php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70089 segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
Submitted: 2015-07-17 05:14 UTC Modified: 2015-07-17 08:00 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-17 (Git) OS: Debian 7
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2015-07-17 05:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: July 15 2015 16:00:56) with AFL (http://lcamtuf.coredump.cx/afl/), I found this script that segfaults at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (). Most likely a null ptr dereference.

Test script:
---------------
<?php
$a=ptr00tr();[];function ptr00tr(){for(;;){$o=chr(0)[0][]=0;}}

Expected result:
----------------
PHP 5.4.41-0+deb7u1 returns PHP Fatal error: Cannot use string offset as an array in test00-min on line 2.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
(gdb) bt
#0  0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
#1  0x00000000015dc493 in execute_ex ()
#2  0x00000000017fdee5 in zend_execute ()
#3  0x000000000141373c in zend_execute_scripts ()
#4  0x00000000011bf190 in php_execute_script ()
#5  0x0000000001805679 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#6  0x000000000043e2f1 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0	0
rbx            0x7ffff6013130	140737320661296
rcx            0x1	1
rdx            0x7ffff60554c0	140737320932544
rsi            0x7ffff6013140	140737320661312
rdi            0x4	4
rbp            0x7fffffffcfa0	0x7fffffffcfa0
rsp            0x7fffffffa920	0x7fffffffa920
r8             0x1fd37c0	33372096
r9             0x80	128
r10            0x0	0
r11            0x0	0
r12            0x7ffff60020f0	140737320591600
r13            0x1fd4820	33376288
r14            0x7ffff60130c0	140737320661184
r15            0x7ffff6086220	140737321132576
rip            0x1657b93	0x1657b93 <ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER+1267>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-17 05:29 UTC] brian dot carpenter at gmail dot com
Valgrind was delayed due to having to compile a new version to get an accurate read on things:

==4945== Invalid read of size 4
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==4945== 
==4945== 
==4945== Process terminating with default action of signal 11 (SIGSEGV)
==4945==  Access not within mapped region at address 0x8
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  If you believe this happened as a result of a stack
==4945==  overflow in your program's main thread (unlikely but
==4945==  possible), you can try to increase the size of the
==4945==  main thread stack using the --main-stacksize= flag.
==4945==  The main thread stack size used in this run was 8388608.
Segmentation fault
 [2015-07-17 08:00 UTC] laruence@php.net
-Summary: segfault in PHP 7 at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER () +Summary: segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
 [2015-07-17 08:01 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2015-07-17 08:01 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC