend_string = 0x0
        append_string = <optimized out>
        error_type_str = <optimized out>
        buffer = 0x1fbf010 "var_dump(): Invalid State Error"
        buffer_len = 31
        display = <optimized out>
#4  0x00000000006f87dc in zend_error (type=type@entry=2, format=format@entry=0xb7cbc5 "%s") at /home/varsleak/github/php-src/Zend/zend.c:1142
        args = <error reading variable args (Attempt to dereference a generic pointer.)>
        usr_copy = <error reading variable usr_copy (Attempt to dereference a generic pointer.)>
        params = <optimized out>
        retval = 0x0
        z_error_type = 0x7fffff7ffc68
        z_error_message = 0x0
        z_error_filename = 0x13
        z_error_lineno = 0x1
        z_context = 0x2
        error_filename = 0x7ffff7fb8f80 "/home/varsleak/php569rc/bin/crash.php"
        error_lineno = <optimized out>
        orig_user_error_handler = 0x11
        in_compilation = <optimized out>
        saved_class_entry = <optimized out>
(More stack frames follow...)


I replaced var_dump with print_r, but then the program went into an infinite loop.

Test script:
---------------
<?php

// Serialized DOMEntity with one property whose mangled name "\0Exception\0previous"
// (S: = escaped string, 19 bytes) is set to R:1;, a reference back to the object itself.
// The property list must be enclosed in braces; the copy of the payload in the report
// had lost the opening "{", without which unserialize() simply returns false.
$data = 'O:9:"DOMEntity":1:{S:19:"\00Exception\00previous";R:1;}';

$unstr = unserialize($data);

var_dump($unstr);      // segfaults on 5.6 (see backtrace above)
// print_r($unstr);    // loops forever instead
?>



History

 [2017-01-13 12:23 UTC] cmb@php.net
-Summary: php crashed when call unserizlize & var_dump +Summary: php crashed when call unserialize & var_dump
 [2017-01-16 06:58 UTC] stas@php.net
-Summary: php crashed when call unserialize & var_dump +Summary: var_dump recursion protection does not work for objects which create debug info -Type: Security +Type: Bug
 [2017-01-16 06:58 UTC] stas@php.net
The issue here is that var_dump recursion protection does not work for self-referential objects that create their own debug info, since var_dump relies on the apply count, and that apply count is created afresh each time. Not a security issue though.
 [2017-01-16 11:16 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2017-01-16 11:16 UTC] nikic@php.net
As this has been classified as not a security issue, I'm closing this bug report, as the issue has been resolved in actively supported versions of PHP (7.0+). In PHP 7 we're using the apply count on the object instead.
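The mechanism the two comments above describe, as an added example that is not php-src code: a small C model of the var_dump recursion guard. PHP 5.6 increments and tests the apply count of the HashTable returned by get_debug_info; when that table is allocated fresh on every call (DOM objects, or a __debugInfo() returning a new array, both of which take the is_temp path), the count is always 1 at the check and the guard never fires. PHP 7 keeps the count on the object, which is the same on every visit. The names get_debug_info, dump, dump_self_referential and MAX_DEPTH are stand-ins invented for this example; the real dumper has no depth cap and recurses until the C stack is exhausted, which is what the "Cannot access memory" reads on stack addresses in the backtrace above look like.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the C stack limit (assumption for the example). Real php-src has
 * no such cap: the 5.6 dumper recurses until the stack runs out and segfaults. */
#define MAX_DEPTH 16

typedef struct object object;

/* Models a get_debug_info() result with is_temp = 1: a table allocated on every
 * call, so its apply count starts at 0 each time. One "property" is enough. */
typedef struct {
    int apply_count;      /* models HashTable.nApplyCount */
    object *child;        /* the property value; here a reference back to the owner */
} debug_table;

struct object {
    const char *class_name;
    int apply_count;      /* models PHP 7's per-object apply count */
    object *previous;     /* the slot that R:1; in the payload points back at */
};

/* Models dom_get_debug_info() / __debugInfo(): a fresh table on every visit. */
static debug_table *get_debug_info(object *obj)
{
    debug_table *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->child = obj->previous;
    return t;
}

typedef enum {
    GUARD_TABLE,   /* PHP 5.6: ++myht->nApplyCount > 1 on the debug-info table */
    GUARD_OBJECT   /* PHP 7.0+: apply count kept on the object itself */
} guard_kind;

typedef struct {
    int max_depth;        /* deepest recursion level reached */
    int recursion_hits;   /* times the dumper printed "*RECURSION*" */
    int overflowed;       /* 1 if MAX_DEPTH was reached (a real build crashes here) */
} dump_stats;

static void dump(object *obj, int depth, guard_kind kind, dump_stats *st)
{
    if (depth > st->max_depth) st->max_depth = depth;
    if (depth >= MAX_DEPTH) { st->overflowed = 1; return; }

    if (kind == GUARD_OBJECT) {
        /* Same object on every visit, so this count survives across calls. */
        if (obj->apply_count > 0) {
            puts("*RECURSION*");
            st->recursion_hits++;
            return;
        }
        obj->apply_count++;
    }

    debug_table *t = get_debug_info(obj);

    if (kind == GUARD_TABLE) {
        /* 5.6 check. t was just allocated, so ++ yields 1 and this never fires. */
        if (++t->apply_count > 1) {
            puts("*RECURSION*");
            st->recursion_hits++;
            free(t);
            return;
        }
    }

    printf("%*sobject(%s) {\n", depth * 2, "", obj->class_name);
    if (t->child) dump(t->child, depth + 1, kind, st);
    printf("%*s}\n", depth * 2, "");

    free(t);                                  /* is_temp: table destroyed after use */
    if (kind == GUARD_OBJECT) obj->apply_count--;
}

/* Dumps a self-referential object with the chosen guard and reports what happened. */
dump_stats dump_self_referential(guard_kind kind)
{
    object o = { "DOMEntity", 0, NULL };
    o.previous = &o;      /* the R:1; back-reference from the serialized payload */
    dump_stats st = { 0, 0, 0 };
    dump(&o, 0, kind, &st);
    return st;
}

int main(void)
{
    dump_stats old = dump_self_referential(GUARD_TABLE);
    printf("table guard:  max_depth=%d hits=%d overflowed=%d\n",
           old.max_depth, old.recursion_hits, old.overflowed);
    dump_stats fixed = dump_self_referential(GUARD_OBJECT);
    printf("object guard: max_depth=%d hits=%d overflowed=%d\n",
           fixed.max_depth, fixed.recursion_hits, fixed.overflowed);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The table guard walks down to MAX_DEPTH without ever printing "*RECURSION*"; the object guard stops at depth 1. The general rule this illustrates: a recursion guard has to be keyed on the identity that persists across visits (the object, or an address in a visited set), never on an artifact that the visit itself creates.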