Bug #77737 Heap corruption in zend_mm_gc
Submitted: 2019-03-13 15:19 UTC
Modified: 2019-03-13 16:14 UTC
From: bugs-syssec at rub dot de
Assigned:
Status: Duplicate
Package: *General Issues
PHP Version: 7.3.3
OS: Linux
Private report: No
CVE-ID: None

 [2019-03-13 15:19 UTC] bugs-syssec at rub dot de
Description:
------------
$ ./php --version
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
<?php

$a = strtotime(A);
spl_autoload($a);
gc_mem_caches();

Expected result:
----------------
No crash.

Actual result:
--------------
==12423== Memcheck, a memory error detector
==12423== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12423== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12423== Command: ./php-plain heap_corrption-1-zend_mm_gc.php
==12423== 
==12423== Invalid read of size 8
==12423==    at 0x36EB93: zend_mm_gc.part.11 (zend_alloc.c:1949)
==12423==    by 0x3AB737: zif_gc_mem_caches (zend_builtin_functions.c:356)
==12423==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12423==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12423==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12423==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12423==    by 0x336457: php_execute_script (main.c:2630)
==12423==    by 0x42597D: do_cli (php_cli.c:997)
==12423==    by 0x1E49B1: main (php_cli.c:1389)
==12423==  Address 0x646a00000 is not stack'd, malloc'd or (recently) free'd
==12423== 
==12423== 
==12423== Process terminating with default action of signal 11 (SIGSEGV)
==12423==  Access not within mapped region at address 0x646A00000
==12423==    at 0x36EB93: zend_mm_gc.part.11 (zend_alloc.c:1949)
==12423==    by 0x3AB737: zif_gc_mem_caches (zend_builtin_functions.c:356)
==12423==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12423==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12423==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12423==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12423==    by 0x336457: php_execute_script (main.c:2630)
==12423==    by 0x42597D: do_cli (php_cli.c:997)
==12423==    by 0x1E49B1: main (php_cli.c:1389)
==12423==  If you believe this happened as a result of a stack
==12423==  overflow in your program's main thread (unlikely but
==12423==  possible), you can try to increase the size of the
==12423==  main thread stack using the --main-stacksize= flag.
==12423==  The main thread stack size used in this run was 8388608.
==12423== 
==12423== HEAP SUMMARY:
==12423==     in use at exit: 922,523 bytes in 6,198 blocks
==12423==   total heap usage: 6,622 allocs, 424 frees, 1,125,821 bytes allocated
==12423== 
==12423== LEAK SUMMARY:
==12423==    definitely lost: 0 bytes in 0 blocks
==12423==    indirectly lost: 0 bytes in 0 blocks
==12423==      possibly lost: 692,368 bytes in 5,247 blocks
==12423==    still reachable: 230,155 bytes in 951 blocks
==12423==         suppressed: 0 bytes in 0 blocks
==12423== Rerun with --leak-check=full to see details of leaked memory
==12423== 
==12423== For counts of detected and suppressed errors, rerun with: -v
==12423== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


History

 [2019-03-13 16:14 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-03-13 16:14 UTC] nikic@php.net
Duplicate of bug #77736.
 