PHP :: Bug #81992 :: SplFixedArray::setSize() causes use-after-free

Bug #81992

SplFixedArray::setSize() causes use-after-free

Submitted:

2023-05-10 11:39 UTC

Modified:

2023-05-25 22:36 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

cyberguru007 at yandex dot ru

Assigned:

Status:

Closed

Package:

SPL related

PHP Version:

8.2.6RC1

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2023-05-10 11:39 UTC] cyberguru007 at yandex dot ru

Description:
------------
The root cause of this bug is similar to bug #80663.
There is a problem when __destruct called in the middle of SplFixedArray resizing. There is no check that size of internal storage was changed.
In function static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size) the case when size = 0 was fixed in #80663, but similar case when size < array->size was not fixed. It causes use-after-free.
The bug can be triggered locally, or remotely, for example using unserialize(), and cause code execution.

The bug exists in PHP versions from End of life 7.4.* to latest 8.2.*

Test script:
---------------
<?php
class InvalidDestructor {
    public function __destruct() {
        global $obj;
        $a = str_repeat('A', 100);
        var_dump($obj[2]);
    }
}

$obj = new SplFixedArray(5);
$obj[2] = str_repeat('B', 100);
$obj[3] = new InvalidDestructor();
$obj->setSize(2);


Expected result:
----------------
string(100) "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

Actual result:
--------------
string(100) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Patches

patch_for_php_8.2.5 (last revision 2023-05-10 11:39 UTC by cyberguru007 at yandex dot ru)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2023-05-25 22:36 UTC] stas@php.net

-Type: Security +Type: Bug

[2023-08-14 19:39 UTC] git@php.net

Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/b71c6b2c6c11547cf7bd11a6109b34e9cb0792b1
Log: Fix #81992: SplFixedArray::setSize() causes use-after-free

[2023-08-14 19:39 UTC] git@php.net

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 28 08:01:28 2024 UTC