php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78658 Memory corruption using Closure::bindTo
Submitted: 2019-10-09 14:32 UTC Modified: 2019-10-09 14:53 UTC
From: leigh@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.3.10 OS: Linux
Private report: No CVE-ID: None
 [2019-10-09 14:32 UTC] leigh@php.net
Description:
------------
Test script produces a SEGFAULT on branches PHP-7.3, PHP-7.4 and master but not in PHP-7.2. Compiled with `--disable-all`. Found using AFL.

In the test script by the time it gets to the string interpolation with "CCCC" the zval already appears to be corrupt.

The memory location of a stdClass object on the end of the string instead of the requested characters.

Test script:
---------------
<?php

$c = function(){};

$scope = "AAAA";
$c->bindTo(new stdClass, $scope);

$scope = "{$scope}BBBB";
$c->bindTo(new stdClass, $scope);

$scope = "{$scope}CCCC"; // var_dump($scope); // string(12) "AAAABBBB"
$c->bindTo(new stdClass, $scope);

Expected result:
----------------
Exit code 0

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1956
1956                            ZEND_MM_CHECK(chunk->heap == heap, "zend_mm_heap corrupted");
(gdb) bt
#0  zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1956
#1  0x00005555557c950b in zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1946
#2  zend_mm_alloc_huge (heap=0x7ffff7a00040, size=93824997779152) at /home/leigh/php-src/Zend/zend_alloc.c:1808
#3  0x00005555557e73d1 in zend_string_alloc (persistent=0, len=93824997779120) at /home/leigh/php-src/Zend/zend_string.h:133
#4  zend_string_tolower_ex (str=0x7ffff7a6a938, persistent=persistent@entry=0) at /home/leigh/php-src/Zend/zend_operators.c:2686
#5  0x00005555557e29f7 in zend_lookup_class_ex (name=name@entry=0x7ffff7a6a938, key=key@entry=0x0, use_autoload=use_autoload@entry=1) at /home/leigh/php-src/Zend/zend_execute_API.c:851
#6  0x0000555555817293 in zim_Closure_bind (execute_data=<optimised out>, return_value=0x7fffffffa450) at /home/leigh/php-src/Zend/zend_closures.c:201
#7  0x000055555587375e in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:984
#8  execute_ex (ex=0x6262626261600000) at /home/leigh/php-src/Zend/zend_vm_execute.h:55493
#9  0x0000555555875230 in zend_execute (op_array=op_array@entry=0x7ffff7a7f2a0, return_value=0x0, return_value@entry=0x7ffff7a1d030) at /home/leigh/php-src/Zend/zend_vm_execute.h:60889
#10 0x00005555557f0239 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff7a1d030, retval@entry=0x0, file_count=file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1568
#11 0x000055555578f440 in php_execute_script (primary_file=<optimised out>) at /home/leigh/php-src/main/main.c:2639
#12 0x000055555587770e in do_cli (argc=2, argv=0x555555a96860) at /home/leigh/php-src/sapi/cli/php_cli.c:997
#13 0x0000555555648bcd in main (argc=2, argv=0x555555a96860) at /home/leigh/php-src/sapi/cli/php_cli.c:1389

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-09 14:35 UTC] leigh@php.net
-Operating System: +Operating System: Linux
 [2019-10-09 14:53 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-10-09 14:53 UTC] nikic@php.net
<?php
$c = function(){};
$scope = "AAAA";
$scope = "{$scope}BBBB";
$c->bindTo(new stdClass, $scope);

Valgrind:

==15287== Invalid read of size 4
==15287==    at 0xA2A3CF: zend_gc_delref (zend_types.h:995)
==15287==    by 0xA2A6A4: i_zval_ptr_dtor (zend_variables.h:43)
==15287==    by 0xA2A91E: zval_ptr_dtor (zend_variables.c:111)
==15287==    by 0xA44610: _zend_hash_del_el_ex (zend_hash.c:1182)
==15287==    by 0xA446F0: _zend_hash_del_el (zend_hash.c:1205)
==15287==    by 0xA46034: zend_hash_graceful_reverse_destroy (zend_hash.c:1659)
==15287==    by 0xA14CDA: shutdown_executor (zend_execute_API.c:289)
==15287==    by 0xA2D1C8: zend_deactivate (zend.c:1104)
==15287==    by 0x9926EC: php_request_shutdown (main.c:1930)
==15287==    by 0xB0DBAA: do_cli (php_cli.c:1164)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==  Address 0x10ce6560 is 0 bytes inside a block of size 40 free'd
==15287==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15287==    by 0x9F5D9A: _efree (zend_alloc.c:2515)
==15287==    by 0xA2A832: zend_string_destroy (zend_variables.c:74)
==15287==    by 0xA2A731: rc_dtor_func (zend_variables.c:65)
==15287==    by 0xA8E215: zend_vm_stack_free_args (zend_execute.h:261)
==15287==    by 0xA988B5: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:999)
==15287==    by 0xB04EAD: execute_ex (zend_vm_execute.h:55493)
==15287==    by 0xB0A492: zend_execute (zend_vm_execute.h:60889)
==15287==    by 0xA2E798: zend_execute_scripts (zend.c:1568)
==15287==    by 0x993CDD: php_execute_script (main.c:2639)
==15287==    by 0xB0D2A2: do_cli (php_cli.c:997)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==  Block was alloc'd at
==15287==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15287==    by 0x9F6A42: __zend_malloc (zend_alloc.c:2908)
==15287==    by 0x9F5CF3: _emalloc (zend_alloc.c:2501)
==15287==    by 0xA8C90C: zend_string_alloc (zend_string.h:133)
==15287==    by 0xAEEFBF: ZEND_FAST_CONCAT_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:41068)
==15287==    by 0xB092FA: execute_ex (zend_vm_execute.h:59789)
==15287==    by 0xB0A492: zend_execute (zend_vm_execute.h:60889)
==15287==    by 0xA2E798: zend_execute_scripts (zend.c:1568)
==15287==    by 0x993CDD: php_execute_script (main.c:2639)
==15287==    by 0xB0D2A2: do_cli (php_cli.c:997)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==
 [2019-10-09 15:01 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fd6ad8f53f68154fa23de25f400d89ae29d54d0
Log: Fixed bug #78658
 [2019-10-09 15:01 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 17:01:29 2024 UTC