SessionHandler Invalid memory read create_sid()
| Bug #67972 | SessionHandler Invalid memory read create_sid() |
|---|---|
| Submitted: | 2014-09-07 14:54 UTC |
| Modified: | 2014-09-07 14:56 UTC |
| From: | max at cert dot cx |
| Assigned: | |
| Status: | Closed |
| Package: | *General Issues |
| PHP Version: | 5.6.0 |
| OS: | |
| Private report: | No |
| CVE-ID: | None |
[2014-09-07 14:54 UTC] max at cert dot cx
Description:
------------
cx@cx:~$ /home/rastabab/php56/bin/php -v
PHP 5.6.0 (cli) (built: Aug 30 2014 20:06:23)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
cx@cx:~$ /home/rastabab/php56/bin/php -r '$n = new SessionHandler(); $n->create_sid();'
Naruszenie ochrony pamięci (core dumped)
-------------------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000514f98 in zim_SessionHandler_create_sid (ht=<optimized out>, return_value=0x7ffff7fb96e8,
return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
at /home/rastabab/php56/php-5.6.0/ext/session/mod_user_class.c:155
155 id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
(gdb) print mod_data
No symbol "mod_data" in current context.
(gdb) list
150
151 if (zend_parse_parameters_none() == FAILURE) {
152 return;
153 }
154
155 id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
156
157 RETURN_STRING(id, 0);
158 }
159 /* }}} */
-------------------------------
==30161== Invalid read of size 8
==30161== at 0x514F98: zim_SessionHandler_create_sid (mod_user_class.c:155)
==30161== by 0x6EFECB: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==30161== by 0x689AB7: execute_ex (zend_vm_execute.h:363)
==30161== by 0x643AA9: zend_eval_stringl (zend_execute_API.c:1080)
==30161== by 0x643BA8: zend_eval_stringl_ex (zend_execute_API.c:1127)
==30161== by 0x6F1B1A: do_cli (php_cli.c:1034)
==30161== by 0x424B61: main (php_cli.c:1378)
==30161== Address 0x38 is not stack'd, malloc'd or (recently) free'd
-------------------------------
The result is a local crash (DoS). Tested only on 5.6.0.
Best regards,
Maksymilian Arciemowicz
http://cxsecurity.com/
Test script:
---------------
$n = new SessionHandler(); $n->create_sid();
Actual result:
--------------
crash
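The valgrind line "Address 0x38 is not stack'd, malloc'd or (recently) free'd" together with the faulting statement `PS(default_mod)->s_create_sid(...)` points at a read through a NULL `default_mod` pointer: no session module has been installed yet because `session_start()` was never called, and 0x38 is the offset of the `s_create_sid` field inside the module struct. The C program below is an added illustration, not code from the bug report or from PHP's source. It models the session globals and a module struct whose field order mirrors the 5.6 `ps_module` layout as I reconstruct it (a name pointer followed by seven handler pointers; this layout is an assumption), shows the unchecked call shape from the listing above, and beside it the guard that a practitioner would expect the method to carry: refuse with an error when `default_mod` is NULL instead of dereferencing it. All type and function names (`ps_module_model`, `session_globals_model`, `create_sid_checked`, `session_init_model`) are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of ext/session's ps_module (assumed field order: name + 7 handlers).
 * On 64-bit this places s_create_sid at offset 7 * 8 = 0x38, which is the
 * address valgrind reported for the NULL-based read. */
typedef struct ps_module_model {
    const char *s_name;
    int (*s_open)(void **mod_data, const char *save_path, const char *name);
    int (*s_close)(void **mod_data);
    int (*s_read)(void **mod_data, const char *key, char **val, int *vallen);
    int (*s_write)(void **mod_data, const char *key, const char *val, int vallen);
    int (*s_destroy)(void **mod_data, const char *key);
    int (*s_gc)(void **mod_data, int maxlifetime, int *nrdels);
    char *(*s_create_sid)(void **mod_data, int *newlen);
} ps_module_model;

/* Model of the per-request session globals: default_mod stays NULL until the
 * session machinery is initialised (session_start() in real PHP). */
typedef struct {
    ps_module_model *default_mod;
    void *mod_data;
} session_globals_model;

/* Constructed stand-in for a handler's create_sid: returns a fixed,
 * heap-allocated id (a real handler generates a random one). */
static char *model_create_sid(void **mod_data, int *newlen) {
    (void)mod_data;
    const char *fixed = "constructed-session-id";
    size_t len = strlen(fixed);
    char *id = malloc(len + 1);
    if (id == NULL) return NULL;
    memcpy(id, fixed, len + 1);
    if (newlen) *newlen = (int)len;
    return id;
}

static ps_module_model files_mod = {
    "files", NULL, NULL, NULL, NULL, NULL, NULL, model_create_sid
};

/* Unchecked form, same shape as the reported line 155: with default_mod ==
 * NULL the load of s_create_sid is a read at address 0x38. Only safe after
 * session_init_model(). */
char *create_sid_unchecked(session_globals_model *ps) {
    return ps->default_mod->s_create_sid(&ps->mod_data, NULL);
}

/* Guarded form: reject the call when no default handler is installed. */
char *create_sid_checked(session_globals_model *ps) {
    if (ps->default_mod == NULL) {
        fprintf(stderr, "Cannot call default session handler: session not started\n");
        return NULL;
    }
    return ps->default_mod->s_create_sid(&ps->mod_data, NULL);
}

/* Offset of the field that the crash was reading through the NULL pointer. */
size_t create_sid_field_offset(void) {
    return offsetof(ps_module_model, s_create_sid);
}

/* Stand-in for the part of session_start() that installs the module. */
void session_init_model(session_globals_model *ps) {
    ps->default_mod = &files_mod;
    ps->mod_data = NULL;
}

int main(void) {
    session_globals_model ps = { NULL, NULL };
    printf("s_create_sid field offset: 0x%zx\n", create_sid_field_offset());
    char *id = create_sid_checked(&ps);   /* before init: error, no crash */
    printf("before init: %s\n", id ? id : "(null)");
    session_init_model(&ps);
    id = create_sid_unchecked(&ps);       /* after init both forms are safe */
    printf("after init: %s\n", id);
    free(id);
    return 0;
}
```

The guard is the whole fix from a defender's point of view: the method is reachable from userland on a bare `SessionHandler` object, so the C side cannot assume `session_start()` has run, and every handler method that dereferences `PS(default_mod)` needs the same NULL check, not just `create_sid()`.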
[2014-09-07 14:56 UTC] max at cert dot cx
-Summary: SessionHandler Iinvalid memory read +Summary: SessionHandler Invalid memory read create_sid()