Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100877
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82015 invoked from network); 12 Oct 2017 15:01:48 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Oct 2017 15:01:48 -0000
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.49 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.214.49 mail-it0-f49.google.com  
Received: from [209.85.214.49] ([209.85.214.49:47006] helo=mail-it0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 35/08-49033-AD38FD95 for <internals@lists.php.net>; Thu, 12 Oct 2017 11:01:47 -0400
Received: by mail-it0-f49.google.com with SMTP id f187so7649527itb.1
        for <internals@lists.php.net>; Thu, 12 Oct 2017 08:01:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=/f3cFBf1JsFcXw+Mo8VVpSWW0Q7MC1EHg/3zM9C9ozo=;
        b=AbVBsgQtDKlc+cLzl/1+bNUDHE7+uiI8r8uIU4KXe3citcMOn0Jup1mnOsrMlhwPgJ
         tA/3HJ9SFAacZNym7FNtG2xkUb6GKY78OG23Mb5lkOnuRY/vGvltnhmuXsIzCaf7GNf3
         IxcHfqOEd1kh1U/jw/Tdiu7hlwDDSjMLYVJdjdOp2bN0uae004RttJJDRuTs4XfGa0/Y
         tCXqUDD0dsuYoxyK+9dPplM5B0eRoSkxLdLDUsgojGz2l4tadbIJAbYxZF8Ic07DWKdE
         MKBOOIRtbCmQBdtsNUm6YUJK0SRLkKGJBwnhTeZXPxY8bmRzQCC8uHqyZ4RvAHyV8m+5
         HxJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=/f3cFBf1JsFcXw+Mo8VVpSWW0Q7MC1EHg/3zM9C9ozo=;
        b=b9tEnGDnjpIYb4CYCkr6xJhICi8HkcRteem93QHk0ILQXhZQHilYTr0jzA8xDNoAmy
         RIuIUwwT2IOaGTEpmzXHbe1aj0y1kvod3reOLeWPlU5b7oNbVL7tPm3FiSzOody34LfT
         xLfxvY5YM25xvxKgWWNwKwXb2BrfPQz4bO+jlypwjD0S2Pbund3BecEDWCWiZ1Pn+4PG
         9Kj74hJFFhCvLRysV7kMKodcT9ZAbbU2iPom+UX+VmMhMnpsxTgVW4ZhcURGIPnLUt1b
         z4CLOhap3OObSvarhNCS9EqfP+NKJ0pSlyJRsPQIOxLIP0/Os42MEGo6ffE2XdDY0WTz
         eWJg==
X-Gm-Message-State: AMCzsaXsqgU8MLmQhChrfX2wcODMQ8fOX93iv/IwhfbYeVylBkh2M18f
	f0SHyZgo+FKkrCCbodUGGbhrXvk34nWSl0DOXjE=
X-Google-Smtp-Source: AOwi7QC4p+EauKijLqEfjJPeBEGnQjSl1k/B2E1C8ToSBQVIswmlHOyvpIV+rnaO9v6XkY2agfD3XFJRGygx0ld8sSU=
X-Received: by 10.36.149.196 with SMTP id m187mr3361984itd.75.1507820503532;
 Thu, 12 Oct 2017 08:01:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.35.78 with HTTP; Thu, 12 Oct 2017 08:01:42 -0700 (PDT)
In-Reply-To: <BN6PR02MB3234EFDCADFC9F9CF7EF43AEBF4B0@BN6PR02MB3234.namprd02.prod.outlook.com>
References: <BN6PR02MB3234EFDCADFC9F9CF7EF43AEBF4B0@BN6PR02MB3234.namprd02.prod.outlook.com>
Date: Thu, 12 Oct 2017 17:01:42 +0200
Message-ID: <CAF+90c_Ft+sth7uo7L6277x-3T14OVe1jYF-GBaUX=Vkr2nEig@mail.gmail.com>
To: Dmitry Stogov <dmitry@zend.com>
Cc: PHP internals list <internals@lists.php.net>, Stanislav Malyshev <smalyshev@gmail.com>, 
	Nikita Popov <nikic@php.net>, Xinchen Hui <laruence@gmail.com>, Sara Golemon <pollita@php.net>, 
	Zeev Suraski <zeev@zend.com>, "rasmus@lerdorf.com" <rasmus@lerdorf.com>
Content-Type: multipart/alternative; boundary="94eb2c05e6e67f884e055b5ad12b"
Subject: Re: Fix for unserialise() "vulnerabilities"
From: nikita.ppv@gmail.com (Nikita Popov)

--94eb2c05e6e67f884e055b5ad12b
Content-Type: text/plain; charset="UTF-8"

On Thu, Oct 12, 2017 at 4:38 PM, Dmitry Stogov <dmitry@zend.com> wrote:

> Hi,
>
>
> I've found, that at least half of unserialise() security problems, occurs
> because of non-symmetric serialize/unserialize assumption, regarding
> references encoded with "r".
>
>
> serialize() assumes it's an object.
>
>
> https://github.com/php/php-src/blob/master/ext/standard/var.c#L828
>
>
> universalize() allows any value.
>
>
> https://github.com/php/php-src/blob/master/ext/standard/
> var_unserializer.re#L677
>
>
> This allows manual crafting of strings that may lead to creation of
> unexpected data structures.
>
> I propose to fix this just by fixing the symmetry.
>
>
> https://gist.github.com/dstogov/53382540bdfee7b6c7dadf142dc437ed
>
>
> This will prohibit, some manually crafted strings.
>
> Of course, this will break few "security" related tests. Especially:
>
>
> > Bug #70284 (Use after free vulnerability in unserialize() with GMP)
> [ext/gmp/tests/bug70284.phpt]
> > Bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free)
> [ext/soap/tests/bug70211.phpt]
> > Bug #70172 - Use After Free Vulnerability in unserialize()
> [ext/standard/tests/serialize/bug70172.phpt]
> > Bug #70963 (Unserialize shows UNKNOW in result)
> [ext/standard/tests/serialize/bug70963.phpt]
> > Memleaks if unserialize return a self-referenced array/object
> [ext/standard/tests/serialize/unserialize_mem_leak.phpt]
> > Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and
> unserialize [ext/standard/tests/strings/bug72433.phpt]
>
> Any objections? (this is for master only of course)
>

Hi,

I don't think this will really fix any vulnerabilities, because the core
issue are R references, not r references. If this prevents a vulnerability
using r, you can usually replicate something similar using R instead.

However, I still agree that it makes sense to restrict this. Especially
because unserialize() currently allows creating structures that are just
impossible in plain PHP, such as cyclic arrays without use of references
(GLOBALS notwithstanding).

The check looks too strict to me though. Shouldn't it first DEREF the value
before performing the OBJECT check? (E.g. for something like
"a:3:{i:0;O:8:"stdClass":0:{}i:1;R:2;i:2;r:2;}", in which case r:2 will be
a REF to OBJECT).

Regards,
Nikita

--94eb2c05e6e67f884e055b5ad12b--