PHP :: Bug #81714 :: segfault (use-after-free) serializing finalized HashContext

Bug #81714	segfault (use-after-free) serializing finalized HashContext
Submitted:	2022-03-28 09:16 UTC	Modified:	2022-03-29 09:50 UTC
From:	mail at lucaswerkmeister dot de	Assigned:	cmb (profile)
Status:	Closed	Package:	hash related
PHP Version:	8.1.4	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	mail at lucaswerkmeister dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2022-03-28 09:16 UTC] mail at lucaswerkmeister dot de

Description:
------------
Attempting to serialize a finalized HashContext segfaults. Looking at the php-src code, I suspect this is a use-after-free (so a potential security vulnerability): php_hash_serialize_spec() uses hash->context after it was efree()d in PHP_FUNCTION(hash_final).

I found the issue in PHP 8.0.8 (Ubuntu 21.10 Impish Indri). 3v4l DOT org SLASH dnXnr claims the issue is present in all PHP 8 versions, including master. (In PHP 7, HashContext is not serializable.)

Tested with 'sha256' and 'md5' algos (MD5 used in test script for brevity). I assume the actual hash algorithm is irrelevant.

Test script:
---------------
<?php

$h = hash_init('md5');
hash_final($h);
serialize($h);

OR:

php -r '$h=hash_init("md5");hash_final($h);serialize($h);'

Expected result:
----------------
Some kind of error, probably. I don’t think it’s necessary for a finalized HashContext to have a valid serialization, it just shouldn’t crash.

Actual result:
--------------
Top of internal stack trace (coredumpctl gdb; memory addresses redacted):

                Stack trace of thread 918674:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x xdebug_execute_internal (xdebug.so + 0x)
                #3  0x zend_call_function (php8.0 + 0x)
                #4  0x zend_call_known_function (php8.0 + 0x)
                #5  0x n/a (php8.0 + 0x)
                #6  0x php_var_serialize (php8.0 + 0x)

Without xdebug enabled:

                Stack trace of thread 919029:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x zend_call_function (php8.0 + 0x)
                #3  0x zend_call_known_function (php8.0 + 0x)
                #4  0x n/a (php8.0 + 0x)
                #5  0x php_var_serialize (php8.0 + 0x)

Patches

Add a Patch

Pull Requests

Pull requests:

Fix #81714: segfault when serializing finalized HashContext (php-src/8265)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2022-03-28 16:49 UTC] stas@php.net

-Type: Security +Type: Bug

[2022-03-29 09:50 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2022-03-29 09:51 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #81714: segfault when serializing finalized HashContext
On GitHub:  https://github.com/php/php-src/pull/8265
Patch:      https://github.com/php/php-src/pull/8265.patch

[2022-04-05 11:37 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/c2eafc29f5ecf49c86e5a3cb5ba9d6beda6c5ba9
Log: Fix #81714: segfault when serializing finalized HashContext

[2022-04-05 11:37 UTC] git@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 01:01:28 2024 UTC