From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 1 Sep 2015 00:14:15 -0700 Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage --- ext/spl/spl_observer.c | 2 ++ ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 ext/spl/tests/bug70365.phpt diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 5d94a3b..6a2e321 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -869,6 +869,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pentry); goto outexcept; } + var_push_dtor(&var_hash, &pentry); if(Z_TYPE_P(pentry) != IS_OBJECT) { zval_ptr_dtor(&pentry); goto outexcept; @@ -880,6 +881,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pinf); goto outexcept; } + var_push_dtor(&var_hash, &pinf); } hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC); diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt new file mode 100644 index 0000000..bd57360 --- /dev/null +++ b/ext/spl/tests/bug70365.phpt @@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage +--FILE-- +ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; +$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + int(1) + [4]=> + string(24) "%s" +} -- 2.1.4 From 259057b2a484747a6c73ce54c4fa0f5acbd56179 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 1 Sep 2015 00:20:45 -0700 Subject: [PATCH] Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList --- ext/spl/spl_dllist.c | 1 + ext/spl/tests/bug70365.phpt | 2 +- ext/spl/tests/bug70366.phpt | 54 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug70366.phpt diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c index 011d7a6..ebe61c3 100644 --- a/ext/spl/spl_dllist.c +++ b/ext/spl/spl_dllist.c @@ -1219,6 +1219,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) zval_ptr_dtor(&elem); goto error; } + var_push_dtor(&var_hash, &elem); spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); } diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt index bd57360..c18110e 100644 --- a/ext/spl/tests/bug70365.phpt +++ b/ext/spl/tests/bug70365.phpt @@ -1,5 +1,5 @@ --TEST-- -SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage +SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage --FILE-- ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'i:1234;:i:1;'; +$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + array(1) { + [0]=> + int(1) + } + [4]=> + string(24) "%s" +} \ No newline at end of file -- 2.1.4