1 # Source: upstream |
|
2 # http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393 |
|
3 # https://bugs.php.net/bug.php?id=70365 |
|
4 |
|
5 From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001 |
|
6 From: Stanislav Malyshev <[email protected]> |
|
7 Date: Tue, 1 Sep 2015 00:14:15 -0700 |
|
8 Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in |
|
9 unserialize() with SplObjectStorage |
|
10 |
|
11 --- |
|
12 ext/spl/spl_observer.c | 2 ++ |
|
13 ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++ |
|
14 2 files changed, 52 insertions(+) |
|
15 create mode 100644 ext/spl/tests/bug70365.phpt |
|
16 |
|
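diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 5d94a3b..6a2e321 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 zval_ptr_dtor(&pentry);
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pentry);
 if(Z_TYPE_P(pentry) != IS_OBJECT) {
 zval_ptr_dtor(&pentry);
 goto outexcept;
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 zval_ptr_dtor(&pinf);
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pinf);
 }
 
 hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);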
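Review bot: The two added `var_push_dtor(&var_hash, ...)` lines (pentry in the first hunk, pinf in the second) carry no comment saying why they exist, and a line with no visible consumer is exactly what a later cleanup removes as redundant, reintroducing the use-after-free the subject line describes. Suggest `/* keep pentry registered in var_hash: a later back-reference (R:) in the same payload may still point at it (bug #70365) */` above the first call and the matching wording above the pinf call. Note also that the first call sits before the `Z_TYPE_P(pentry) != IS_OBJECT` check, whose failure branch still runs `zval_ptr_dtor(&pentry)`; that is only balanced if var_push_dtor takes its own reference on the zval, which the hunk does not show and which the comment should state once confirmed against var_unserializer. SplObjectStorage::unserialize starts before and ends after both hunks, so the outexcept path that presumably tears down var_hash is not visible here.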
|
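diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
new file mode 100644
index 0000000..bd57360
--- /dev/null
+++ b/ext/spl/tests/bug70365.phpt
@@ -0,0 +1,50 @@
+--TEST--
+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 1;
+ }
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+--EXPECTF--
+array(5) {
+ [0]=>
+ int(1)
+ [1]=>
+ &int(1)
+ [2]=>
+ object(obj)#%d (1) {
+ ["ryat"]=>
+ &int(1)
+ }
+ [3]=>
+ int(1)
+ [4]=>
+ string(24) "%s"
+}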
93 -- |
|
94 2.1.4 |
|
95 |
|
96 |
|