Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php/php56/patches/CVE-2015-6834_70365.patch
author Michael Nestler <Michael.Nestler@Oracle.COM>
Thu, 19 Nov 2015 22:52:15 -0800
changeset 5116 867d838118ad
permissions -rw-r--r--
22244227 problem in UTILITY/PHP 21577672 problem in UTILITY/PHP 22244239 problem in UTILITY/PHP 22244245 problem in UTILITY/PHP 22244247 problem in UTILITY/PHP 22244253 problem in UTILITY/PHP 22244256 problem in UTILITY/PHP 22244261 problem in UTILITY/PHP 22244265 problem in UTILITY/PHP 22244270 problem in UTILITY/PHP 22244277 problem in UTILITY/PHP 22244286 problem in UTILITY/PHP

# Source: upstream
# http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393
# https://bugs.php.net/bug.php?id=70365

From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <[email protected]>
Date: Tue, 1 Sep 2015 00:14:15 -0700
Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
 unserialize() with SplObjectStorage

---
 ext/spl/spl_observer.c      |  2 ++
 ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 ext/spl/tests/bug70365.phpt

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 5d94a3b..6a2e321 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &pentry);
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 				zval_ptr_dtor(&pinf);
 				goto outexcept;
 			}
+			var_push_dtor(&var_hash, &pinf);
 		}
 
 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
new file mode 100644
index 0000000..bd57360
--- /dev/null
+++ b/ext/spl/tests/bug70365.phpt
@@ -0,0 +1,50 @@
+--TEST--
+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+class obj {
+	var $ryat;
+	function __wakeup() {
+		$this->ryat = 1;
+	}
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+	$out = '';
+	for ($i = 0; $i < 8; $i++) {
+		$out .= chr($ptr & 0xff);
+		$ptr >>= 8;
+	}
+	return $out;
+}
+--EXPECTF--
+array(5) {
+  [0]=>
+  int(1)
+  [1]=>
+  &int(1)
+  [2]=>
+  object(obj)#%d (1) {
+    ["ryat"]=>
+    &int(1)
+  }
+  [3]=>
+  int(1)
+  [4]=>
+  string(24) "%s"
+}
-- 
2.1.4
upstream/oracle/userland-gate