Bug #81091 SIGSEGV (Address boundary error) in zend_mm_alloc_small
Submitted: 2021-05-31 12:39 UTC Modified: 2021-06-03 17:16 UTC
From: rafal dot janiczek at gmail dot com Assigned:
Status: Open Package: ssh2 (PECL)
PHP Version: 7.4.19 OS: Linux
Private report: No CVE-ID: None
 [2021-05-31 12:39 UTC] rafal dot janiczek at gmail dot com
Description:
------------
CLI script crashes after loading ~15 classes via composer (2.0.14). Same with PHP 8.0.5.

vendor/composer/ClassLoader.php:478 includeFile() (just after include $file)

'php fetcher.one.php mini-virt' terminated by signal SIGSEGV (Address boundary error)


Actual result:
--------------
#0  zend_mm_alloc_small (bin_num=0, heap=0x7f1157200040) at ./Zend/zend_alloc.c:1255
#1  _emalloc_8 () at ./Zend/zend_alloc.c:2466
#2  0x0000560638d7dd12 in init_op_array (op_array=op_array@entry=0x7f1157212440, type=type@entry=2 '\002', initial_ops_size=initial_ops_size@entry=64) at ./Zend/zend_opcode.c:53
#3  0x0000560638d76665 in zend_compile_func_decl (result=0x0, ast=0x7f1157264810, toplevel=<optimized out>) at ./Zend/zend_compile.c:5992
#4  0x0000560638d755dc in zend_compile_stmt (ast=0x7f1157264810) at ./Zend/zend_compile.c:8550
#5  0x0000560638d7656f in zend_compile_stmt_list (ast=ast@entry=0x7f1157266288) at ./Zend/zend_compile.c:5271
#6  0x0000560638d755c7 in zend_compile_stmt (ast=ast@entry=0x7f1157266288) at ./Zend/zend_compile.c:8494
#7  0x0000560638d772f0 in zend_compile_class_decl (ast=0x7f11572664e0, toplevel=<optimized out>) at ./Zend/zend_compile.c:6482
#8  0x0000560638d78277 in zend_compile_top_stmt (ast=0x7f11572664e0) at ./Zend/zend_compile.c:8469
#9  0x0000560638d782a0 in zend_compile_top_stmt (ast=0x7f1157262018) at ./Zend/zend_compile.c:8458
#10 0x0000560638d4f804 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:614
#11 0x0000560638d50f6a in compile_file (file_handle=0x7ffeacbb4120, type=2) at Zend/zend_language_scanner.l:650
#12 0x00007f115496b96d in phar_compile_file (file_handle=0x7ffeacbb4120, type=2) at ./ext/phar/phar.c:3323
#13 0x0000560638d50fe7 in compile_filename (type=type@entry=2, filename=filename@entry=0x7f1157213580) at Zend/zend_language_scanner.l:671
#14 0x0000560638dd5d27 in zend_include_or_eval (inc_filename=0x7f1157213580, type=2) at ./Zend/zend_execute.c:4299
#15 0x0000560638df2aee in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at ./Zend/zend_vm_execute.h:37797
#16 0x0000560638e0a869 in execute_ex (ex=0x7f1157200040) at ./Zend/zend_vm_execute.h:57041
#17 0x0000560638d7b41f in zend_call_function (fci=fci@entry=0x7ffeacbb4490, fci_cache=0x7f115727f090, fci_cache@entry=0x7ffeacbb4470) at ./Zend/zend_execute_API.c:820
#18 0x0000560638c85974 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>) at ./ext/spl/php_spl.c:452
#19 0x0000560638d7b33b in zend_call_function (fci=0x7ffeacbb4630, fci_cache=0x7ffeacbb4610) at ./Zend/zend_execute_API.c:833
#20 0x0000560638d7b9f5 in zend_lookup_class_ex (name=name@entry=0x7f11572d3480, key=0x7f11572d35c0, flags=flags@entry=512) at ./Zend/zend_execute_API.c:1002
#21 0x0000560638d7c243 in zend_fetch_class_by_name (class_name=0x7f11572d3480, key=<optimized out>, fetch_type=fetch_type@entry=512) at ./Zend/zend_execute_API.c:1433
#22 0x0000560638defe17 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:9255
#23 0x0000560638e0c017 in execute_ex (ex=0x7f1157200040) at ./Zend/zend_vm_execute.h:54651
#24 0x0000560638e13a4b in zend_execute (op_array=0x7f115727e2a0, return_value=0x0) at ./Zend/zend_vm_execute.h:57993
#25 0x0000560638d8a03c in zend_execute_scripts (type=type@entry=8, retval=0x7f115727ad60, retval@entry=0x0, file_count=1461793392, file_count@entry=3) at ./Zend/zend.c:1679
#26 0x0000560638d29810 in php_execute_script (primary_file=<optimized out>) at ./main/main.c:2621
#27 0x0000560638e15b8a in do_cli (argc=3, argv=0x56063a9cc1d0) at ./sapi/cli/php_cli.c:964
#28 0x0000560638beeed8 in main (argc=3, argv=0x56063a9cc1d0) at ./sapi/cli/php_cli.c:1359


History

 [2021-05-31 12:41 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-05-31 12:41 UTC] nikic@php.net
Is there some way to reproduce this issue? (What is the fetcher.one.php script here?)
 [2021-05-31 22:56 UTC] rafal dot janiczek at gmail dot com
-Status: Feedback +Status: Open
 [2021-05-31 22:56 UTC] rafal dot janiczek at gmail dot com
Simple repo to reproduce problem: https://github.com/erjotek/phpbug

You need to connect via ssh to a real server and try four "todos" in the code.
 [2021-06-01 07:27 UTC] nikic@php.net
-Package: Reproducible crash +Package: ssh2
 [2021-06-01 07:27 UTC] nikic@php.net
Based on the test case, this is very likely a bug in the ssh2 PECL extension, not in PHP, so transferring there.
 [2021-06-01 12:14 UTC] cmb@php.net
Are you using the latest ssh2 (1.3.1)? That has several stability and segfault fixes.
 [2021-06-03 17:16 UTC] rafal dot janiczek at gmail dot com
Yes, I use version 1.3.1.

The same problem occurs on:
- ubuntu (1.3.1+0.13-1+ubuntu20.04.1+deb.sury.org+1)
- alpine (php7-pecl-ssh2-1.3.1-r0 x86_64 {php7-pecl-ssh2})