File: CVE-2015-6834-70365.patch

From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 1 Sep 2015 00:14:15 -0700
Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
 unserialize() with SplObjectStorage

---
 ext/spl/spl_observer.c      |  2 ++
 ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 ext/spl/tests/bug70365.phpt

Index: php5-5.3.3.1/ext/spl/spl_observer.c
===================================================================
--- php5-5.3.3.1.orig/ext/spl/spl_observer.c	2015-10-28 13:30:23.000000000 +0100
+++ php5-5.3.3.1/ext/spl/spl_observer.c	2015-10-28 13:31:06.000000000 +0100
@@ -647,6 +648,7 @@
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &pentry);
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
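Review bot: The added `var_push_dtor(&var_hash, &pentry)` (and the matching `pinf` registration in the next hunk) carries no comment saying why the freshly unserialized entry has to be handed to the unserializer's var_hash, and the enclosing method starts and ends outside both hunks, so a reader cannot tell from the code that this is the use-after-free fix named in the subject line. Suggest `/* bug #70365: register with var_hash so a later R:/r: back-reference in the stream cannot outlive this entry; var_hash releases it when unserialize() finishes */` above each call. The explicit `zval_ptr_dtor(&pentry)` on the `!= IS_OBJECT` path below still appears balanced because var_push_dtor takes its own reference on the zval, but since this is a backport (the hunk header's shifted new-side offset shows an earlier hunk not in view) that should be confirmed against this tree's var_unserializer.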
@@ -658,6 +660,7 @@
 				zval_ptr_dtor(&pinf);
 				goto outexcept;
 			}
+			var_push_dtor(&var_hash, &pinf);
 		}
 		
 		pelement = spl_object_storage_get(intern, pentry TSRMLS_CC);
Index: php5-5.3.3.1/ext/spl/tests/bug70365.phpt
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ php5-5.3.3.1/ext/spl/tests/bug70365.phpt	2015-10-28 13:30:23.000000000 +0100
@@ -0,0 +1,50 @@
+--TEST--
+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+class obj {
+	var $ryat;
+	function __wakeup() {
+		$this->ryat = 1;
+	}
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+	$out = '';
+	for ($i = 0; $i < 8; $i++) {
+		$out .= chr($ptr & 0xff);
+		$ptr >>= 8;
+	}
+	return $out;
+}
+--EXPECTF--
+array(5) {
+  [0]=>
+  int(1)
+  [1]=>
+  &int(1)
+  [2]=>
+  object(obj)#%d (1) {
+    ["ryat"]=>
+    &int(1)
+  }
+  [3]=>
+  int(1)
+  [4]=>
+  string(24) "%s"
+}