php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81992 SplFixedArray::setSize() causes use-after-free
Submitted: 2023-05-10 11:39 UTC Modified: 2023-05-25 22:36 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: cyberguru007 at yandex dot ru Assigned:
Status: Closed Package: SPL related
PHP Version: 8.2.6RC1 OS: Linux
Private report: No CVE-ID: None
 [2023-05-10 11:39 UTC] cyberguru007 at yandex dot ru
Description:
------------
The root cause of this bug is similar to bug #80663.
There is a problem when __destruct called in the middle of SplFixedArray resizing. There is no check that size of internal storage was changed.
In function static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size) the case when size = 0 was fixed in #80663, but similar case when size < array->size was not fixed. It causes use-after-free.
The bug can be triggered locally, or remotely, for example using unserialize(), and cause code execution.

The bug exists in PHP versions from End of life 7.4.* to latest 8.2.*

Test script:
---------------
<?php
class InvalidDestructor {
    public function __destruct() {
        global $obj;
        $a = str_repeat('A', 100);
        var_dump($obj[2]);
    }
}

$obj = new SplFixedArray(5);
$obj[2] = str_repeat('B', 100);
$obj[3] = new InvalidDestructor();
$obj->setSize(2);


Expected result:
----------------
string(100) "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

Actual result:
--------------
string(100) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Patches

patch_for_php_8.2.5 (last revision 2023-05-10 11:39 UTC by cyberguru007 at yandex dot ru)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-05-25 22:36 UTC] stas@php.net
-Type: Security +Type: Bug
 [2023-08-14 19:39 UTC] git@php.net
Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/b71c6b2c6c11547cf7bd11a6109b34e9cb0792b1
Log: Fix #81992: SplFixedArray::setSize() causes use-after-free
 [2023-08-14 19:39 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jun 14 04:01:35 2024 UTC