PHP :: Bug #70077 :: Segfault / stack corruption in zend_call_function (zend_execute

Bug #70077

Segfault / stack corruption in zend_call_function (zend_execute_API.c:696)

Submitted:

2015-07-14 18:01 UTC

Modified:

2015-08-16 04:23 UTC

Votes:	3
Avg. Score:	5.0 ± 0.0
Reproduced:	3 of 3 (100.0%)
Same Version:	3 (100.0%)
Same OS:	2 (66.7%)

From:

brian dot carpenter at gmail dot com

Assigned:

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

7.0Git-2015-07-14 (Git)

OS:

Debian 7

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	brian dot carpenter at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-07-14 18:01 UTC] brian dot carpenter at gmail dot com

Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: Jul 12 2015 03:27:06) I came across a script that causes a segfault (and possible stack corruption) in zend_call_function (zend_execute_API.c:696). It also appears to affect PHP 5.4.41-0+deb7u1 (cli) (built: May 22 2015 12:49:18).



Test script:
---------------
<?php
class wp0{private$d;function __get($e){$wp0=new wp0;$wp0->e;}}function c(){(0);}$wp0=new wp0;$wp0->i;

Expected result:
----------------
No crash.

Actual result:
--------------
==12935== Stack overflow in thread 1: can't grow stack to 0x7fe801fe8
==12935==
==12935== Process terminating with default action of signal 11 (SIGSEGV)
==12935==  Access not within mapped region at address 0x7FE801FE8
==12935==    at 0x1622978: zend_call_method (zend_interfaces.c:43)
==12935==  If you believe this happened as a result of a stack
==12935==  overflow in your program's main thread (unlikely but
==12935==  possible), you can try to increase the size of the
==12935==  main thread stack using the --main-stacksize= flag.
==12935==  The main thread stack size used in this run was 8388608.
==12935== Stack overflow in thread 1: can't grow stack to 0x7fe801fe0
==12935==
==12935== Process terminating with default action of signal 11 (SIGSEGV)
==12935==  Access not within mapped region at address 0x7FE801FE0
==12935==    at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58)
==12935==  If you believe this happened as a result of a stack
==12935==  overflow in your program's main thread (unlikely but
==12935==  possible), you can try to increase the size of the
==12935==  main thread stack using the --main-stacksize= flag.
==12935==  The main thread stack size used in this run was 8388608.
Segmentation fault

Starting program: /home/geeknik/php-src/sapi/cli/php test00-min
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000014d38f8 in zend_call_function (fci=0x7fffff7ff180,
    fci_cache=0x7fffff7ff150)
    at /home/geeknik/php-src/Zend/zend_execute_API.c:696
696             if (!EG(active)) {
(gdb) bt
#0  0x00000000014d38f8 in zend_call_function (fci=0x7fffff7ff180,
    fci_cache=0x7fffff7ff150)
    at /home/geeknik/php-src/Zend/zend_execute_API.c:696
#1  0x0000000065675f00 in ?? ()
#2  0x00007ffff5b04660 in ?? ()
#3  0x00007fffff7ff1d0 in ?? ()
#4  0x00007fffff7ff1d0 in ?? ()
#5  0x0000000000000000 in ?? ()
(gdb) i r
rax            0x7ffff5ab2dd0   140737315024336
rbx            0x7fffff7ff2a0   140737479963296
rcx            0x7ffff5b04660   140737315358304
rdx            0x65675f00       1701273344
rsi            0x7fffff7ff150   140737479962960
rdi            0x7fffff7ff180   140737479963008
rbp            0x1      0x1
rsp            0x7fffff7fef78   0x7fffff7fef78
r8             0x5      5
r9             0x7ffff6003118   140737320595736
r10            0x7ffff6003230   140737320596016
r11            0x5      5
r12            0x7fffff7ff180   140737479963008
r13            0x2056ba0        33909664
r14            0x0      0
r15            0x7ffff6003018   140737320595480
rip            0x14d38f8        0x14d38f8 <zend_call_function+136>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: fdacf7bfdade269be71df9a402726823.9a75f6ab0bd3a6de69a05282ade5ee5d
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: DestAv (8/22), AccessViolation (21/22)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-07-18 05:29 UTC] brian dot carpenter at gmail dot com

I've retested this with PHP 7.0.0-dev (cli) (built: Jul 15 2015 16:00:56) and the test case I provided still crashes:

==25286== Stack overflow in thread #1: can't grow stack to 0xffe801000
==25286== 
==25286== Process terminating with default action of signal 11 (SIGSEGV)
==25286==  Access not within mapped region at address 0xFFE801FF8
==25286== Stack overflow in thread #1: can't grow stack to 0xffe801000
==25286==    at 0x132137D: _emalloc (zend_alloc.c:2203)
==25286==  If you believe this happened as a result of a stack
==25286==  overflow in your program's main thread (unlikely but
==25286==  possible), you can try to increase the size of the
==25286==  main thread stack using the --main-stacksize= flag.
==25286==  The main thread stack size used in this run was 8388608.
==25286== Stack overflow in thread #1: can't grow stack to 0xffe801000
==25286== 
==25286== Process terminating with default action of signal 11 (SIGSEGV)
==25286==  Access not within mapped region at address 0xFFE801FF0
==25286== Stack overflow in thread #1: can't grow stack to 0xffe801000
==25286==    at 0x4A22620: _vgnU_freeres (vg_preloaded.c:58)
==25286==  If you believe this happened as a result of a stack
==25286==  overflow in your program's main thread (unlikely but
==25286==  possible), you can try to increase the size of the
==25286==  main thread stack using the --main-stacksize= flag.
==25286==  The main thread stack size used in this run was 8388608.
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00000000014f05b4 in zend_call_method ()
(gdb) bt
#0  0x00000000014f05b4 in zend_call_method ()
#1  0x00007ffff6003118 in ?? ()
#2  0x0000000001c45d4c in ?? ()
#3  0x0000000000000c08 in ?? ()
#4  0x000000000146209f in _zend_hash_add ()
#5  0x00007ffff5abeb90 in ?? ()
#6  0x00007ffff5b225a0 in ?? ()
#7  0x0000000000000000 in ?? ()
(gdb) i r
rax            0x0	0
rbx            0x7fffff7ff1c0	140737479963072
rcx            0x1c45d4c	29646156
rdx            0x7ffff6003118	140737320595736
rsi            0x7ffff6003018	140737320595480
rdi            0x7fffff7ff1c0	140737479963072
rbp            0x1	0x1
rsp            0x7fffff7fefa8	0x7fffff7fefa8
r8             0x5	5
r9             0x0	0
r10            0x7ffff5b1e7e0	140737315465184
r11            0x7ffff5b225a0	140737315480992
r12            0x7ffff5abeb90	140737315072912
r13            0x7ffff60640e0	140737320992992
r14            0x7ffff6003018	140737320595480
r15            0x7ffff6003118	140737320595736
rip            0x14f05b4	0x14f05b4 <zend_call_method+148>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

[2015-07-18 05:38 UTC] stas@php.net

-Type: Security +Type: Bug

[2015-07-18 05:49 UTC] brian dot carpenter at gmail dot com

According to 3v4l.org, this code crashes every version between PHP 5.0.0 and 7.0.0alpha2.

[2015-08-03 10:31 UTC] dmitry@php.net

-Status: Open +Status: Feedback

[2015-08-03 10:31 UTC] dmitry@php.net

This is not a stack corruption.
This is a stack overflow caused by infinity recursion in PHP code.
I wouldn't interpret this like a bug at all.

[2015-08-16 04:23 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 16:01:28 2024 UTC