components/php/php56/patches/CVE-2015-6834_70365.patch
author Michael Nestler <Michael.Nestler@Oracle.COM>
Thu, 19 Nov 2015 22:52:15 -0800
changeset 5116 867d838118ad
permissions -rw-r--r--
22244227 problem in UTILITY/PHP 21577672 problem in UTILITY/PHP 22244239 problem in UTILITY/PHP 22244245 problem in UTILITY/PHP 22244247 problem in UTILITY/PHP 22244253 problem in UTILITY/PHP 22244256 problem in UTILITY/PHP 22244261 problem in UTILITY/PHP 22244265 problem in UTILITY/PHP 22244270 problem in UTILITY/PHP 22244277 problem in UTILITY/PHP 22244286 problem in UTILITY/PHP
# Source: upstream
# http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393
# https://bugs.php.net/bug.php?id=70365
From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <[email protected]>
Date: Tue, 1 Sep 2015 00:14:15 -0700
Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
 unserialize() with SplObjectStorage
---
 ext/spl/spl_observer.c      |  2 ++
 ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 ext/spl/tests/bug70365.phpt
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
    18
index 5d94a3b..6a2e321 100644
    19
--- a/ext/spl/spl_observer.c
    20
+++ b/ext/spl/spl_observer.c
    21
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
    22
 			zval_ptr_dtor(&pentry);
    23
 			goto outexcept;
    24
 		}
    25
+		var_push_dtor(&var_hash, &pentry);
    26
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
    27
 			zval_ptr_dtor(&pentry);
    28
 			goto outexcept;
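Review bot: The added `var_push_dtor(&var_hash, &pentry);` (patch line 25) carries no comment explaining why the entry must outlive the local `zval_ptr_dtor(&pentry)` calls around it, which is the whole point of the fix; I would put `/* Hand a reference to var_hash so pentry survives until PHP_VAR_UNSERIALIZE_DESTROY: later R:/r: back-references in the stream may still point at it (bug #70365). */` directly above it. That wording assumes var_push_dtor adds a reference rather than merely recording the pointer, which is how the rest of var_unserializer uses it but is not visible in this hunk, so confirm before committing the comment. Note also that the push sits before the `IS_OBJECT` check, so a rejected non-object entry is now kept alive until var_hash teardown instead of being freed by the immediate dtor, presumably intended because the stream may reference that entry too. The enclosing SPL_METHOD(SplObjectStorage, unserialize) begins and ends outside this hunk.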
    29
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
    30
 				zval_ptr_dtor(&pinf);
    31
 				goto outexcept;
    32
 			}
    33
+			var_push_dtor(&var_hash, &pinf);
    34
 		}
    35
 
    36
 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
    37
diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
    38
new file mode 100644
    39
index 0000000..bd57360
    40
--- /dev/null
    41
+++ b/ext/spl/tests/bug70365.phpt
    42
@@ -0,0 +1,50 @@
    43
+--TEST--
    44
+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
    45
+--FILE--
    46
+<?php
    47
+class obj {
    48
+	var $ryat;
    49
+	function __wakeup() {
    50
+		$this->ryat = 1;
    51
+	}
    52
+}
    53
+
    54
+$fakezval = ptr2str(1122334455);
    55
+$fakezval .= ptr2str(0);
    56
+$fakezval .= "\x00\x00\x00\x00";
    57
+$fakezval .= "\x01";
    58
+$fakezval .= "\x00";
    59
+$fakezval .= "\x00\x00";
    60
+
    61
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
    62
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
    63
+
    64
+$data = unserialize($exploit);
    65
+
    66
+var_dump($data);
    67
+
    68
+function ptr2str($ptr)
    69
+{
    70
+	$out = '';
    71
+	for ($i = 0; $i < 8; $i++) {
    72
+		$out .= chr($ptr & 0xff);
    73
+		$ptr >>= 8;
    74
+	}
    75
+	return $out;
    76
+}
    77
+--EXPECTF--
    78
+array(5) {
    79
+  [0]=>
    80
+  int(1)
    81
+  [1]=>
    82
+  &int(1)
    83
+  [2]=>
    84
+  object(obj)#%d (1) {
    85
+    ["ryat"]=>
    86
+    &int(1)
    87
+  }
    88
+  [3]=>
    89
+  int(1)
    90
+  [4]=>
    91
+  string(24) "%s"
    92
+}
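Review bot: The `$fakezval` byte string built at patch lines 54–59 hard-codes a 24-byte image (two 8-byte words from ptr2str(), then 4 + 1 + 1 + 2 bytes) with no comment, so a reader cannot tell why `string(24)` is the expected length or what the bytes stand in for. I would add above it: `// 24-byte fake zval image, apparently the 64-bit PHP 5 layout (16-byte value, refcount, type, is_ref, padding); before the fix R:6 could alias freed memory here`. That reading of the layout is inferred from the byte counts rather than shown in the test, so confirm it against Zend/zend.h for the targeted branch before wording it as fact. Note the test proves the fix only through var_dump printing sane values rather than crashing, which is inherent to a use-after-free regression test but worth stating in the `--TEST--` description.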
-- 
2.1.4