diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-08-28 21:50:21 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-08-28 21:50:21 -0700 |
| commit | fc8eff897bd7fe3fed7f6867d2d6a86117a5278d (patch) | |
| tree | 8f7c4d7c1daa3f7a21df0bc94f850383a93cb9d2 | |
| parent | 24dda816d069a2e0cb5dc2985afd7f3269202946 (diff) | |
| download | php-git-fc8eff897bd7fe3fed7f6867d2d6a86117a5278d.tar.gz | |
More fixes for bug #70219
| -rw-r--r-- | ext/session/session.c | 7 | ||||
| -rw-r--r-- | ext/standard/tests/serialize/bug70219_1.phpt | 46 |
2 files changed, 51 insertions, 2 deletions
diff --git a/ext/session/session.c b/ext/session/session.c index 247f9b27f7..f5439ea79c 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -863,7 +863,10 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ PHP_VAR_UNSERIALIZE_INIT(var_hash); ALLOC_INIT_ZVAL(session_vars); - php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC); + if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) { + var_push_dtor(&var_hash, &session_vars); + } + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); if (PS(http_session_vars)) { zval_ptr_dtor(&PS(http_session_vars)); @@ -872,7 +875,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ array_init(session_vars); } PS(http_session_vars) = session_vars; - ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1); + ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), Z_REFCOUNT_P(PS(http_session_vars)) + 1, 1); return SUCCESS; } /* }}} */ diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt new file mode 100644 index 0000000000..f9c4c672fd --- /dev/null +++ b/ext/standard/tests/serialize/bug70219_1.phpt @@ -0,0 +1,46 @@ +--TEST-- +Bug #70219 Use after free vulnerability in session deserializer +--FILE-- +<?php +ini_set('session.serialize_handler', 'php_serialize'); +session_start(); + +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + session_decode($data); + } +} + +$inner = 'r:2;'; +$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = 'hi'.$i; +} + +var_dump($data); +var_dump($_SESSION); +?> +--EXPECTF-- +array(2) { + [0]=> + &object(obj)#%d (1) { + ["data"]=> + NULL + } + [1]=> + object(obj)#%d (1) { + ["data"]=> + NULL + } +} +object(obj)#1 (1) { + ["data"]=> + NULL +}
\ No newline at end of file |