From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 1 Aug 2015 21:45:19 -0700
Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in
unserialize() with SPLArrayObject
---
ext/spl/spl_array.c | 3 +++
ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 ext/spl/tests/bug70166.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index a37eced..86608c0 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1773,6 +1773,7 @@ SPL_METHOD(Array, unserialize)
goto outexcept;
}
+ var_push_dtor(&var_hash, &pflags);
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
/* flags needs to be verified and we also need to verify whether the next
@@ -1796,6 +1797,7 @@ SPL_METHOD(Array, unserialize)
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
goto outexcept;
}
+ var_push_dtor(&var_hash, &intern->array);
}
if (*p != ';') {
goto outexcept;
@@ -1814,6 +1816,7 @@ SPL_METHOD(Array, unserialize)
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt
new file mode 100644
index 0000000..51a3596
--- /dev/null
+++ b/ext/spl/tests/bug70166.phpt
@@ -0,0 +1,29 @@
+--TEST--
+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
+--FILE--
+<?php
+$inner = 'x:i:1;a:0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ array(0) {
+ }
+}
+===DONE===
--
2.1.4
From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 1 Aug 2015 21:12:38 -0700
Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in
unserialize() with SplObjectStorage
---
ext/spl/spl_observer.c | 68 +++++++++++++++++++++++----------------------
ext/spl/tests/bug70168.phpt | 19 +++++++++++++
2 files changed, 54 insertions(+), 33 deletions(-)
create mode 100644 ext/spl/tests/bug70168.phpt
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index da9110b..5d94a3b 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -848,6 +848,7 @@ SPL_METHOD(SplObjectStorage, unserialize
goto outexcept;
}
+ var_push_dtor(&var_hash, &pcount);
--p; /* for ';' */
count = Z_LVAL_P(pcount);
@@ -919,6 +920,7 @@ SPL_METHOD(SplObjectStorage, unserialize
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt
new file mode 100644
index 0000000..192f0f3
--- /dev/null
+++ b/ext/spl/tests/bug70168.phpt
@@ -0,0 +1,19 @@
+--TEST--
+SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data[1]);
+?>
+===DONE===
+--EXPECT--
+int(1)
+===DONE===
--
2.1.4
From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 1 Aug 2015 21:51:08 -0700
Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in
unserialize() with SplDoublyLinkedList)
---
ext/spl/spl_dllist.c | 25 +++++++++++++------------
ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+), 12 deletions(-)
create mode 100644 ext/spl/tests/bug70169.phpt
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index b5ddfc0..011d7a6 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -1207,6 +1207,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&flags);
goto error;
}
+ var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);
diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt
new file mode 100644
index 0000000..9d814be
--- /dev/null
+++ b/ext/spl/tests/bug70169.phpt
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+$inner = 'i:1;';
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
--
2.1.4