Patch for 72479
commit cab1c3b3708eead315e033359d07049b23b147a3 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Jun 26 17:52:09 2016 -0700 | |
Fixed bug #72479 - same as #72434 | |
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c | |
index 6c1da4c..e1161c7 100644 | |
--- a/ext/snmp/snmp.c | |
+++ b/ext/snmp/snmp.c | |
@@ -2095,6 +2095,14 @@ static int php_snmp_has_property(zval *object, zval *member, int has_set_exists, | |
} | |
/* }}} */ | |
+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */ | |
+{ | |
+ *gc_data = NULL; | |
+ *gc_data_count = 0; | |
+ return zend_std_get_properties(object TSRMLS_CC); | |
+} | |
+/* }}} */ | |
+ | |
/* {{{ php_snmp_get_properties(zval *object) | |
Returns all object properties. Injects SNMP properties into object on first call */ | |
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC) | |
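Review bot: php_snmp_get_gc carries no comment explaining why it hands the collector the plain property table instead of going through the object's get_properties handler, and that reasoning is the whole fix. The context lines show php_snmp_get_properties "injects SNMP properties into object on first call"; as far as I recall the default get_gc falls back to get_properties, so the collector walking an SNMP object would mutate the property table mid-scan, which is what the test's title attributes to "GC and unserialize()". I would put that above the function: `/* Keep GC away from php_snmp_get_properties(): it injects SNMP properties while the collector is walking the object (bugs #72434/#72479). Give GC the raw std property table instead; SNMP properties are still served lazily via get_properties. */`. Worth stating as well that the code relies on zend_std_get_properties() rebuilding the table for an object whose properties pointer is still NULL, since nothing here checks for NULL before returning. php_snmp_get_properties itself starts on the last context line and continues outside the hunk.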
@@ -2401,6 +2409,7 @@ PHP_MINIT_FUNCTION(snmp) | |
php_snmp_object_handlers.write_property = php_snmp_write_property; | |
php_snmp_object_handlers.has_property = php_snmp_has_property; | |
php_snmp_object_handlers.get_properties = php_snmp_get_properties; | |
+ php_snmp_object_handlers.get_gc = php_snmp_get_gc; | |
/* Register SNMP Class */ | |
INIT_CLASS_ENTRY(ce, "SNMP", php_snmp_class_methods); | |
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt | |
new file mode 100644 | |
index 0000000..0308754 | |
--- /dev/null | |
+++ b/ext/snmp/tests/bug72479.phpt | |
@@ -0,0 +1,35 @@ | |
+--TEST-- | |
+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize() | |
+--SKIPIF-- | |
+<?php | |
+require_once(dirname(__FILE__).'/skipif.inc'); | |
+?> | |
+--FILE-- | |
+<?php | |
+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5]; | |
+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}'; | |
+$out = unserialize($poc); | |
+gc_collect_cycles(); | |
+$fakezval = ptr2str(1122334455); | |
+$fakezval .= ptr2str(0); | |
+$fakezval .= "\x00\x00\x00\x00"; | |
+$fakezval .= "\x01"; | |
+$fakezval .= "\x00"; | |
+$fakezval .= "\x00\x00"; | |
+for ($i = 0; $i < 5; $i++) { | |
+ $v[$i] = $fakezval.$i; | |
+} | |
+var_dump($out[1]); | |
+ | |
+function ptr2str($ptr) | |
+{ | |
+ $out = ''; | |
+ for ($i = 0; $i < 8; $i++) { | |
+ $out .= chr($ptr & 0xff); | |
+ $ptr >>= 8; | |
+ } | |
+ return $out; | |
+} | |
+?> | |
+--EXPECT-- | |
+int(1) | |
\ No newline at end of file |
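Review bot: ptr2str hard-codes an 8-byte little-endian pointer in its loop bound (`$i < 8`), so the heap spray only matches the layout the proof of concept was written for on 64-bit builds; on 32-bit the test still passes because the only expectation is `int(1)`, but it then no longer exercises the layout it was meant to. Using the pointer size of the running interpreter keeps the spray meaningful on both: `for ($i = 0; $i < PHP_INT_SIZE; $i++) {`. A short comment above the spray would also help the next reader, since `$v` is never read: `// heap spray: fill freed zval slots with attacker-shaped data so a dangling reference is observable`. The trailing `\x00\x00\x00\x00` / `\x01` / `\x00` / `\x00\x00` bytes presumably model a zval's refcount/type fields for the 5.x layout, but that is inferred, not visible here.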