Newsgroups: php.internals
To: PHP internals list
CC: Stanislav Malyshev, Nikita Popov, Xinchen Hui, Sara Golemon, Zeev Suraski, rasmus@lerdorf.com
Date: Thu, 12 Oct 2017 14:38:49 +0000
Subject: Fix for unserialise() "vulnerabilities"
From: dmitry@zend.com (Dmitry Stogov)

Hi,

I've found that at least half of unserialize() security problems occur because of a non-symmetric serialize/unserialize assumption regarding references encoded with "r".

serialize() assumes it's an object.
https://github.com/php/php-src/blob/master/ext/standard/var.c#L828

unserialize() allows any value.
https://github.com/php/php-src/blob/master/ext/standard/var_unserializer.re#L677

This allows manual crafting of strings that may lead to creation of unexpected data structures.

I propose to fix this just by fixing the symmetry.
https://gist.github.com/dstogov/53382540bdfee7b6c7dadf142dc437ed

This will prohibit some manually crafted strings. Of course, this will break a few "security" related tests. Especially:

> Bug #70284 (Use after free vulnerability in unserialize() with GMP) [ext/gmp/tests/bug70284.phpt]
> Bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free) [ext/soap/tests/bug70211.phpt]
> Bug #70172 - Use After Free Vulnerability in unserialize() [ext/standard/tests/serialize/bug70172.phpt]
> Bug #70963 (Unserialize shows UNKNOW in result) [ext/standard/tests/serialize/bug70963.phpt]
> Memleaks if unserialize return a self-referenced array/object [ext/standard/tests/serialize/unserialize_mem_leak.phpt]
> Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize [ext/standard/tests/strings/bug72433.phpt]

Any objections? (this is for master only of course)

Thanks. Dmitry.