|
| 1 | +--TEST-- |
| 2 | +Bug #80111: PHP SplDoublyLinkedList::offsetUnset UAF Sandbox Escape |
| 3 | +--FILE-- |
| 4 | +<?php |
| 5 | + |
| 6 | +function i2s(&$s, $p, $i, $x=8) |
| 7 | +{ |
| 8 | + for($j=0;$j<$x;$j++) |
| 9 | + { |
| 10 | + $s[$p+$j] = chr($i & 0xff); |
| 11 | + $i >>= 8; |
| 12 | + } |
| 13 | +} |
| 14 | + |
| 15 | +class Trigger |
| 16 | +{ |
| 17 | + function __destruct() |
| 18 | + { |
| 19 | + global $s, $b; |
| 20 | + # Add a reference afterwards |
| 21 | + //$v = new SplDoublyLinkedList(); |
| 22 | + //$v->setIteratorMode(SplDoublyLinkedList::IT_MODE_DELETE); |
| 23 | + # Remove element #2 from the list: this has no effect on |
| 24 | + # intern->traverse_pointer, since it is removed from the list already |
| 25 | + # The element, along with the zval, is freed |
| 26 | + unset($s[0]); |
| 27 | + |
| 28 | + $a = str_shuffle(str_repeat('A', 40-24-1)); |
| 29 | + # Build a fake zval (long, value: 12345678) |
| 30 | + i2s($a, 0x00, 12345678); # ptr |
| 31 | + i2s($a, 0x08, 4, 7); # type: long |
| 32 | + |
| 33 | + var_dump($s->current()); |
| 34 | + $s->next(); |
| 35 | + # The value is our fake zval |
| 36 | + var_dump($s->current()); |
| 37 | + print_r('DONE'."\n"); |
| 38 | + } |
| 39 | +} |
| 40 | + |
| 41 | +# Create a 3-item dllist |
| 42 | +$s = new SplDoublyLinkedList(); |
| 43 | + |
| 44 | +# This is the UAF trigger |
| 45 | +$s->push(new Trigger()); |
| 46 | + |
| 47 | +#$b = &$a; |
| 48 | +$s->push(3); |
| 49 | + |
| 50 | +# Points intern->traverse_pointer to our object element |
| 51 | +$s->rewind(); |
| 52 | +#$s->next(); |
| 53 | + |
| 54 | +# calls SplDoublyLinkedList::offsetUnset, which will remove the element from the |
| 55 | +# dllist, and then destruct the object, before clearing traverse_pointer |
| 56 | +unset($s[0]); |
| 57 | + |
| 58 | +?> |
| 59 | +--EXPECT-- |
| 60 | +NULL |
| 61 | +NULL |
| 62 | +DONE |
0 commit comments