commit 6045de69c7dedcba3eadf7c4bba424b19c81d00d
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Oct 23 20:07:47 2016 -0700

    Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle

    Proper solution would be to call serialize/unserialize and deal with the result,
    but this requires more work that should be done by wddx maintainer (not me).

Upstream-status: Backport

CVE: CVE-2016-9934
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>

Index: php-5.6.26/ext/pdo/pdo_stmt.c
===================================================================
--- php-5.6.26.orig/ext/pdo/pdo_stmt.c	2016-09-16 02:32:50.000000000 +0530
+++ php-5.6.26/ext/pdo/pdo_stmt.c	2017-06-15 14:48:28.590259874 +0530
@@ -2338,6 +2338,7 @@
 	pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
 	pdo_row_ce->create_object = pdo_row_new;
 	pdo_row_ce->serialize = pdo_row_serialize;
+	pdo_row_ce->unserialize = zend_class_unserialize_deny;
 }
 
 static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
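Review bot: The new `pdo_row_ce->unserialize = zend_class_unserialize_deny;` line carries no explanation of why only the unserialize hook is replaced while `serialize` still points at `pdo_row_serialize`, so a later reader may take the asymmetry for an oversight. A one-line comment would keep the intent with the code: `/* PDORow can not be rebuilt from serialized data (bug #73331): deny unserialization */`. The enclosing function starts before this hunk.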
Index: php-5.6.26/ext/wddx/tests/bug45901.phpt
===================================================================
--- php-5.6.26.orig/ext/wddx/tests/bug45901.phpt	2016-09-16 02:32:50.000000000 +0530
+++ php-5.6.26/ext/wddx/tests/bug45901.phpt	2017-06-15 14:48:28.590259874 +0530
@@ -14,5 +14,6 @@
 echo "DONE";
 ?>
 --EXPECTF--
-<wddxPacket version='1.0'><header><comment>Variables</comment></header><data><struct><var name='php_class_name'><string>SimpleXMLElement</string></var><var name='test'><struct><var name='php_class_name'><string>SimpleXMLElement</string></var></struct></var></struct></data></wddxPacket>
-DONE
\ No newline at end of file
+Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d
+<wddxPacket version='1.0'><header><comment>Variables</comment></header><data></data></wddxPacket>
+DONE
Index: php-5.6.26/ext/wddx/tests/bug73331.phpt
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ php-5.6.26/ext/wddx/tests/bug73331.phpt	2017-06-15 14:48:28.590259874 +0530
@@ -0,0 +1,14 @@
+--TEST--
+Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow)
+--SKIPIF--
+<?php if (!extension_loaded("wddx") || !extension_loaded("pdo")) print "skip"; ?>
+--FILE--
+<?php
+
+$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket
+var_dump(wddx_deserialize($wddx));
+?>
+--EXPECTF--
+
+Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
+NULL
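Review bot: The `$wddx = "<wddxPacket ...` line in the new test appears to end at `</wddxPacket` with no closing `>";`, which would leave the string literal unterminated and make the test file fail to parse instead of exercising the fix. If this is a page-rendering truncation rather than the patch content, disregard; otherwise the line should end with `...</wddxPacket>";`.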
Index: php-5.6.26/ext/wddx/wddx.c
===================================================================
--- php-5.6.26.orig/ext/wddx/wddx.c	2016-09-16 02:32:50.000000000 +0530
+++ php-5.6.26/ext/wddx/wddx.c	2017-06-15 14:48:28.590259874 +0530
@@ -471,8 +471,18 @@
 	ulong idx;
 	char tmp_buf[WDDX_BUF_LEN];
 	HashTable *objhash, *sleephash;
+	zend_class_entry *ce;
+	PHP_CLASS_ATTRIBUTES;
 	TSRMLS_FETCH();
 
+	PHP_SET_CLASS_ATTRIBUTES(obj);
+	ce = Z_OBJCE_P(obj);
+	if (!ce || ce->serialize || ce->unserialize) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name);
+		PHP_CLEANUP_CLASS_ATTRIBUTES();
+		return;
+	}
+
 	MAKE_STD_ZVAL(fname);
 	ZVAL_STRING(fname, "__sleep", 1);
 
@@ -482,10 +492,6 @@
 	 */
 	if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
 		if (retval && (sleephash = HASH_OF(retval))) {
-			PHP_CLASS_ATTRIBUTES;
-
-			PHP_SET_CLASS_ATTRIBUTES(obj);
-
 			php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 			snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 			php_wddx_add_chunk(packet, tmp_buf);
@@ -494,8 +500,6 @@
 			php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 			php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-			PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 			objhash = HASH_OF(obj);
 
 			for (zend_hash_internal_pointer_reset(sleephash);
@@ -516,10 +520,6 @@
 	} else {
 		uint key_len;
 
-		PHP_CLASS_ATTRIBUTES;
-
-		PHP_SET_CLASS_ATTRIBUTES(obj);
-
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 		snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 		php_wddx_add_chunk(packet, tmp_buf);
@@ -528,8 +528,6 @@
 		php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 		php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-		PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 		objhash = HASH_OF(obj);
 		for (zend_hash_internal_pointer_reset(objhash);
 			 zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
@@ -550,6 +548,8 @@
 		}
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 	}
+	
+	PHP_CLEANUP_CLASS_ATTRIBUTES();
 
 	zval_dtor(fname);
 	FREE_ZVAL(fname);
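Review bot: The added line before `PHP_CLEANUP_CLASS_ATTRIBUTES();` is a tab-only line (`+\t`), i.e. trailing whitespace; it should be an empty line. Consolidating the per-branch cleanups into this single call at the end of the function looks correct given that the early-return path added in the first hunk cleans up itself, provided there is no other early return between the two, which this hunk does not show.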
@@ -1012,25 +1012,30 @@
 							pce = &PHP_IC_ENTRY;
 						}
 
-						/* Initialize target object */
-						MAKE_STD_ZVAL(obj);
-						object_init_ex(obj, *pce);
-
-						/* Merge current hashtable with object's default properties */
-						zend_hash_merge(Z_OBJPROP_P(obj),
-										Z_ARRVAL_P(ent2->data),
-										(void (*)(void *)) zval_add_ref,
-										(void *) &tmp, sizeof(zval *), 0);
-
-						if (incomplete_class) {
-							php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
-						}
-
-						/* Clean up old array entry */
-						zval_ptr_dtor(&ent2->data);
-
-						/* Set stack entry to point to the newly created object */
-						ent2->data = obj;
+						if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) {
+                                                       ent2->data = NULL;
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data));
+                                               } else {
+                                                       /* Initialize target object */
+                                                       MAKE_STD_ZVAL(obj);
+                                                       object_init_ex(obj, *pce);
+
+                                                       /* Merge current hashtable with object's default properties */
+                                                       zend_hash_merge(Z_OBJPROP_P(obj),
+                                                                                       Z_ARRVAL_P(ent2->data),
+                                                                                       (void (*)(void *)) zval_add_ref,
+                                                                                       (void *) &tmp, sizeof(zval *), 0);
+
+                                                       if (incomplete_class) {
+                                                               php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
+                                                       }
+
+                                                       /* Clean up old array entry */
+                                                       zval_ptr_dtor(&ent2->data);
+
+                                                       /* Set stack entry to point to the newly created object */
+                                                       ent2->data = obj;
+                                                }
 
 						/* Clean up class name var entry */
 						zval_ptr_dtor(&ent1->data);
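Review bot: In the new reject branch `ent2->data = NULL;` overwrites the struct's array zval without releasing it, whereas the accepted branch still calls `zval_ptr_dtor(&ent2->data)` before replacing it with the object; unless that array is freed elsewhere after the warning, every rejected packet leaks the hash table. The branch should read `zval_ptr_dtor(&ent2->data); ent2->data = NULL;` ahead of the `php_error_docref` call. The new lines from `ent2->data = NULL;` through the closing brace are indented with spaces while the surrounding file uses tabs, so the block should be re-indented to match. The enclosing function starts before and ends after this hunk.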