From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Tue, 1 Sep 2015 00:14:15 -0700

Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in

 unserialize() with SplObjectStorage

---

 ext/spl/spl_observer.c      |  2 ++

 ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++

 2 files changed, 52 insertions(+)

 create mode 100644 ext/spl/tests/bug70365.phpt

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c

index 5d94a3b..6a2e321 100644

--- a/ext/spl/spl_observer.c

+++ b/ext/spl/spl_observer.c

@@ -869,6 +869,7 @@ SPL_METHOD(SplObjectStorage, unserialize)

 			zval_ptr_dtor(&pentry);

 			goto outexcept;

 		}

+		var_push_dtor(&var_hash, &pentry);

 		if(Z_TYPE_P(pentry) != IS_OBJECT) {

 			zval_ptr_dtor(&pentry);

 			goto outexcept;

@@ -880,6 +881,7 @@ SPL_METHOD(SplObjectStorage, unserialize)

 				zval_ptr_dtor(&pinf);

 				goto outexcept;

 			}

+			var_push_dtor(&var_hash, &pinf);

 		}

 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);

diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt

new file mode 100644

index 0000000..bd57360

--- /dev/null

+++ b/ext/spl/tests/bug70365.phpt

@@ -0,0 +1,50 @@

+--TEST--

+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage

+--FILE--

+

+class obj {

+	var $ryat;

+	function __wakeup() {

+		$this->ryat = 1;

+	}

+}

+

+$fakezval = ptr2str(1122334455);

+$fakezval .= ptr2str(0);

+$fakezval .= "\x00\x00\x00\x00";

+$fakezval .= "\x01";

+$fakezval .= "\x00";

+$fakezval .= "\x00\x00";

+

+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';

+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';

+

+$data = unserialize($exploit);

+

+var_dump($data);

+

+function ptr2str($ptr)

+{

+	$out = '';

+	for ($i = 0; $i < 8; $i++) {

+		$out .= chr($ptr & 0xff);

+		$ptr >>= 8;

+	}

+	return $out;

+}

+--EXPECTF--

+array(5) {

+  [0]=>

+  int(1)

+  [1]=>

+  &int(1)

+  [2]=>

+  object(obj)#%d (1) {

+    ["ryat"]=>

+    &int(1)

+  }

+  [3]=>

+  int(1)

+  [4]=>

+  string(24) "%s"

+}

-- 

2.1.4

From 259057b2a484747a6c73ce54c4fa0f5acbd56179 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Tue, 1 Sep 2015 00:20:45 -0700

Subject: [PATCH] Fix bug #70366 - use-after-free vulnerability in

 unserialize() with SplDoublyLinkedList

---

 ext/spl/spl_dllist.c        |  1 +

 ext/spl/tests/bug70365.phpt |  2 +-

 ext/spl/tests/bug70366.phpt | 54 +++++++++++++++++++++++++++++++++++++++++++++

 3 files changed, 56 insertions(+), 1 deletion(-)

 create mode 100644 ext/spl/tests/bug70366.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c

index 011d7a6..ebe61c3 100644

--- a/ext/spl/spl_dllist.c

+++ b/ext/spl/spl_dllist.c

@@ -1219,6 +1219,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)

 			zval_ptr_dtor(&elem);

 			goto error;

 		}

+		var_push_dtor(&var_hash, &elem);

 		spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);

 	}

diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt

index bd57360..c18110e 100644

--- a/ext/spl/tests/bug70365.phpt

+++ b/ext/spl/tests/bug70365.phpt

@@ -1,5 +1,5 @@

 --TEST--

-SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage

+SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage

 --FILE--

 class obj {

diff --git a/ext/spl/tests/bug70366.phpt b/ext/spl/tests/bug70366.phpt

new file mode 100644

index 0000000..c9aa584

--- /dev/null

+++ b/ext/spl/tests/bug70366.phpt

@@ -0,0 +1,54 @@

+--TEST--

+SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList

+--FILE--

+

+class obj {

+	var $ryat;

+	function __wakeup() {

+		$this->ryat = 1;

+	}

+}

+

+$fakezval = ptr2str(1122334455);

+$fakezval .= ptr2str(0);

+$fakezval .= "\x00\x00\x00\x00";

+$fakezval .= "\x01";

+$fakezval .= "\x00";

+$fakezval .= "\x00\x00";

+

+$inner = 'i:1234;:i:1;';

+$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';

+

+$data = unserialize($exploit);

+

+var_dump($data);

+

+function ptr2str($ptr)

+{

+	$out = '';

+	for ($i = 0; $i < 8; $i++) {

+		$out .= chr($ptr & 0xff);

+		$ptr >>= 8;

+	}

+	return $out;

+}

+?>

+--EXPECTF--

+array(5) {

+  [0]=>

+  int(1)

+  [1]=>

+  &int(1)

+  [2]=>

+  object(obj)#%d (1) {

+    ["ryat"]=>

+    &int(1)

+  }

+  [3]=>

+  array(1) {

+    [0]=>

+    int(1)

+  }

+  [4]=>

+  string(24) "%s"

+}

\ No newline at end of file

-- 

2.1.4