Audit hash unserialize functions to prevent memory errors.

Some hash internal states have logical pointers into a buffer,
or sponge, that absorbs input provided in bytes rather than
chunks. The unserialize functions for these hash functions
must validate that the logical pointers are all within bounds,
lest future hash operations cause out-of-bounds memory accesses.

All hash functions were audited for this kind of problem.
Sponge/buffer positions appear to be the only values that can
cause memory errors after unserialization.

* Adler32, CRC32, FNV, joaat: simple state, no buffer positions
* Gost, MD2, SHA3, Snefru, Tiger, Whirlpool: buffer positions
  must be validated
* MD4, MD5, SHA1, SHA2, haval, ripemd: buffer positions encoded
  bitwise, forced to within bounds on use; no need to validate

Author: kohler

ext/hash/hash.c

@@ -129,24 +129,25 @@ static inline size_t align_to(size_t pos, size_t alignment) {
 	return pos + (offset ? alignment - offset : 0);
 }
 
-static size_t parse_serialize_spec(const char **specp, size_t *pos, size_t *sz,
-				   size_t *max_alignment) {
+static size_t parse_serialize_spec(
+		const char **specp, size_t *pos, size_t *sz, size_t *max_alignment) {
 	size_t count, alignment;
 	const char *spec = *specp;
 	/* parse size */
-	if (*spec == 's') {
+	if (*spec == 's' || *spec == 'S') {
 		*sz = 2;
 		alignment = __alignof__(uint16_t); /* usually 2 */
-	} else if (*spec == 'l') {
+	} else if (*spec == 'l' || *spec == 'L') {
 		*sz = 4;
 		alignment = __alignof__(uint32_t); /* usually 4 */
-	} else if (*spec == 'q') {
+	} else if (*spec == 'q' || *spec == 'Q') {
 		*sz = 8;
 		alignment = __alignof__(uint64_t); /* usually 8 */
-	} else if (*spec == 'i') {
+	} else if (*spec == 'i' || *spec == 'I') {
 		*sz = sizeof(int);
 		alignment = __alignof__(int);      /* usually 4 */
 	} else {
+		ZEND_ASSERT(*spec == 'b' || *spec == 'B');
 		*sz = 1;
 		alignment = 1;
 	}
@@ -179,6 +180,7 @@ static uint64_t one_from_buffer(size_t sz, const unsigned char *buf) {
 		const uint64_t *x = (const uint64_t *) buf;
 		return *x;
 	} else {
+		ZEND_ASSERT(sz == 1);
 		return *buf;
 	}
 }
@@ -194,6 +196,7 @@ static void one_to_buffer(size_t sz, unsigned char *buf, uint64_t val) {
 		uint64_t *x = (uint64_t *) buf;
 		*x = val;
 	} else {
+		ZEND_ASSERT(sz == 1);
 		*buf = val;
 	}
 }
@@ -205,7 +208,8 @@ static void one_to_buffer(size_t sz, unsigned char *buf, uint64_t val) {
    l[COUNT] -- serialize COUNT 32-bit integers
    q[COUNT] -- serialize COUNT 64-bit integers
    i[COUNT] -- serialize COUNT `int`s
-   -[COUNT] -- skip COUNT bytes
+   B[COUNT] -- skip COUNT bytes
+   S[COUNT], L[COUNT], etc. -- uppercase versions skip instead of read
    . (must be last character) -- assert that the hash context has exactly
        this size
    Example: "llllllb64l16." is the spec for an MD5 context: 6 32-bit
@@ -218,21 +222,20 @@ static void one_to_buffer(size_t sz, unsigned char *buf, uint64_t val) {
    significant bits first. This allows 32-bit and 64-bit architectures to
    interchange serialized HashContexts. */
 
-PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zend_long *magic, zval *zv, const char *spec) /* {{{ */
+PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zval *zv, const char *spec) /* {{{ */
 {
 	size_t pos = 0, max_alignment = 1, sz, count;
 	unsigned char *buf = (unsigned char *) hash->context;
 	zval tmp;
-	*magic = PHP_HASH_SERIALIZE_MAGIC_SPEC;
 	array_init(zv);
 	while (*spec != '\0' && *spec != '.') {
-		char specch = *spec;
+		char spec_ch = *spec;
 		count = parse_serialize_spec(&spec, &pos, &sz, &max_alignment);
 		if (pos + count * sz > hash->ops->context_size) {
 			return FAILURE;
 		}
-		if (specch == '-') {
-			pos += count;
+		if (isupper((unsigned char) spec_ch)) {
+			pos += count * sz;
 		} else if (sz == 1 && count > 1) {
 			ZVAL_STRINGL(&tmp, (char *) buf + pos, count);
 			zend_hash_next_index_insert(Z_ARRVAL_P(zv), &tmp);
@@ -264,22 +267,22 @@ PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zen
    -999 == spec wrong size for context
    -1000 - POS == problem at byte offset POS */
 
-PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, zend_long magic, const zval *zv, const char *spec) /* {{{ */
+PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, const zval *zv, const char *spec) /* {{{ */
 {
 	size_t pos = 0, max_alignment = 1, sz, count, j = 0;
 	unsigned char *buf = (unsigned char *) hash->context;
 	zval *elt;
-	if (magic != PHP_HASH_SERIALIZE_MAGIC_SPEC || Z_TYPE_P(zv) != IS_ARRAY) {
+	if (Z_TYPE_P(zv) != IS_ARRAY) {
 		return FAILURE;
 	}
 	while (*spec != '\0' && *spec != '.') {
-		char specch = *spec;
+		char spec_ch = *spec;
 		count = parse_serialize_spec(&spec, &pos, &sz, &max_alignment);
 		if (pos + count * sz > hash->ops->context_size) {
 			return -999;
 		}
-		if (specch == '-') {
-			pos += count;
+		if (isupper((unsigned char) spec_ch)) {
+			pos += count * sz;
 		} else if (sz == 1 && count > 1) {
 			elt = zend_hash_index_find(Z_ARRVAL_P(zv), j);
 			if (!elt || Z_TYPE_P(elt) != IS_STRING || Z_STRLEN_P(elt) != count) {
@@ -296,14 +299,14 @@ PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, zend_lo
 					return -1000 - pos;
 				}
 				++j;
-				val = (uint32_t) zval_get_long(elt);
+				val = (uint32_t) Z_LVAL_P(elt);
 				if (sz == 8) {
 					elt = zend_hash_index_find(Z_ARRVAL_P(zv), j);
 					if (!elt || Z_TYPE_P(elt) != IS_LONG) {
 						return -1000 - pos;
 					}
 					++j;
-					val += ((uint64_t) zval_get_long(elt)) << 32;
+					val += ((uint64_t) Z_LVAL_P(elt)) << 32;
 				}
 				one_to_buffer(sz, buf + pos, val);
 				pos += sz;
@@ -321,27 +324,21 @@ PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, zend_lo
 PHP_HASH_API int php_hash_serialize(const php_hashcontext_object *hash, zend_long *magic, zval *zv) /* {{{ */
 {
 	if (hash->ops->serialize_spec) {
-		return php_hash_serialize_spec(hash, magic, zv, hash->ops->serialize_spec);
+		*magic = PHP_HASH_SERIALIZE_MAGIC_SPEC;
+		return php_hash_serialize_spec(hash, zv, hash->ops->serialize_spec);
 	} else {
-		*magic = PHP_HASH_SERIALIZE_MAGIC;
-		ZVAL_STRINGL(zv, (const char *) hash->context, hash->ops->context_size);
-		return SUCCESS;
+		return FAILURE;
 	}
 }
 /* }}} */
 
 PHP_HASH_API int php_hash_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv) /* {{{ */
 {
-	if (hash->ops->serialize_spec) {
-		return php_hash_unserialize_spec(hash, magic, zv, hash->ops->serialize_spec);
+	if (hash->ops->serialize_spec
+		&& magic == PHP_HASH_SERIALIZE_MAGIC_SPEC) {
+		return php_hash_unserialize_spec(hash, zv, hash->ops->serialize_spec);
 	} else {
-		if (Z_TYPE_P(zv) != IS_STRING
-			|| Z_STRLEN_P(zv) != hash->ops->context_size
-			|| magic != PHP_HASH_SERIALIZE_MAGIC) {
-			return FAILURE;
-		}
-		memcpy(hash->context, Z_STRVAL_P(zv), hash->ops->context_size);
-		return SUCCESS;
+		return FAILURE;
 	}
 }
 /* }}} */
@@ -1466,7 +1463,7 @@ PHP_METHOD(HashContext, __serialize)
 	return;
 
 serialize_failure:
-	zend_value_error("HashContext for algorithm '%s' cannot be serialized", hash->ops->algo);
+	zend_value_error("HashContext for algorithm \"%s\" cannot be serialized", hash->ops->algo);
 	RETURN_THROWS();
 }
 /* }}} */
@@ -1508,8 +1505,8 @@ PHP_METHOD(HashContext, __unserialize)
 		RETURN_THROWS();
 	}
 
-	magic = zval_get_long(magic_zv);
-	options = zval_get_long(options_zv);
+	magic = Z_LVAL_P(magic_zv);
+	options = Z_LVAL_P(options_zv);
 	if (options & PHP_HASH_HMAC) {
 		zend_value_error("HashContext with HASH_HMAC option cannot be serialized");
 		RETURN_THROWS();
@@ -1520,7 +1517,7 @@ PHP_METHOD(HashContext, __unserialize)
 		zend_value_error("Unknown hash algorithm");
 		RETURN_THROWS();
 	} else if (!ops->hash_unserialize) {
-		zend_value_error("Hash algorithm '%s' cannot be unserialized", ops->algo);
+		zend_value_error("Hash algorithm \"%s\" cannot be unserialized", ops->algo);
 		RETURN_THROWS();
 	}
 
@@ -1531,7 +1528,7 @@ PHP_METHOD(HashContext, __unserialize)
 
 	unserialize_result = ops->hash_unserialize(hash, magic, hash_zv);
 	if (unserialize_result != SUCCESS) {
-		zend_value_error("HashContext for algorithm '%s' cannot be unserialized, format may be non-portable (code %d)", ops->algo, unserialize_result);
+		zend_value_error("HashContext for algorithm \"%s\" cannot be unserialized, format may be non-portable (code %d)", ops->algo, unserialize_result);
 		/* Free internally allocated resources */
 		php_hashcontext_dtor(Z_OBJ_P(object));
 		RETURN_THROWS();

ext/hash/hash_gost.c

@@ -304,14 +304,27 @@ PHP_HASH_API void PHP_GOSTFinal(unsigned char digest[32], PHP_GOST_CTX *context)
 	ZEND_SECURE_ZERO(context, sizeof(*context));
 }
 
+static int php_gost_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
+{
+	PHP_GOST_CTX *ctx = (PHP_GOST_CTX *) hash->context;
+	int r = FAILURE;
+	if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
+		&& (r = php_hash_unserialize_spec(hash, zv, PHP_GOST_SPEC)) == SUCCESS
+		&& ctx->length < sizeof(ctx->buffer)) {
+		return SUCCESS;
+	} else {
+		return r != SUCCESS ? r : -2000;
+	}
+}
+
 const php_hash_ops php_hash_gost_ops = {
 	"gost",
 	(php_hash_init_func_t) PHP_GOSTInit,
 	(php_hash_update_func_t) PHP_GOSTUpdate,
 	(php_hash_final_func_t) PHP_GOSTFinal,
 	php_hash_copy,
 	php_hash_serialize,
-	php_hash_unserialize,
+	php_gost_unserialize,
 	PHP_GOST_SPEC,
 	32,
 	32,
@@ -326,7 +339,7 @@ const php_hash_ops php_hash_gost_crypto_ops = {
 	(php_hash_final_func_t) PHP_GOSTFinal,
 	php_hash_copy,
 	php_hash_serialize,
-	php_hash_unserialize,
+	php_gost_unserialize,
 	PHP_GOST_SPEC,
 	32,
 	32,

ext/hash/hash_md.c

@@ -47,14 +47,16 @@ const php_hash_ops php_hash_md4_ops = {
 	1
 };
 
+static int php_md2_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv);
+
 const php_hash_ops php_hash_md2_ops = {
 	"md2",
 	(php_hash_init_func_t) PHP_MD2Init,
 	(php_hash_update_func_t) PHP_MD2Update,
 	(php_hash_final_func_t) PHP_MD2Final,
 	php_hash_copy,
 	php_hash_serialize,
-	php_hash_unserialize,
+	php_md2_unserialize,
 	PHP_MD2_SPEC,
 	16,
 	16,
@@ -352,3 +354,16 @@ PHP_HASH_API void PHP_MD2Final(unsigned char output[16], PHP_MD2_CTX *context)
 
 	memcpy(output, context->state, 16);
 }
+
+static int php_md2_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
+{
+	PHP_MD2_CTX *ctx = (PHP_MD2_CTX *) hash->context;
+	int r = FAILURE;
+	if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
+		&& (r = php_hash_unserialize_spec(hash, zv, PHP_MD2_SPEC)) == SUCCESS
+		&& (unsigned char) ctx->in_buffer < sizeof(ctx->buffer)) {
+		return SUCCESS;
+	} else {
+		return r != SUCCESS ? r : -2000;
+	}
+}

ext/hash/hash_sha3.c

@@ -201,6 +201,22 @@ static void PHP_SHA3_Final(unsigned char* digest,
 	ZEND_SECURE_ZERO(ctx, sizeof(PHP_SHA3_CTX));
 }
 
+static int php_sha3_unserialize(php_hashcontext_object *hash,
+				zend_long magic,
+				const zval *zv,
+				size_t block_size)
+{
+	PHP_SHA3_CTX *ctx = (PHP_SHA3_CTX *) hash->context;
+	int r = FAILURE;
+	if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
+		&& (r = php_hash_unserialize_spec(hash, zv, PHP_SHA3_SPEC)) == SUCCESS
+		&& ctx->pos < block_size) {
+		return SUCCESS;
+	} else {
+		return r != SUCCESS ? r : -2000;
+	}
+}
+
 // ==========================================================================
 
 #define DECLARE_SHA3_OPS(bits) \
@@ -219,14 +235,19 @@ void PHP_SHA3##bits##Final(unsigned char* digest, \
                    (1600 - (2 * bits)) >> 3, \
                    bits >> 3); \
 } \
+static int php_sha3##bits##_unserialize(php_hashcontext_object *hash, \
+					zend_long magic, \
+					const zval *zv) { \
+	return php_sha3_unserialize(hash, magic, zv, (1600 - (2 * bits)) >> 3); \
+} \
 const php_hash_ops php_hash_sha3_##bits##_ops = { \
 	"sha3-" #bits, \
 	(php_hash_init_func_t) PHP_SHA3##bits##Init, \
 	(php_hash_update_func_t) PHP_SHA3##bits##Update, \
 	(php_hash_final_func_t) PHP_SHA3##bits##Final, \
 	php_hash_copy, \
 	php_hash_serialize, \
-	php_hash_unserialize, \
+	php_sha3##bits##_unserialize, \
 	PHP_SHA3_SPEC, \
 	bits >> 3, \
 	(1600 - (2 * bits)) >> 3, \
@@ -241,6 +262,45 @@ const php_hash_ops php_hash_sha3_##bits##_ops = { \
 #define SUCCESS SHA3_SUCCESS /* Avoid conflict between KeccacHash.h and zend_types.h */
 #include "KeccakHash.h"
 
+/* KECCAK SERIALIZATION
+
+   Keccak_HashInstance consists of:
+	KeccakWidth1600_SpongeInstance {
+		unsigned char state[200];
+		unsigned int rate;         -- fixed for digest size
+		unsigned int byteIOIndex;  -- in range [0, rate/8)
+		int squeezing;             -- 0 normally, 1 only during finalize
+	} sponge;
+	unsigned int fixedOutputLength;    -- fixed for digest size
+	unsigned char delimitedSuffix;     -- fixed for digest size
+
+   NB If the external sha3/ library is updated, the serialization code
+   may need to be updated.
+
+   We assume the simpler SHA3 code's serialization states is not
+   interchangeable with Keccak. */
+
+#define PHP_HASH_SERIALIZE_MAGIC_KECCAK 100
+#define PHP_KECCAK_SPEC "b200IiIIB"
+
+static int php_keccak_serialize(const php_hashcontext_object *hash, zend_long *magic, zval *zv)
+{
+	*magic = PHP_HASH_SERIALIZE_MAGIC_KECCAK;
+	return php_hash_serialize_spec(hash, zv, PHP_KECCAK_SPEC);
+}
+
+static int php_keccak_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
+{
+	Keccak_HashInstance *ctx = (Keccak_HashInstance *) hash->context;
+	int r = FAILURE;
+	if (magic == PHP_HASH_SERIALIZE_MAGIC_KECCAK
+		&& (r = php_hash_unserialize_spec(hash, zv, PHP_KECCAK_SPEC)) == SUCCESS
+		&& ctx->sponge.byteIOIndex < ctx->sponge.rate / 8) {
+		return SUCCESS;
+	} else {
+		return r != SUCCESS ? r : -2000;
+	}
+}
 
 // ==========================================================================
 
@@ -264,9 +324,9 @@ const php_hash_ops php_hash_sha3_##bits##_ops = { \
 	(php_hash_update_func_t) PHP_SHA3##bits##Update, \
 	(php_hash_final_func_t) PHP_SHA3##bits##Final, \
 	php_hash_copy, \
-	php_hash_serialize, \
-	php_hash_unserialize, \
-	NULL, \
+	php_keccak_serialize, \
+	php_keccak_unserialize, \
+	PHP_KECCAK_SPEC, \
 	bits >> 3, \
 	(1600 - (2 * bits)) >> 3, \
 	sizeof(PHP_SHA3_CTX), \