|
 |
af9dc8 |
From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001
|
|
|
af9dc8 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
af9dc8 |
Date: Tue, 17 Mar 2015 13:20:22 -0700
|
|
|
af9dc8 |
Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in
|
|
|
af9dc8 |
unserialize()
|
|
|
af9dc8 |
|
|
|
af9dc8 |
---
|
|
|
af9dc8 |
NEWS | 3 +-
|
|
|
af9dc8 |
ext/standard/var_unserializer.c | 63 ++++++++++++++++++++--------------------
|
|
|
af9dc8 |
ext/standard/var_unserializer.re | 1 +
|
|
|
af9dc8 |
3 files changed, 35 insertions(+), 32 deletions(-)
|
|
|
af9dc8 |
|
|
|
af9dc8 |
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
|
|
|
af9dc8 |
index f114080..ee0cac4 100644
|
|
|
af9dc8 |
--- a/ext/standard/var_unserializer.c
|
|
|
af9dc8 |
+++ b/ext/standard/var_unserializer.c
|
|
|
af9dc8 |
@@ -315,6 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
|
|
|
af9dc8 |
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
|
|
|
af9dc8 |
sizeof data, NULL);
|
|
|
af9dc8 |
}
|
|
|
af9dc8 |
+ var_push_dtor(var_hash, &data);
|
|
|
af9dc8 |
|
|
|
af9dc8 |
zval_dtor(key);
|
|
|
af9dc8 |
FREE_ZVAL(key);
|
|
|
af9dc8 |
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
|
|
|
af9dc8 |
index f04fc74..abac77c 100644
|
|
|
af9dc8 |
--- a/ext/standard/var_unserializer.re
|
|
|
af9dc8 |
+++ b/ext/standard/var_unserializer.re
|
|
|
af9dc8 |
@@ -321,6 +321,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
|
|
|
af9dc8 |
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
|
|
|
af9dc8 |
sizeof data, NULL);
|
|
|
af9dc8 |
}
|
|
|
af9dc8 |
+ var_push_dtor(var_hash, &data);
|
|
|
af9dc8 |
|
|
|
af9dc8 |
zval_dtor(key);
|
|
|
af9dc8 |
FREE_ZVAL(key);
|
|
|
af9dc8 |
--
|
|
|
af9dc8 |
2.1.4
|
|
|
af9dc8 |
|
|
|
af9dc8 |
From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001
|
|
|
af9dc8 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
af9dc8 |
Date: Tue, 17 Mar 2015 17:03:46 -0700
|
|
|
af9dc8 |
Subject: [PATCH] add test for bug #68976
|
|
|
af9dc8 |
|
|
|
af9dc8 |
---
|
|
|
af9dc8 |
ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++
|
|
|
af9dc8 |
1 file changed, 37 insertions(+)
|
|
|
af9dc8 |
create mode 100644 ext/standard/tests/serialize/bug68976.phpt
|
|
|
af9dc8 |
|
|
|
af9dc8 |
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt
|
|
|
af9dc8 |
new file mode 100644
|
|
|
af9dc8 |
index 0000000..a79a953
|
|
|
af9dc8 |
--- /dev/null
|
|
|
af9dc8 |
+++ b/ext/standard/tests/serialize/bug68976.phpt
|
|
|
af9dc8 |
@@ -0,0 +1,37 @@
|
|
|
af9dc8 |
+--TEST--
|
|
|
af9dc8 |
+Bug #68976 Use After Free Vulnerability in unserialize()
|
|
|
af9dc8 |
+--FILE--
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+class evilClass {
|
|
|
af9dc8 |
+ public $name;
|
|
|
af9dc8 |
+ function __wakeup() {
|
|
|
af9dc8 |
+ unset($this->name);
|
|
|
af9dc8 |
+ }
|
|
|
af9dc8 |
+}
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+$fakezval = pack(
|
|
|
af9dc8 |
+ 'IIII',
|
|
|
af9dc8 |
+ 0x00100000,
|
|
|
af9dc8 |
+ 0x00000400,
|
|
|
af9dc8 |
+ 0x00000000,
|
|
|
af9dc8 |
+ 0x00000006
|
|
|
af9dc8 |
+);
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+for($i = 0; $i < 5; $i++) {
|
|
|
af9dc8 |
+ $v[$i] = $fakezval.$i;
|
|
|
af9dc8 |
+}
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+var_dump($data);
|
|
|
af9dc8 |
+?>
|
|
|
af9dc8 |
+===DONE===
|
|
|
af9dc8 |
+--EXPECTF--
|
|
|
af9dc8 |
+array(2) {
|
|
|
af9dc8 |
+ [0]=>
|
|
|
af9dc8 |
+ object(evilClass)#1 (0) {
|
|
|
af9dc8 |
+ }
|
|
|
af9dc8 |
+ [1]=>
|
|
|
af9dc8 |
+ int(1)
|
|
|
af9dc8 |
+}
|
|
|
af9dc8 |
+===DONE===
|
|
|
af9dc8 |
--
|
|
|
af9dc8 |
2.1.4
|
|
|
af9dc8 |
|