1 # Source: upstream

     2 # http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393

     3 # https://bugs.php.net/bug.php?id=70365

     4 

     5 From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001

     6 From: Stanislav Malyshev <[email protected]>

     7 Date: Tue, 1 Sep 2015 00:14:15 -0700

     8 Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in

     9  unserialize() with SplObjectStorage

    10 

    11 ---

    12  ext/spl/spl_observer.c      |  2 ++

    13  ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++

    14  2 files changed, 52 insertions(+)

    15  create mode 100644 ext/spl/tests/bug70365.phpt

    16 

    17 diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c

    18 index 5d94a3b..6a2e321 100644

    19 --- a/ext/spl/spl_observer.c

    20 +++ b/ext/spl/spl_observer.c

    21 @@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)

    22  			zval_ptr_dtor(&pentry);

    23  			goto outexcept;

    24  		}

    25 +		var_push_dtor(&var_hash, &pentry);

    26  		if(Z_TYPE_P(pentry) != IS_OBJECT) {

    27  			zval_ptr_dtor(&pentry);

    28  			goto outexcept;

    29 @@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)

    30  				zval_ptr_dtor(&pinf);

    31  				goto outexcept;

    32  			}

    33 +			var_push_dtor(&var_hash, &pinf);

    34  		}

    35  

    36  		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);

    37 diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt

    38 new file mode 100644

    39 index 0000000..bd57360

    40 --- /dev/null

    41 +++ b/ext/spl/tests/bug70365.phpt

    42 @@ -0,0 +1,50 @@

    43 +--TEST--

    44 +SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage

    45 +--FILE--

    46 +<?php

    47 +class obj {

    48 +	var $ryat;

    49 +	function __wakeup() {

    50 +		$this->ryat = 1;

    51 +	}

    52 +}

    53 +

    54 +$fakezval = ptr2str(1122334455);

    55 +$fakezval .= ptr2str(0);

    56 +$fakezval .= "\x00\x00\x00\x00";

    57 +$fakezval .= "\x01";

    58 +$fakezval .= "\x00";

    59 +$fakezval .= "\x00\x00";

    60 +

    61 +$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';

    62 +$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';

    63 +

    64 +$data = unserialize($exploit);

    65 +

    66 +var_dump($data);

    67 +

    68 +function ptr2str($ptr)

    69 +{

    70 +	$out = '';

    71 +	for ($i = 0; $i < 8; $i++) {

    72 +		$out .= chr($ptr & 0xff);

    73 +		$ptr >>= 8;

    74 +	}

    75 +	return $out;

    76 +}

    77 +--EXPECTF--

    78 +array(5) {

    79 +  [0]=>

    80 +  int(1)

    81 +  [1]=>

    82 +  &int(1)

    83 +  [2]=>

    84 +  object(obj)#%d (1) {

    85 +    ["ryat"]=>

    86 +    &int(1)

    87 +  }

    88 +  [3]=>

    89 +  int(1)

    90 +  [4]=>

    91 +  string(24) "%s"

    92 +}

    93 -- 

    94 2.1.4

    95 

    96