php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70124 null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER
Submitted: 2015-07-24 02:29 UTC Modified: 2015-07-24 07:13 UTC
From: brian dot carpenter at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-24 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-24 02:29 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (built: Jul 22 2015 05:00:40), I found a script that causes a null ptr deref / segfault.

Test script:
---------------
<?echo base_convert([array_search(0,0,0,0,0,y())],0);

Expected result:
----------------
PHP 5.4.41-0+deb7u1 fails with:
PHP Fatal error:  Call to undefined function y() in /home/geeknik/tmp/test.php on line 1

Actual result:
--------------
==6717== Invalid read of size 4
==6717==    at 0x18D01C0: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_execute.h:247)
==6717==    by 0x1709D57: execute_ex (zend_vm_execute.h:409)
==6717==    by 0x18DD5AA: zend_execute (zend_vm_execute.h:450)
==6717==    by 0x1546F8C: zend_execute_scripts (zend.c:1399)
==6717==    by 0x12F3B57: php_execute_script (main.c:2475)
==6717==    by 0x18E4424: do_cli (php_cli.c:971)
==6717==    by 0x4593D4: main (php_cli.c:1338)
==6717==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6717==
==6717==
==6717== Process terminating with default action of signal 11 (SIGSEGV)
==6717==  Access not within mapped region at address 0x0
==6717==    at 0x18D01C0: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_execute.h:247)
==6717==    by 0x1709D57: execute_ex (zend_vm_execute.h:409)
==6717==    by 0x18DD5AA: zend_execute (zend_vm_execute.h:450)
==6717==    by 0x1546F8C: zend_execute_scripts (zend.c:1399)
==6717==    by 0x12F3B57: php_execute_script (main.c:2475)
==6717==    by 0x18E4424: do_cli (php_cli.c:971)
==6717==    by 0x4593D4: main (php_cli.c:1338)
==6717==  If you believe this happened as a result of a stack
==6717==  overflow in your program's main thread (unlikely but
==6717==  possible), you can try to increase the size of the
==6717==  main thread stack using the --main-stacksize= flag.
==6717==  The main thread stack size used in this run was 8388608.
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
zend_vm_stack_free_args (call=0x7ffff60130d0)
    at /home/geeknik/php-src/Zend/zend_execute.h:247
247                                     if (!Z_DELREF_P(p)) {
(gdb) bt
#0  zend_vm_stack_free_args (call=0x7ffff60130d0)
    at /home/geeknik/php-src/Zend/zend_execute.h:247
#1  i_cleanup_unfinished_execution (catch_op_num=0, op_num=7,
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_execute.c:2481
#2  ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:1515
#3  0x0000000001709d58 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:409
#4  0x00000000018dd5ab in zend_execute (
    op_array=op_array@entry=0x7ffff607e000,
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:450
#5  0x0000000001546f8d in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1399
#6  0x00000000012f3b58 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffd280)
    at /home/geeknik/php-src/main/main.c:2475
#7  0x00000000018e4425 in do_cli (argc=2, argv=0x205b9e0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#8  0x00000000004593d5 in main (argc=2, argv=0x205b9e0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0xc08    3080
rbx            0x7ffff6013170   140737320661360
rcx            0x18d0055        26017877
rdx            0x2091ad0        34151120
rsi            0x1d2d074        30593140
rdi            0x0      0
rbp            0x50     0x50
rsp            0x7fffffffac70   0x7fffffffac70
r8             0x7ffff6013180   140737320661376
r9             0x4      4
r10            0x0      0
r11            0x2056fa0        33910688
r12            0x7ffff60130d0   140737320661200
r13            0x7ffff60660c0   140737321001152
r14            0x7ffff6013030   140737320661040
r15            0x7ffff6013130   140737320661296
rip            0x18d01c0        0x18d01c0 <ZEND_HANDLE_EXCEPTION_SPEC_HANDLER+16128>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-24 07:13 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-07-24 07:13 UTC] laruence@php.net
confirm this bug
 [2015-07-24 08:21 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
 [2015-07-24 08:21 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC