php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78154 SEND_VAR_NO_REF does not always send reference
Submitted: 2019-06-13 06:24 UTC Modified: 2019-06-13 08:57 UTC
From: chinaxiaozhouzhou at gmail dot com Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: master-Git-2019-06-13 (Git) OS: ubuntu 18.04
Private report: No CVE-ID: None
 [2019-06-13 06:24 UTC] chinaxiaozhouzhou at gmail dot com
Description:
------------
The crash is in similar_text function which is implemented in ext/standard/string.c:3489. We can fake a zval object.

Test script:
---------------
poc.php

<?php
similar_text('a', 'a', $c=0x44444444);
?>

Expected result:
----------------
no crash

Actual result:
--------------
./php poc.php
asan output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14691==ERROR: AddressSanitizer: SEGV on unknown address 0x00004444445c (pc 0x00000106a452 bp 0x7ffe2f6eb250 sp 0x7ffe2f6eadc0 T0)
==14691==The signal is caused by a READ memory access.
    #0 0x106a451  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x106a451)
    #1 0x18f52da  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x18f52da)
    #2 0x16cf58d  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x16cf58d)
    #3 0x16d0a76  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x16d0a76)
    #4 0x14ba157  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x14ba157)
    #5 0x1235b88  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1235b88)
    #6 0x1b45c7f  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1b45c7f)
    #7 0x1b42d9b  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x1b42d9b)
    #8 0x7f09d8301b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x43f039  (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x43f039)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/xzz/WorkSpace/tmp/php-src/out/bin/php+0x106a451)
==14691==ABORTING

lldb output
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x4444445c)
    frame #0: 0x000000000106a452 php`zif_similar_text(execute_data=0x00007ffff0c120a0, return_value=0x00007fffffff9000) at string.c:3514
   3511         sim = php_similar_char(ZSTR_VAL(t1), ZSTR_LEN(t1), ZSTR_VAL(t2), ZSTR_LEN(t2));
   3512
   3513         if (ac > 2) {
-> 3514                 ZEND_TRY_ASSIGN_REF_DOUBLE(percent, sim * 200.0 / (ZSTR_LEN(t1) + ZSTR_LEN(t2)));
   3515         }
   3516
   3517         RETURN_LONG(sim);
(lldb) bt
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x4444445c)
  * frame #0: 0x000000000106a452 php`zif_similar_text(execute_data=0x00007ffff0c120a0, return_value=0x00007fffffff9000) at string.c:3514
    frame #1: 0x00000000018f52db php`ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER(execute_data=0x00007ffff0c12020) at zend_vm_execute.h:981
    frame #2: 0x00000000016cf58e php`execute_ex(ex=0x00007ffff0c12020) at zend_vm_execute.h:57134
    frame #3: 0x00000000016d0a77 php`zend_execute(op_array=0x00007ffff0c78380, return_value=0x0000000000000000) at zend_vm_execute.h:62631
    frame #4: 0x00000000014ba158 php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1625
    frame #5: 0x0000000001235b89 php`php_execute_script(primary_file=0x00007fffffffc820) at main.c:2650
    frame #6: 0x0000000001b45c80 php`do_cli(argc=2, argv=0x00006030000003a0) at php_cli.c:985
    frame #7: 0x0000000001b42d9c php`main(argc=2, argv=0x00006030000003a0) at php_cli.c:1375
    frame #8: 0x00007ffff60edb97 libc.so.6`__libc_start_main(main=(php`main at php_cli.c:1176), argc=2, argv=0x00007fffffffe338, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffe328) at libc-start.c:310
    frame #9: 0x000000000043f03a php`_start + 42
(lldb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-13 06:49 UTC] stas@php.net
-Status: Open +Status: Feedback -Type: Security +Type: Bug
 [2019-06-13 06:49 UTC] stas@php.net
Not sure what you mean by "fake a zval object". I tried your reproducing code and I could not reproduce any crashes.
 [2019-06-13 08:40 UTC] sjon@php.net
actually, this seems to segfault in 7.4.0alpha1, see https://3v4l.org/kqL8Z
 [2019-06-13 08:41 UTC] sjon@php.net
-Status: Feedback +Status: Verified
 [2019-06-13 08:48 UTC] nikic@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-06-13 08:53 UTC] chinaxiaozhouzhou at gmail dot com
Hi, I compile php source code with CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"
 [2019-06-13 08:57 UTC] chinaxiaozhouzhou at gmail dot com
I also found some crashes in other functions. It seems that the root cause of these crashes is same.
 [2019-06-13 08:57 UTC] nikic@php.net
-Summary: php similar_text zval type confusion vulnerability +Summary: SEND_VAR_NO_REF does not always send reference
 [2019-06-13 08:59 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cac6b04113f6ab59d4ae22d760f9375627e059fc
Log: Fixed bug #78154
 [2019-06-13 08:59 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2019-06-13 09:54 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=792e38d863a84ed44970a142339ecfe1b40aea8a
Log: Fix bug #78154 with JIT
 [2020-12-09 11:48 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44b234a9bc589ee6c4afe3e1c386d536f750abe2
Log: Fixed bug #78154
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC