[2015-07-15 18:01 UTC] stas@php.net
-Type: Security
+Type: Bug
[2015-07-15 18:01 UTC] stas@php.net
-Assigned To:
+Assigned To: dmitry
[2015-07-15 18:30 UTC] brian dot carpenter at gmail dot com
[2015-07-15 20:30 UTC] bwoebi@php.net
-Assigned To: dmitry
+Assigned To: bwoebi
[2015-07-15 20:33 UTC] bwoebi@php.net
-Summary: possible buffer overflow in php 7
+Summary: Use after free with assign by ref to overloaded objects
[2015-07-15 20:36 UTC] bwoebi@php.net
[2015-07-15 20:36 UTC] bwoebi@php.net
-Status: Assigned
+Status: Closed
[2015-07-15 20:52 UTC] brian dot carpenter at gmail dot com
[2015-07-15 20:55 UTC] bwoebi@php.net
[2015-07-15 21:01 UTC] bwoebi@php.net
[2015-07-21 14:20 UTC] ab@php.net
[2016-07-20 11:37 UTC] davey@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Oct 25 23:00:01 2025 UTC
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: Jul 12 2015 03:27:06), I came across a script that causes a whole heap of trouble, most likely a buffer overflow of sorts. Not sure how far the security implications go, but better safe than sorry. However, it doesn't appear to affect an older version such as PHP 5.4.41-0+deb7u1.

Test script:
---------------
<?php
class wp0 {
    private $d;
    function __get($e) { return $this; }
}
function ret_assoc() {}
$wp0 = new wp0;
$wp0->i = &ret_assoc();

Expected result:
----------------
A graceful failure, easy to understand error message, obviously not this.

Actual result:
--------------
*** stack smashing detected ***: /home/geeknik/php-src/sapi/cli/php terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff6aef0e7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff6aef0b0]
/home/geeknik/php-src/sapi/cli/php[0x16704b1]
/home/geeknik/php-src/sapi/cli/php(zend_hash_graceful_reverse_destroy+0x69f)[0x15c262f]
/home/geeknik/php-src/sapi/cli/php[0x14cf7df]
/home/geeknik/php-src/sapi/cli/php(zend_deactivate+0x118)[0x15444c8]
/home/geeknik/php-src/sapi/cli/php(php_request_shutdown+0x7b5)[0x12ebd25]
/home/geeknik/php-src/sapi/cli/php[0x18e0fb7]
/home/geeknik/php-src/sapi/cli/php[0x4593a5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff6a1dead]
/home/geeknik/php-src/sapi/cli/php[0x459475]
======= Memory map: ========
00400000-01da1000 r-xp 00000000 fe:01 941843 /home/geeknik/php-src/sapi/cli/php
01fa0000-0203b000 rw-p 019a0000 fe:01 941843 /home/geeknik/php-src/sapi/cli/php
0203b000-02162000 rw-p 00000000 00:00 0 [heap]
7ffff5dea000-7ffff5dff000 r-xp 00000000 fe:01 131581 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff5dff000-7ffff5fff000 ---p 00015000 fe:01 131581 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff5fff000-7ffff6000000 rw-p 00015000 fe:01 131581 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6000000-7ffff6200000 rw-p 00000000 00:00 0
7ffff63a9000-7ffff63cb000 r-xp 00000000 fe:01 131572 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7ffff63cb000-7ffff65ca000 ---p 00022000 fe:01 131572 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7ffff65ca000-7ffff65cb000 r--p 00021000 fe:01 131572 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7ffff65cb000-7ffff65cc000 rw-p 00022000 fe:01 131572 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7ffff65cc000-7ffff65e2000 r-xp 00000000 fe:01 131569 /lib/x86_64-linux-gnu/libz.so.1.2.7
7ffff65e2000-7ffff67e1000 ---p 00016000 fe:01 131569 /lib/x86_64-linux-gnu/libz.so.1.2.7
7ffff67e1000-7ffff67e2000 r--p 00015000 fe:01 131569 /lib/x86_64-linux-gnu/libz.so.1.2.7
7ffff67e2000-7ffff67e3000 rw-p 00016000 fe:01 131569 /lib/x86_64-linux-gnu/libz.so.1.2.7
7ffff67e3000-7ffff67fa000 r-xp 00000000 fe:01 135025 /lib/x86_64-linux-gnu/libpthread-2.13.so
7ffff67fa000-7ffff69f9000 ---p 00017000 fe:01 135025 /lib/x86_64-linux-gnu/libpthread-2.13.so
7ffff69f9000-7ffff69fa000 r--p 00016000 fe:01 135025 /lib/x86_64-linux-gnu/libpthread-2.13.so
7ffff69fa000-7ffff69fb000 rw-p 00017000 fe:01 135025 /lib/x86_64-linux-gnu/libpthread-2.13.so
7ffff69fb000-7ffff69ff000 rw-p 00000000 00:00 0
7ffff69ff000-7ffff6b80000 r-xp 00000000 fe:01 131508 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff6b80000-7ffff6d80000 ---p 00181000 fe:01 131508 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff6d80000-7ffff6d84000 r--p 00181000 fe:01 131508 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff6d84000-7ffff6d85000 rw-p 00185000 fe:01 131508 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff6d85000-7ffff6d8a000 rw-p 00000000 00:00 0
7ffff6d8a000-7ffff6edf000 r-xp 00000000 fe:01 399049 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
7ffff6edf000-7ffff70df000 ---p 00155000 fe:01 399049 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
7ffff70df000-7ffff70e7000 r--p 00155000 fe:01 399049 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
7ffff70e7000-7ffff70e9000 rw-p 0015d000 fe:01 399049 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
7ffff70e9000-7ffff70ea000 rw-p 00000000 00:00 0
7ffff70ea000-7ffff70ff000 r-xp 00000000 fe:01 131447 /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff70ff000-7ffff72fe000 ---p 00015000 fe:01 131447 /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff72fe000-7ffff72ff000 r--p 00014000 fe:01 131447 /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff72ff000-7ffff7300000 rw-p 00015000 fe:01 131447 /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff7300000-7ffff7302000 rw-p 00000000 00:00 0
7ffff7302000-7ffff7304000 r-xp 00000000 fe:01 131553 /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7304000-7ffff7504000 ---p 00002000 fe:01 131553 /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7504000-7ffff7505000 r--p 00002000 fe:01 131553 /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7505000-7ffff7506000 rw-p 00003000 fe:01 131553 /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7506000-7ffff7587000 r-xp 00000000 fe:01 131121 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7587000-7ffff7786000 ---p 00081000 fe:01 131121 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7786000-7ffff7787000 r--p 00080000 fe:01 131121 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7787000-7ffff7788000 rw-p 00081000 fe:01 131121 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7788000-7ffff778f000 r-xp 00000000 fe:01 135021 /lib/x86_64-linux-gnu/librt-2.13.so
7ffff778f000-7ffff798e000 ---p 00007000 fe:01 135021 /lib/x86_64-linux-gnu/librt-2.13.so
7ffff798e000-7ffff798f000 r--p 00006000 fe:01 135021 /lib/x86_64-linux-gnu/librt-2.13.so
7ffff798f000-7ffff7990000 rw-p 00007000 fe:01 135021 /lib/x86_64-linux-gnu/librt-2.13.so
7ffff7990000-7ffff79a3000 r-xp 00000000 fe:01 131610 /lib/x86_64-linux-gnu/libresolv-2.13.so
7ffff79a3000-7ffff7ba2000 ---p 00013000 fe:01 131610 /lib/x86_64-linux-gnu/libresolv-2.13.so
7ffff7ba2000-7ffff7ba3000 r--p 00012000 fe:01 131610 /lib/x86_64-linux-gnu/libresolv-2.13.so
7ffff7ba3000-7ffff7ba4000 rw-p 00013000 fe:01 131610 /lib/x86_64-linux-gnu/libresolv-2.13.so
7ffff7ba4000-7ffff7ba6000 rw-p 00000000 00:00 0
7ffff7ba6000-7ffff7bae000 r-xp 00000000 fe:01 131556 /lib/x86_64-linux-gnu/libcrypt-2.13.so
7ffff7bae000-7ffff7dad000 ---p 00008000 fe:01 131556 /lib/x86_64-linux-gnu/libcrypt-2.13.so
7ffff7dad000-7ffff7dae000 r--p 00007000 fe:01 131556 /lib/x86_64-linux-gnu/libcrypt-2.13.so
7ffff7dae000-7ffff7daf000 rw-p 00008000 fe:01 131556 /lib/x86_64-linux-gnu/libcrypt-2.13.so
7ffff7daf000-7ffff7ddd000 rw-p 00000000 00:00 0
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 fe:01 131607 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7dfd000-7ffff7dff000 rw-p 00000000 00:00 0
7ffff7e00000-7ffff7e74000 rw-p 00000000 00:00 0
7ffff7e74000-7ffff7feb000 r--p 00000000 fe:01 393362 /usr/lib/locale/locale-archive
7ffff7feb000-7ffff7ff2000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 fe:01 131607 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 fe:01 131607 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6a31165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6a31165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff6a343e0 in *__GI_abort () at abort.c:92
#2  0x00007ffff6a6b39b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff6aef0e7 in *__GI___fortify_fail (msg=0x7ffff6b4d0aa "stack smashing detected") at fortify_fail.c:32
#4  0x00007ffff6aef0b0 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x00000000016704b1 in gc_possible_root (ref=<optimized out>) at /home/geeknik/php-src/Zend/zend_gc.c:270
#6  0x00000000015c262f in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=7, ht=<optimized out>) at /home/geeknik/php-src/Zend/zend_hash.c:935
#7  _zend_hash_del_el (p=<optimized out>, idx=7, ht=0x2056cd0) at /home/geeknik/php-src/Zend/zend_hash.c:959
#8  zend_hash_graceful_reverse_destroy (ht=ht@entry=0x2056cd0) at /home/geeknik/php-src/Zend/zend_hash.c:1405
#9  0x00000000014cf7df in shutdown_executor () at /home/geeknik/php-src/Zend/zend_execute_API.c:279
#10 0x00000000015444c8 in zend_deactivate () at /home/geeknik/php-src/Zend/zend.c:964
#11 0x00000000012ebd25 in php_request_shutdown (dummy=dummy@entry=0x0) at /home/geeknik/php-src/main/main.c:1814
#12 0x00000000018e0fb7 in do_cli (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1139
#13 0x00000000004593a5 in main (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0      0
rbx            0x0      0
rcx            0xffffffffffffffff       -1
rdx            0x6      6
rsi            0x67f9   26617
rdi            0x67f9   26617
rbp            0x7fffffffcc70   0x7fffffffcc70
rsp            0x7fffffffc2a8   0x7fffffffc2a8
r8             0x7ffff6b44e40   140737332399680
r9             0x407a90 4225680
r10            0x8      8
r11            0x206    518
r12            0x8      8
r13            0x7fffffffc550   140737488340304
r14            0x4f     79
r15            0x5      5
rip            0x7ffff6a31165   0x7ffff6a31165 <*__GI_raise+53>
eflags         0x206    [ PF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
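The report above was triaged by hand: the reporter read glibc's "stack smashing detected" banner and the SIGABRT in gdb, first guessed "buffer overflow", and the maintainers later retitled the bug as a use-after-free. The helper below does the first, mechanical part of that triage for any fuzz-found reproducer. It is an added example, not code from this bug tracker page or from php-src. It assumes the POSIX rule that a child killed by signal N exits with status 128+N, Linux x86-64 signal numbers, and the generic banner text printed by AddressSanitizer for a build compiled with -fsanitize=address; the php path in the usage comment is the reporter's and is only illustrative.

```shell
#!/bin/sh
# Crash triage helper (added example, not part of the PHP bug tracker page).
# Runs a reproducer command and classifies the outcome from two sources:
#  1. the exit status, which POSIX shells report as 128+N when the child was
#     killed by signal N (Linux x86-64 numbers assumed below);
#  2. well-known banners on stderr: glibc's stack-protector/FORTIFY message
#     seen in this report, and (assumed, generic) AddressSanitizer headers
#     from a -fsanitize=address build, which name the bug class directly.
# Usage: classify_crash /home/geeknik/php-src/sapi/cli/php testcase.php

classify_crash() {
    errfile=$(mktemp) || return 2
    status=0
    # `|| status=$?` captures the failure without tripping `set -e` in callers.
    "$@" >/dev/null 2>"$errfile" || status=$?
    errout=$(cat "$errfile")
    rm -f "$errfile"

    if [ "$status" -eq 0 ]; then
        printf 'no crash\n'
        return 0
    fi

    case $status in
        134) sig=SIGABRT ;;        # abort(): __fortify_fail, ASan's default, assert()
        135) sig=SIGBUS ;;
        136) sig=SIGFPE ;;
        139) sig=SIGSEGV ;;
        *)   sig="exit $status" ;; # clean non-zero exit (e.g. ASan with exitcode set)
    esac

    # Most specific pattern first: a bug-class banner beats a generic one.
    case $errout in
        *"stack smashing detected"*)                kind="stack-protector abort" ;;
        *"AddressSanitizer: heap-use-after-free"*)  kind="ASan heap-use-after-free" ;;
        *"AddressSanitizer: heap-buffer-overflow"*) kind="ASan heap-buffer-overflow" ;;
        *"AddressSanitizer"*)                       kind="ASan report" ;;
        *)                                          kind="unclassified" ;;
    esac

    printf '%s (%s)\n' "$kind" "$sig"
    return 1
}
```

A "stack-protector abort" result, as in this report, only says that a canary was overwritten somewhere before __stack_chk_fail ran; it does not identify the bug class. Re-running the same testcase against a php binary built with -fsanitize=address is what turns that into a "heap-use-after-free" or "heap-buffer-overflow" verdict with the allocating and freeing stacks attached.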