From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 1 Sep 2015 00:14:15 -0700
Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
unserialize() with SplObjectStorage
---
ext/spl/spl_observer.c | 2 ++
ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 ext/spl/tests/bug70365.phpt
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 5d94a3b..6a2e321 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -869,6 +869,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pentry);
goto outexcept;
}
+ var_push_dtor(&var_hash, &pentry);
if(Z_TYPE_P(pentry) != IS_OBJECT) {
zval_ptr_dtor(&pentry);
goto outexcept;
@@ -880,6 +881,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pinf);
goto outexcept;
}
+ var_push_dtor(&var_hash, &pinf);
}
hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
new file mode 100644
index 0000000..bd57360
--- /dev/null
+++ b/ext/spl/tests/bug70365.phpt
@@ -0,0 +1,50 @@
+--TEST--
+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 1;
+ }
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+--EXPECTF--
+array(5) {
+ [0]=>
+ int(1)
+ [1]=>
+ &int(1)
+ [2]=>
+ object(obj)#%d (1) {
+ ["ryat"]=>
+ &int(1)
+ }
+ [3]=>
+ int(1)
+ [4]=>
+ string(24) "%s"
+}
--
2.1.4
From 259057b2a484747a6c73ce54c4fa0f5acbd56179 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 1 Sep 2015 00:20:45 -0700
Subject: [PATCH] Fix bug #70366 - use-after-free vulnerability in
unserialize() with SplDoublyLinkedList
---
ext/spl/spl_dllist.c | 1 +
ext/spl/tests/bug70365.phpt | 2 +-
ext/spl/tests/bug70366.phpt | 54 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 ext/spl/tests/bug70366.phpt
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 011d7a6..ebe61c3 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -1219,6 +1219,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&elem);
goto error;
}
+ var_push_dtor(&var_hash, &elem);
spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
}
diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
index bd57360..c18110e 100644
--- a/ext/spl/tests/bug70365.phpt
+++ b/ext/spl/tests/bug70365.phpt
@@ -1,5 +1,5 @@
--TEST--
-SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage
--FILE--
<?php
class obj {
diff --git a/ext/spl/tests/bug70366.phpt b/ext/spl/tests/bug70366.phpt
new file mode 100644
index 0000000..c9aa584
--- /dev/null
+++ b/ext/spl/tests/bug70366.phpt
@@ -0,0 +1,54 @@
+--TEST--
+SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 1;
+ }
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'i:1234;:i:1;';
+$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+?>
+--EXPECTF--
+array(5) {
+ [0]=>
+ int(1)
+ [1]=>
+ &int(1)
+ [2]=>
+ object(obj)#%d (1) {
+ ["ryat"]=>
+ &int(1)
+ }
+ [3]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ [4]=>
+ string(24) "%s"
+}
\ No newline at end of file
--
2.1.4