php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81714 segfault (use-after-free) serializing finalized HashContext
Submitted: 2022-03-28 09:16 UTC Modified: 2022-03-29 09:50 UTC
From: mail at lucaswerkmeister dot de Assigned: cmb (profile)
Status: Closed Package: hash related
PHP Version: 8.1.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mail at lucaswerkmeister dot de
New email:
PHP Version: OS:

 

 [2022-03-28 09:16 UTC] mail at lucaswerkmeister dot de
Description:
------------
Attempting to serialize a finalized HashContext segfaults. Looking at the php-src code, I suspect this is a use-after-free (so a potential security vulnerability): php_hash_serialize_spec() uses hash->context after it was efree()d in PHP_FUNCTION(hash_final).

I found the issue in PHP 8.0.8 (Ubuntu 21.10 Impish Indri). 3v4l DOT org SLASH dnXnr claims the issue is present in all PHP 8 versions, including master. (In PHP 7, HashContext is not serializable.)

Tested with 'sha256' and 'md5' algos (MD5 used in test script for brevity). I assume the actual hash algorithm is irrelevant.

Test script:
---------------
<?php

$h = hash_init('md5');
hash_final($h);
serialize($h);

OR:

php -r '$h=hash_init("md5");hash_final($h);serialize($h);'

Expected result:
----------------
Some kind of error, probably. I don’t think it’s necessary for a finalized HashContext to have a valid serialization, it just shouldn’t crash.

Actual result:
--------------
Top of internal stack trace (coredumpctl gdb; memory addresses redacted):

                Stack trace of thread 918674:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x xdebug_execute_internal (xdebug.so + 0x)
                #3  0x zend_call_function (php8.0 + 0x)
                #4  0x zend_call_known_function (php8.0 + 0x)
                #5  0x n/a (php8.0 + 0x)
                #6  0x php_var_serialize (php8.0 + 0x)

Without xdebug enabled:

                Stack trace of thread 919029:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x zend_call_function (php8.0 + 0x)
                #3  0x zend_call_known_function (php8.0 + 0x)
                #4  0x n/a (php8.0 + 0x)
                #5  0x php_var_serialize (php8.0 + 0x)


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-03-28 16:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-03-29 09:50 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2022-03-29 09:51 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81714: segfault when serializing finalized HashContext
On GitHub:  https://github.com/php/php-src/pull/8265
Patch:      https://github.com/php/php-src/pull/8265.patch
 [2022-04-05 11:37 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/c2eafc29f5ecf49c86e5a3cb5ba9d6beda6c5ba9
Log: Fix #81714: segfault when serializing finalized HashContext
 [2022-04-05 11:37 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Aug 18 17:05:49 2022 UTC