|
1 # Source: upstream |
|
2 # http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d |
|
3 # https://bugs.php.net/bug.php?id=70169 |
|
4 |
|
5 From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001 |
|
6 From: Stanislav Malyshev <[email protected]> |
|
7 Date: Sat, 1 Aug 2015 21:51:08 -0700 |
|
8 Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in |
|
9 unserialize() with SplDoublyLinkedList) |
|
10 |
|
11 --- |
|
12 ext/spl/spl_dllist.c | 25 +++++++++++++------------ |
|
13 ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++ |
|
14 2 files changed, 43 insertions(+), 12 deletions(-) |
|
15 create mode 100644 ext/spl/tests/bug70169.phpt |
|
16 |
|
17 diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c |
|
18 index b5ddfc0..011d7a6 100644 |
|
19 --- a/ext/spl/spl_dllist.c |
|
20 +++ b/ext/spl/spl_dllist.c |
|
21 @@ -500,7 +500,7 @@ static int spl_dllist_object_count_elements(zval *object, long *count TSRMLS_DC) |
|
22 |
|
23 *count = spl_ptr_llist_count(intern->llist); |
|
24 return SUCCESS; |
|
25 -} |
|
26 +} |
|
27 /* }}} */ |
|
28 |
|
29 static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */ |
|
30 @@ -571,7 +571,7 @@ SPL_METHOD(SplDoublyLinkedList, push) |
|
31 spl_ptr_llist_push(intern->llist, value TSRMLS_CC); |
|
32 |
|
33 RETURN_TRUE; |
|
34 -} |
|
35 +} |
|
36 /* }}} */ |
|
37 |
|
38 /* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U |
|
39 @@ -614,7 +614,7 @@ SPL_METHOD(SplDoublyLinkedList, pop) |
|
40 } |
|
41 |
|
42 RETURN_ZVAL(value, 1, 1); |
|
43 -} |
|
44 +} |
|
45 /* }}} */ |
|
46 |
|
47 /* {{{ proto mixed SplDoublyLinkedList::shift() U |
|
48 @@ -637,7 +637,7 @@ SPL_METHOD(SplDoublyLinkedList, shift) |
|
49 } |
|
50 |
|
51 RETURN_ZVAL(value, 1, 1); |
|
52 -} |
|
53 +} |
|
54 /* }}} */ |
|
55 |
|
56 /* {{{ proto mixed SplDoublyLinkedList::top() U |
|
57 @@ -1051,7 +1051,7 @@ static void spl_dllist_it_move_forward(zend_object_iterator *iter TSRMLS_DC) /* |
|
58 SPL_METHOD(SplDoublyLinkedList, key) |
|
59 { |
|
60 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
61 - |
|
62 + |
|
63 if (zend_parse_parameters_none() == FAILURE) { |
|
64 return; |
|
65 } |
|
66 @@ -1065,7 +1065,7 @@ SPL_METHOD(SplDoublyLinkedList, key) |
|
67 SPL_METHOD(SplDoublyLinkedList, prev) |
|
68 { |
|
69 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
70 - |
|
71 + |
|
72 if (zend_parse_parameters_none() == FAILURE) { |
|
73 return; |
|
74 } |
|
75 @@ -1079,7 +1079,7 @@ SPL_METHOD(SplDoublyLinkedList, prev) |
|
76 SPL_METHOD(SplDoublyLinkedList, next) |
|
77 { |
|
78 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
79 - |
|
80 + |
|
81 if (zend_parse_parameters_none() == FAILURE) { |
|
82 return; |
|
83 } |
|
84 @@ -1093,7 +1093,7 @@ SPL_METHOD(SplDoublyLinkedList, next) |
|
85 SPL_METHOD(SplDoublyLinkedList, valid) |
|
86 { |
|
87 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
88 - |
|
89 + |
|
90 if (zend_parse_parameters_none() == FAILURE) { |
|
91 return; |
|
92 } |
|
93 @@ -1107,7 +1107,7 @@ SPL_METHOD(SplDoublyLinkedList, valid) |
|
94 SPL_METHOD(SplDoublyLinkedList, rewind) |
|
95 { |
|
96 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
97 - |
|
98 + |
|
99 if (zend_parse_parameters_none() == FAILURE) { |
|
100 return; |
|
101 } |
|
102 @@ -1122,7 +1122,7 @@ SPL_METHOD(SplDoublyLinkedList, current) |
|
103 { |
|
104 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
105 spl_ptr_llist_element *element = intern->traverse_pointer; |
|
106 - |
|
107 + |
|
108 if (zend_parse_parameters_none() == FAILURE) { |
|
109 return; |
|
110 } |
|
111 @@ -1177,7 +1177,7 @@ SPL_METHOD(SplDoublyLinkedList, serialize) |
|
112 } else { |
|
113 RETURN_NULL(); |
|
114 } |
|
115 - |
|
116 + |
|
117 } /* }}} */ |
|
118 |
|
119 /* {{{ proto void SplDoublyLinkedList::unserialize(string serialized) |
|
120 @@ -1190,7 +1190,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) |
|
121 int buf_len; |
|
122 const unsigned char *p, *s; |
|
123 php_unserialize_data_t var_hash; |
|
124 - |
|
125 + |
|
126 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { |
|
127 return; |
|
128 } |
|
129 @@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) |
|
130 zval_ptr_dtor(&flags); |
|
131 goto error; |
|
132 } |
|
133 + var_push_dtor(&var_hash, &flags); |
|
134 intern->flags = Z_LVAL_P(flags); |
|
135 zval_ptr_dtor(&flags); |
|
136 |
|
137 diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt |
|
138 new file mode 100644 |
|
139 index 0000000..9d814be |
|
140 --- /dev/null |
|
141 +++ b/ext/spl/tests/bug70169.phpt |
|
142 @@ -0,0 +1,30 @@ |
|
143 +--TEST-- |
|
144 +SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList |
|
145 +--FILE-- |
|
146 +<?php |
|
147 +$inner = 'i:1;'; |
|
148 +$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; |
|
149 + |
|
150 +$data = unserialize($exploit); |
|
151 + |
|
152 +for($i = 0; $i < 5; $i++) { |
|
153 + $v[$i] = 'hi'.$i; |
|
154 +} |
|
155 + |
|
156 +var_dump($data); |
|
157 +?> |
|
158 +===DONE=== |
|
159 +--EXPECTF-- |
|
160 +array(2) { |
|
161 + [0]=> |
|
162 + object(SplDoublyLinkedList)#%d (2) { |
|
163 + ["flags":"SplDoublyLinkedList":private]=> |
|
164 + int(1) |
|
165 + ["dllist":"SplDoublyLinkedList":private]=> |
|
166 + array(0) { |
|
167 + } |
|
168 + } |
|
169 + [1]=> |
|
170 + int(1) |
|
171 +} |
|
172 +===DONE=== |
|
173 -- |
|
174 2.1.4 |
|
175 |
|
176 |