PHP :: Bug #73755 :: Infinite recursion within unset() leads to SEGV

Bug #73755	Infinite recursion within unset() leads to SEGV
Submitted:	2016-12-16 01:58 UTC	Modified:	2018-11-08 02:16 UTC
From:	kshah at fortinet dot com	Assigned:	dmitry (profile)
Status:	Assigned	Package:	Arrays related
PHP Version:	master-Git-2016-12-16 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	kshah at fortinet dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-12-16 01:58 UTC] kshah at fortinet dot com

Description:
------------
There exists a Stack Corruption Vulnerability leading to Arbitrary Code Execution within the latest PHP client.

In order to reproduce this issue, please do the following.

1) Compile PHP 7.2.0 Master Git using address sanitizer and the flag USE_ZEND_ALLOC=0.

2) Run the PoC.php test script using the php cli client.

The issue exists due to the incorrect handling of the unset function.

Test script:
---------------
https://www.dropbox.com/s/kgxye17o9gixdkh/PoC.php?dl=0

Expected result:
----------------
root@kali:~/Downloads# /root/Downloads/php-src/sapi/cli/php original.php 
===ArrayOverloading===
ArrayAccessReferenceProxy::__construct(0)
ArrayAccessReferenceProxy::offsetUnset(0, name)
ArrayAccessReferenceProxy::__construct(0)
object(ArrayAccessReferenceProxy)#1 (3) {
  ["object":"ArrayAccessReferenceProxy":private]=>
  object(Peoples)#2 (1) {
    ["person"]=>
    &array(1) {
      [0]=>
      array(0) {
      }
    }
  }
  ["oarray":"ArrayAccessReferenceProxy":private]=>
  &array(1) {
    [0]=>
    array(0) {
    }
  }
  ["element":"ArrayAccessReferenceProxy":private]=>
  int(0)
}
===DONE===

Actual result:
--------------
Starting program: /root/Downloads/php-src/sapi/cli/php /root/Downloads/php-out_crashes/PoC.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x812cd218 in i_init_execute_data (return_value=0x81a5b000, 
    op_array=0xb5a0368c, execute_data=0xb56686d0)
    at /root/Downloads/php-src/Zend/zend_execute.c:2226
2226		if (EX_CALL_INFO() & ZEND_CALL_HAS_SYMBOL_TABLE) {
#0  0x812cd218 in i_init_execute_data (return_value=0x81a5b000, 
    op_array=0xb5a0368c, execute_data=0xb56686d0)
    at /root/Downloads/php-src/Zend/zend_execute.c:2226
#1  zend_init_execute_data (
    execute_data=0x812cd1c7 <zend_init_execute_data+55>, op_array=0x81a5b000, 
    return_value=0x81a5b000)
    at /root/Downloads/php-src/Zend/zend_execute.c:2299
#2  0x00000001 in ?? ()
#3  0x812cd1c7 in zend_init_execute_data (execute_data=0xb56686d0, 
    op_array=0xb5a0368c, return_value=0xb56686c0)
    at /root/Downloads/php-src/Zend/zend_execute.c:2297
#4  0x80eb4c77 in zend_call_function (fci=0xbf800148, fci_cache=0xbf800114)
    at /root/Downloads/php-src/Zend/zend_execute_API.c:833
#5  0x8101cc66 in zend_call_method (object=0xb5683e78, obj_ce=0xb5a0342c, 
    fn_proxy=0x0, function_name=0x81899f24 "offsetget", function_name_len=9, 
    retval_ptr=0xb56686c0, param_count=1, arg1=0xb56686b0, arg2=0x0)
    at /root/Downloads/php-src/Zend/zend_interfaces.c:99
#6  0x810ba76a in zend_std_read_dimension (object=0xb5683e78, 
    offset=0xb56686b0, type=5, rv=0xb56686c0)
    at /root/Downloads/php-src/Zend/zend_object_handlers.c:792
#7  0x811b5ffd in zend_fetch_dimension_address (type=5, dim_type=6, 
    dim=<optimized out>, container=0xb5683e78, result=0xb56686c0)
    at /root/Downloads/php-src/Zend/zend_execute.c:1718
#8  zend_fetch_dimension_address_UNSET (result=0xb56686c0, 
    container_ptr=<optimized out>, dim=0xb56686b0, dim_type=6)
    at /root/Downloads/php-src/Zend/zend_execute.c:1794
#9  0x811b74fe in ZEND_FETCH_DIM_UNSET_SPEC_VAR_TMPVAR_HANDLER ()
    at /root/Downloads/php-src/Zend/zend_vm_execute.h:24951
#10 0x8126d712 in execute_ex (ex=0xb5668610)
    at /root/Downloads/php-src/Zend/zend_vm_execute.h:429
#11 0x80eb4c84 in zend_call_function (fci=0xbf800398, fci_cache=0xbf800364)
    at /root/Downloads/php-src/Zend/zend_execute_API.c:834
#12 0x8101cc66 in zend_call_method (object=0xb5668600, obj_ce=0xb5a0300c, 
    fn_proxy=0x0, function_name=0x81899f45 "offsetunset", 
    function_name_len=11, retval_ptr=0x0, param_count=1, arg1=0xb5668580, 
    arg2=0x0) at /root/Downloads/php-src/Zend/zend_interfaces.c:99
#13 0x810ba254 in zend_std_unset_dimension (object=0xb5668600, 
    offset=0xb5668580)
    at /root/Downloads/php-src/Zend/zend_object_handlers.c:1012
#14 0x8121aed7 in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER ()
    at /root/Downloads/php-src/Zend/zend_vm_execute.h:24100
#15 0x8126d712 in execute_ex (ex=0xb5668550)
    at /root/Downloads/php-src/Zend/zend_vm_execute.h:429
Quit
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 311968a4ab3347ac6bec733a47e2f47e.fe407b7ea324997767071bf04ab8a725
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: DestAv (8/22), AccessViolation (21/22)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-12-16 07:21 UTC] kshah at fortinet dot com

The issue exists even when compiled with ASAN, Without setting the USE_ZEND_ALLOC=0 flag.

[2016-12-19 08:05 UTC] dmitry@php.net

-Status: Open +Status: Feedback

[2016-12-19 08:05 UTC] dmitry@php.net

The crash occurs because of CPU stack overflow, caused by infinity recursion.

unset() -> offsetUnset() -> [offsetGet() -> new ArrayAccessReferenceProxy()] -> unset()

[2016-12-20 07:32 UTC] stas@php.net

-Status: Feedback +Status: Not a bug

[2016-12-20 07:32 UTC] stas@php.net

Doesn't seem to be a bug then.

[2016-12-20 07:33 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-12-20 17:11 UTC] kshah at fortinet dot com

-Type: Bug +Type: Security -Private report: No +Private report: Yes

[2016-12-20 17:11 UTC] kshah at fortinet dot com

The issue is due to stack buffer overflow and not stack overflow.

I am sharing the gdb output(including gdb exploitable) below. Also the following gdb output is obtained on a basic build of php.


Starting program: /root/Downloads/php-no-asan/php-src/sapi/cli/php /root/Downloads/PoC.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555558fc5a9 in zend_call_function (fci=fci@entry=0x7fffff7ff0c0, fci_cache=fci_cache@entry=0x7fffff7ff090)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:709
709		} else if (EG(current_execute_data)->func &&
#0  0x00005555558fc5a9 in zend_call_function (fci=fci@entry=0x7fffff7ff0c0, fci_cache=fci_cache@entry=0x7fffff7ff090)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:709
#1  0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff349a7a8, obj_ce=obj_ce@entry=0x7ffff38046d0, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebc8 "offsetget", 
    function_name_len=function_name_len@entry=9, retval_ptr=retval_ptr@entry=0x7ffff3480950, param_count=1, arg1=0x7ffff3480940, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#2  0x0000555555943f43 in zend_std_read_dimension (object=0x7ffff349a7a8, offset=0x7ffff3480940, type=5, rv=0x7ffff3480950)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:792
#3  0x000055555597d1b3 in zend_fetch_dimension_address (type=5, dim_type=6, dim=0x7ffff3480940, container=0x7ffff349a7a8, 
    result=0x7ffff3480950) at /root/Downloads/php-no-asan/php-src/Zend/zend_execute.c:1718
#4  zend_fetch_dimension_address_UNSET (result=0x7ffff3480950, container_ptr=<optimized out>, dim=dim@entry=0x7ffff3480940, 
    dim_type=dim_type@entry=6) at /root/Downloads/php-no-asan/php-src/Zend/zend_execute.c:1794
#5  0x000055555597d7ec in ZEND_FETCH_DIM_UNSET_SPEC_VAR_TMPVAR_HANDLER ()
    at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24951
#6  0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#7  0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff7ff390, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7ff360)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#8  0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff3480860, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff34807d0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#9  0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff3480860, offset=0x7ffff34807d0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#10 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#11 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#12 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff7ff610, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7ff5e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#13 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff3480770, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff34806e0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#14 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff3480770, offset=0x7ffff34806e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#15 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#16 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#17 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff7ff890, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7ff860)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#18 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff3480680, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff34805f0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#19 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff3480680, offset=0x7ffff34805f0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#20 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#21 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#22 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff7ffb10, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7ffae0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#23 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff3480590, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480500, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#24 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff3480590, offset=0x7ffff3480500)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#25 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#26 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#27 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff7ffd90, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7ffd60)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#28 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff34804a0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480410, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#29 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff34804a0, offset=0x7ffff3480410)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#30 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#31 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#32 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800010, fci_cache=<optimized out>, fci_cache@entry=0x7fffff7fffe0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#33 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff34803b0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480320, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#34 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff34803b0, offset=0x7ffff3480320)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#35 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#36 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#37 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800290, fci_cache=<optimized out>, fci_cache@entry=0x7fffff800260)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#38 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff34802c0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480230, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#39 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff34802c0, offset=0x7ffff3480230)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#40 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#41 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#42 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800510, fci_cache=<optimized out>, fci_cache@entry=0x7fffff8004e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#43 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff34801d0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480140, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#44 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff34801d0, offset=0x7ffff3480140)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#45 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#46 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#47 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800790, fci_cache=<optimized out>, fci_cache@entry=0x7fffff800760)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#48 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff34800e0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3480050, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#49 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff34800e0, offset=0x7ffff3480050)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#50 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#51 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#52 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800a10, fci_cache=<optimized out>, fci_cache@entry=0x7fffff8009e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#53 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fff0, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347ff60, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#54 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fff0, offset=0x7ffff347ff60)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#55 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#56 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#57 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800c90, fci_cache=<optimized out>, fci_cache@entry=0x7fffff800c60)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#58 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347ff00, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347fe70, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#59 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347ff00, offset=0x7ffff347fe70)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#60 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#61 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#62 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff800f10, fci_cache=<optimized out>, fci_cache@entry=0x7fffff800ee0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#63 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fe10, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347fd80, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#64 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fe10, offset=0x7ffff347fd80)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#65 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#66 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#67 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801190, fci_cache=<optimized out>, fci_cache@entry=0x7fffff801160)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#68 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fd20, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347fc90, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#69 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fd20, offset=0x7ffff347fc90)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#70 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#71 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#72 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801410, fci_cache=<optimized out>, fci_cache@entry=0x7fffff8013e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#73 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fc30, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347fba0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#74 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fc30, offset=0x7ffff347fba0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#75 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#76 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#77 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801690, fci_cache=<optimized out>, fci_cache@entry=0x7fffff801660)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#78 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fb40, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347fab0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#79 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fb40, offset=0x7ffff347fab0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#80 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#81 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#82 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801910, fci_cache=<optimized out>, fci_cache@entry=0x7fffff8018e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#83 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347fa50, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347f9c0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#84 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347fa50, offset=0x7ffff347f9c0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#85 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#86 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#87 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801b90, fci_cache=<optimized out>, fci_cache@entry=0x7fffff801b60)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#88 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347f960, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347f8d0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#89 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347f960, offset=0x7ffff347f8d0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#90 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#91 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#92 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff801e10, fci_cache=<optimized out>, fci_cache@entry=0x7fffff801de0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#93 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347f870, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347f7e0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#94 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347f870, offset=0x7ffff347f7e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#95 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#96 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#97 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff802090, fci_cache=<optimized out>, fci_cache@entry=0x7fffff802060)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#98 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347f780, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347f6f0, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#99 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347f780, offset=0x7ffff347f6f0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#100 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#101 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#102 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff802310, fci_cache=<optimized out>, fci_cache@entry=0x7fffff8022e0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_execute_API.c:834
#103 0x0000555555928e5a in zend_call_method (object=object@entry=0x7ffff347f690, obj_ce=obj_ce@entry=0x7ffff3804018, 
    fn_proxy=fn_proxy@entry=0x0, function_name=function_name@entry=0x555555f4ebe9 "offsetunset", 
    function_name_len=function_name_len@entry=11, retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff347f600, arg2=0x0)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_interfaces.c:99
#104 0x0000555555943da4 in zend_std_unset_dimension (object=0x7ffff347f690, offset=0x7ffff347f600)
    at /root/Downloads/php-no-asan/php-src/Zend/zend_object_handlers.c:1012
#105 0x000055555599510e in ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER () at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:24100
#106 0x00005555559530ab in execute_ex (ex=<optimized out>) at /root/Downloads/php-no-asan/php-src/Zend/zend_vm_execute.h:429
#107 0x00005555558fcd38 in zend_call_function (fci=fci@entry=0x7fffff802590, fci_cache=<optimized out>, fci_cache@entry=0x7fffff802560)
 at /Quit
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 20c8ea8a693bb31ed3f25e1f0ad3638a.f6dc8658ac2024ac41f2c066f411f7d9
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: DestAv (8/22), AccessViolation (21/22)

[2016-12-20 17:16 UTC] kshah at fortinet dot com

Also as previously discussed with stas over email, the issue exists in latest php git build, php released versions 7.0.12, 7.1 and maybe more on Linux platform.

[2017-01-05 19:48 UTC] kshah at fortinet dot com

PHP Security Team, Any Update??

[2017-01-05 21:28 UTC] stas@php.net

-Status: Not a bug +Status: Open -Assigned To: +Assigned To: dmitry

[2017-01-05 21:28 UTC] stas@php.net

This definitely looks like infinite recursion, but if its buffer overflow may indicate some check missing in recursion handling. Dmitry, could you take another look and see if there's not anything we have missed?

In any case, not a security issue, please refer to https://wiki.php.net/security for classification.

[2017-01-05 21:29 UTC] stas@php.net

-Summary: FG-VD-16-092 : Stack Corruption leading to Arbitrary Code Execution +Summary: Infinite recursion within unset() leads to SEGV

[2017-01-05 21:46 UTC] kshah at fortinet dot com

I looked at the classification on https://wiki.php.net/security and I was unable to see how this is "not" a security issue. 

Could you explain how it is not a security issue.

[2018-11-01 09:41 UTC] ryan dot jentzsch at gmail dot com

Looks to be fixed in version 7.2.10 running this code produces:
PHP Fatal error:  Uncaught Error: Maximum function nesting level of '256' reached, aborting!

Linux Mint 19 (Tara)
Kernel 4.19

[2018-11-07 22:05 UTC] stas@php.net

-Type: Security +Type: Bug

[2018-11-08 01:17 UTC] yohgaki@php.net

256 may be too small. A thousand is the limit for Ruby/Python.

Anyway, I thought we don't have arbitrary recursion limit like Perl and let PHP consume stack until system limit, i.e. segfault. If PHP is going to have recursion limit, it should be configurable via INI. IMO.

[2018-11-08 02:16 UTC] yohgaki@php.net

Out of curiosity, I've tested the script on my system. I've got expected result. 

ArrayAccessReferenceProxy::__construct(0)
ArrayAccessReferenceProxy::offsetUnset(0, name)
Segmentation fault 

Kashah, I guess you are using Suhosin extension.
The stack limit error should come from it. (Or module like Suhosin that can limit stack usage at least)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC