 [2020-08-16 08:23 UTC] 1126774947 at qq dot com
 
-Summary: stream_socket_client be called by
          call_user_func_array with wrong param and cau
+Summary: exec function execute code and cause crash with
          call_user_func_array
  [2020-08-16 08:23 UTC] 1126774947 at qq dot com
  [2020-08-16 08:51 UTC] requinix@php.net
  [2020-08-17 08:51 UTC] cmb@php.net
  [2020-08-18 17:52 UTC] cmb@php.net
 
-Status:           Open
+Status:           Verified
-Operating System: ubuntu 16.04
+Operating System: *
-Assigned To:
+Assigned To:      cmb
  [2020-08-24 13:04 UTC] cmb@php.net
 
-Summary: exec function execute code and cause crash with
          call_user_func_array
+Summary: passing value to by-ref param via CUFA crashes
  [2020-08-24 13:04 UTC] cmb@php.net
  [2020-08-24 13:04 UTC] cmb@php.net
 
-Status: Verified
+Status: Closed
Description:
------------
When exec is called through call_user_function_array with wrong params, it causes a segmentation fault but still executes the code.

Backtrace:

#0  php_exec_ex (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070, mode=0) at /tmp/tmp/php-src/ext/standard/exec.c:214
#1  0x00000000006cf3d5 in zif_exec (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070) at /tmp/tmp/php-src/ext/standard/exec.c:263
#2  0x00000000008afcb4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/tmp/php-src/Zend/zend_vm_execute.h:1730
#3  0x0000000000914c75 in execute_ex (ex=0x7ffff3e15020) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:53828
#4  0x0000000000918d53 in zend_execute (op_array=0x7ffff3e03100, return_value=0x0) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:57920
#5  0x000000000083be3c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/tmp/php-src/Zend/zend.c:1678
#6  0x000000000079cc72 in php_execute_script (primary_file=0x7fffffffca30) at /tmp/tmp/php-src/main/main.c:2621
#7  0x000000000092500a in php_cli_server_dispatch_script (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2077
#8  0x0000000000925819 in php_cli_server_dispatch (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2248
#9  0x00000000009261cc in php_cli_server_recv_event_read_request (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2492
#10 0x00000000009265b1 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffcc90, fd=4, event=1) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2578
#11 0x0000000000922138 in php_cli_server_poller_iter_on_active (poller=0x141c328 <server+8>, opaque=0x7fffffffcc90, callback=0x92635b <php_cli_server_do_event_for_each_fd_callback>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:919
#12 0x0000000000926647 in php_cli_server_do_event_for_each_fd (server=0x141c320 <server>, rhandler=0x926064 <php_cli_server_recv_event_read_request>, whandler=0x926207 <php_cli_server_send_event>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2596
#13 0x00000000009266cf in php_cli_server_do_event_loop (server=0x141c320 <server>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2606
#14 0x0000000000926a7b in do_cli_server (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2734
#15 0x000000000091ca7d in main (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli.c:1362

After executing the code:

php: /tmp/tmp/php-src/ext/standard/exec.c:254: php_exec_ex: Assertion `(zval_get_type(&(*(ret_code))) == 10)' failed.

#0  0x00007ffff6a82428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff6a8402a in __GI_abort () at abort.c:89
#2  0x00007ffff6a7abd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0xf965a0 "(zval_get_type(&(*(ret_code))) == 10)", file=file@entry=0xf964e0 "/tmp/tmp/php-src/ext/standard/exec.c", line=line@entry=254, function=function@entry=0xf96928 <__PRETTY_FUNCTION__.17203> "php_exec_ex") at assert.c:92
#3  0x00007ffff6a7ac82 in __GI___assert_fail (assertion=0xf965a0 "(zval_get_type(&(*(ret_code))) == 10)", file=0xf964e0 "/tmp/tmp/php-src/ext/standard/exec.c", line=254, function=0xf96928 <__PRETTY_FUNCTION__.17203> "php_exec_ex") at assert.c:101
#4  0x00000000006cf316 in php_exec_ex (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070, mode=0) at /tmp/tmp/php-src/ext/standard/exec.c:254
#5  0x00000000006cf3d5 in zif_exec (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070) at /tmp/tmp/php-src/ext/standard/exec.c:263
#6  0x00000000008afcb4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/tmp/php-src/Zend/zend_vm_execute.h:1730
#7  0x0000000000914c75 in execute_ex (ex=0x7ffff3e15020) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:53828
#8  0x0000000000918d53 in zend_execute (op_array=0x7ffff3e03100, return_value=0x0) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:57920
#9  0x000000000083be3c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/tmp/php-src/Zend/zend.c:1678
#10 0x000000000079cc72 in php_execute_script (primary_file=0x7fffffffca30) at /tmp/tmp/php-src/main/main.c:2621
#11 0x000000000092500a in php_cli_server_dispatch_script (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2077
#12 0x0000000000925819 in php_cli_server_dispatch (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2248
#13 0x00000000009261cc in php_cli_server_recv_event_read_request (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2492
#14 0x00000000009265b1 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffcc90, fd=4, event=1) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2578
#15 0x0000000000922138 in php_cli_server_poller_iter_on_active (poller=0x141c328 <server+8>, opaque=0x7fffffffcc90, callback=0x92635b <php_cli_server_do_event_for_each_fd_callback>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:919
#16 0x0000000000926647 in php_cli_server_do_event_for_each_fd (server=0x141c320 <server>, rhandler=0x926064 <php_cli_server_recv_event_read_request>, whandler=0x926207 <php_cli_server_send_event>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2596
#17 0x00000000009266cf in php_cli_server_do_event_loop (server=0x141c320 <server>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2606
#18 0x0000000000926a7b in do_cli_server (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2734
#19 0x000000000091ca7d in main (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli.c:1362

Test script:
---------------
<?php
call_user_func_array("exec",["echo '<?php phpinfo();?>' > bbb.php","??????","????"]);

Expected result:
----------------
PHP Warning: Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1
Warning: Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1
PHP Warning: Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1
Warning: Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1

Actual result:
--------------
Warning: Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1
Warning: Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1
Segmentation fault (core dumped)
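
The report above turns on plain values reaching by-reference parameters through call_user_func_array. As an added example (not part of the bug report or of php-src), here is a caller-side wrapper that inspects the callee's signature and binds a real reference to every by-ref parameter before dispatch; `call_with_bound_refs` is a hypothetical helper name and the `preg_match` input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP): dispatch a callable through
// call_user_func_array() so that every by-reference parameter receives a
// real reference instead of a plain value.
function call_with_bound_refs(callable $callable, array $args): array
{
    $params = (new ReflectionFunction(Closure::fromCallable($callable)))->getParameters();
    $last   = end($params) ?: null;
    $slots  = [];   // storage that by-ref parameters write into
    $bound  = [];   // argument list actually handed to the callee

    foreach (array_values($args) as $i => $value) {
        // Extra arguments map onto a trailing variadic parameter, if any.
        $param = $params[$i] ?? ($last !== null && $last->isVariadic() ? $last : null);
        if ($param === null) {
            throw new ArgumentCountError("argument $i has no matching parameter");
        }
        if ($param->isPassedByReference()) {
            $slots[$i] = $value;        // initial value of the output slot
            $bound[$i] = &$slots[$i];   // the callee sees a reference
        } else {
            $bound[$i] = $value;
        }
    }

    $result = call_user_func_array($callable, $bound);
    return ['result' => $result, 'refs' => $slots];
}

// Constructed sample: preg_match() takes its third parameter by reference.
$out = call_with_bound_refs('preg_match', ['/id=(\d+)/', 'id=42', null]);
var_dump($out['result']);
print_r($out['refs'][2]);
```

The `refs` entry is keyed by argument position, so a caller can read back whatever the callee wrote into each by-reference slot.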