PHP :: Bug #67538 :: SPL Iterators use-after-free

Bug #67538 SPL Iterators use-after-free
Submitted: 2014-06-29 14:54 UTC Modified: 2014-07-03 02:49 UTC
From: research at insighti dot org Assigned: laruence (profile)
Status: Closed Package: SPL related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2014-4670

 [2014-06-29 14:54 UTC] research at insighti dot org

Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators).
Changes in the object are not projected to the object iterators.
This results in iterators pointing to freed memory.
Calling next on the iterator triggers use-after-free.

Please use CVE-2014-4670 for this bug.

Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');

$list->rewind();
$list->offsetUnset(0);
$list->push('c');
$list->offsetUnset(0);
$list->next();

Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274==    at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)
==14274==  Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274==    at 0x402750C: free (vg_replace_malloc.c:427)
==14274==    by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)

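An added example, not part of the bug report or of PHP's own spl_dllist.c, modelling the defect in C: a doubly linked list whose iterator keeps a raw pointer to its current element, with the unset path hardened so an iterator positioned on the removed element is invalidated rather than left pointing at freed memory. The list, names and the "clear the cursor" strategy are assumptions for illustration (PHP's actual fix may differ in detail); the block replays the test script's call sequence.

```c
#include <stdlib.h>
#include <string.h>
/* List element; the iterator stores a pointer to its current element, as
 * SplDoublyLinkedList's traverse pointer does (names here are illustrative). */
typedef struct elem { struct elem *prev, *next; char value; } elem;
typedef struct { elem *head, *tail, *cursor; size_t count; } dllist;

static void dll_push(dllist *l, char v) {
    elem *e = calloc(1, sizeof *e);
    e->value = v; e->prev = l->tail;
    if (l->tail) l->tail->next = e; else l->head = e;
    l->tail = e; l->count++;
}

/* offsetUnset(index): unlink and free the element. The hardening is the cursor
 * check: an iterator positioned on the element being removed is invalidated
 * instead of keeping a pointer into memory that free() is about to release. */
static int dll_unset(dllist *l, size_t index) {
    elem *e = l->head;
    while (e && index--) e = e->next;
    if (!e) return -1;
    if (e->prev) e->prev->next = e->next; else l->head = e->next;
    if (e->next) e->next->prev = e->prev; else l->tail = e->prev;
    if (l->cursor == e) l->cursor = NULL;   /* the fix: never leave a dangling cursor */
    free(e); l->count--;
    return 0;
}

static void dll_rewind(dllist *l) { l->cursor = l->head; }
static int  dll_valid(const dllist *l) { return l->cursor != NULL; }
/* next(): a NULL cursor means exhausted or invalidated; nothing stale is read. */
static void dll_next(dllist *l) { if (l->cursor) l->cursor = l->cursor->next; }
static void dll_free(dllist *l) { while (l->head) dll_unset(l, 0); }

/* Replays the call sequence from the report's test script on the hardened list:
 * writes surviving values to out, reports validity after next(), returns count. */
int replay_report_sequence(char *out, size_t outlen, int *valid_after_next) {
    dllist l = {0};
    dll_push(&l, 'a'); dll_push(&l, 'b');
    dll_rewind(&l);            /* cursor -> 'a' */
    dll_unset(&l, 0);          /* removes 'a': cursor is cleared, not left dangling */
    dll_push(&l, 'c');
    dll_unset(&l, 0);          /* removes 'b' */
    dll_next(&l);              /* safe: there is no stale element to dereference */
    *valid_after_next = dll_valid(&l);
    size_t n = 0;
    for (elem *e = l.head; e && n + 1 < outlen; e = e->next) out[n++] = e->value;
    if (outlen) out[n] = '\0';
    dll_free(&l);
    return (int)n;
}
```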
History

 [2014-06-29 19:20 UTC] stas@php.net

-Type: Security +Type: Bug

 [2014-07-02 12:45 UTC] research at insighti dot org

Please use CVE-2014-4670, the bug is in fact exploitable - not sure why it was made public before release of a patched version.

It's not remotely exploitable, however, shared environments relying on PHP security features (open_basedir, safe_mode in older PHPs, disable_functions and similar) are affected. We're ready to provide PoC if needed.