Headline

CVE-2014-4698: ArrayIterator use-after-free due to object change during sorting

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.

10 years ago

CVE

Open in Source

#vulnerability #web #dos #git #php

Bug #67539

ArrayIterator use-after-free due to object change during sorting

Submitted:

2014-06-29 15:31 UTC

Modified:

2014-07-25 02:51 UTC

From:

research at insighti dot org

Assigned:

laruence (profile)

Status:

Closed

Package:

SPL related

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

2014-4698

[2014-06-29 15:31 UTC] research at insighti dot org

Description:

ArrayIterator should not be changed while being sorted. There is a check missing in unserialize method in spl_array.c .

Test script:

<?php $it = new ArrayIterator(array_fill(0,10,’X’), 1 );

function badsort($a, $b) { $GLOBALS[‘it’]->unserialize($GLOBALS[‘it’]->serialize()); return TRUE; }

$it->uksort(‘badsort’);

Expected result:

Warning: Modification of ArrayObject during sorting is prohibited in spl_array.php on line 5

Actual result:

$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php spl_array.php ==23209== Memcheck, a memory error detector ==23209== Copyright © 2002-2011, and GNU GPL’d, by Julian Seward et al. ==23209== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==23209== Command: /opt/php/5.5.14/bin/php spl_array.php ==23209== ==23209== Invalid read of size 4 ==23209== at 0x8374BAD: php_array_user_key_compare (array.c:736) ==23209== by 0x849C8BC: zend_qsort_r (zend_qsort.c:84) ==23209== by 0x849C9BE: zend_qsort (zend_qsort.c:123) ==23209== by 0x8496368: zend_hash_sort (zend_hash.c:1463) ==23209== by 0x837906B: zif_uksort (array.c:796) ==23209== by 0x8479E7C: zend_call_function (zend_execute_API.c:955) ==23209== by 0x6506747: ??? ==23209== Address 0x716c05c is 4 bytes inside a block of size 36 free’d ==23209== at 0x402750C: free (vg_replace_malloc.c:427) ==23209== by 0x8494B1A: zend_hash_destroy (zend_hash.c:565) ==23209== by 0x84866E0: _zval_dtor_func (zend_variables.c:45) ==23209== by 0x8477F47: _zval_ptr_dtor (zend_variables.h:35) ==23209== by 0x8357D33: zim_spl_Array_unserialize (spl_array.c:1781) ==23209== by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550) ==23209== by 0x84F0935: execute_ex (zend_vm_execute.h:363) ==23209== by 0x8479F14: zend_call_function (zend_execute_API.c:937) ==23209== by 0x8374C11: php_array_user_key_compare (array.c:757) ==23209== by 0x849C8BC: zend_qsort_r (zend_qsort.c:84) ==23209== by 0x849C9BE: zend_qsort (zend_qsort.c:123) ==23209== by 0x8496368: zend_hash_sort (zend_hash.c:1463)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-06-29 15:35 UTC] research at insighti dot org

The following patch fixes the issue. Bug tracker does not allow us to submit a patch file to a private report for some reason.

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index c38065f…a75f9ca 100644 — a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1737,6 +1737,12 @@ SPL_METHOD(Array, unserialize) { spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

HashTable *htable = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
if (htable->nApplyCount > 0) {

  zend\_error(E\_WARNING, "Modification of ArrayObject during sorting is prohibited");

```
  return;
```
}
char *buf; int buf_len; const unsigned char *p, *s;

[2014-06-29 19:18 UTC] [email protected]

-Type: Security +Type: Bug

[2014-07-03 22:45 UTC] research at insighti dot org

Please use CVE-2014-4698 for this issue.

[2014-07-05 12:09 UTC] research at insighti dot org

As per the other reported bug, same applies for this one:

Please use CVE-2014-4698, the bug is in fact exploitable - not sure why was it made public before release of a patched version.

It’s not remotely exploitable, however, shared environments relying on PHP security features (open_basedir, safe_mode in older PHPs, disable_functions and similar) are affected. We’re ready to provide PoC is needed.

[2014-07-15 14:42 UTC] research at insighti dot org

-Status: Closed +Status: Assigned

[2014-07-15 14:42 UTC] research at insighti dot org

Please use the assigned CVE-2014-4698. 5.5.15-RC1 is now out and CVE is missing.

[2014-07-21 09:31 UTC] [email protected]

-Status: Assigned +Status: Closed

[2014-07-24 15:19 UTC] [email protected]

-Assigned To: +Assigned To: laruence

Related news

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.