php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78702 Refreshable PHP crash
Submitted: 2019-10-21 05:18 UTC Modified: 2019-10-21 08:27 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: songmingxuan at cert dot org dot cn
New email:
PHP Version: OS:

 

 [2019-10-21 05:18 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      retu^n;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffff7ff618 --> 0x13 
RCX: 0x7fffff7ff620 --> 0x3000000008 
RDX: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
RSI: 0x1 
RDI: 0x7fffff7ff5d0 --> 0x0 
RBP: 0x25 ('%')
RSP: 0x7fffff7fefe8 
RIP: 0x555556c3047c (<xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x7ffff2a69358 ("/home/fuzz/Desktop/phpcrash/crash1.php")
R9 : 0x8 
R10: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
R11: 0x4 
R12: 0x2 
R13: 0x5555573d16c4 --> 0x676e696e726157 ('Warning')
R14: 0x5555573d63da --> 0x276e646c756f6300 ('')
R15: 0x7ffff2a91000 ("Use of undefined constant retu - assumed 'retu' (this will throw an Error in a future version of PHP)")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556c3046c <xbuf_format_converter+124>:	je     0x555556c308f8 <xbuf_format_converter+1288>
   0x555556c30472 <xbuf_format_converter+130>:	xchg   ax,ax
   0x555556c30474 <xbuf_format_converter+132>:	lea    rsp,[rsp-0x98]
=> 0x555556c3047c <xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx
   0x555556c30480 <xbuf_format_converter+144>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556c30485 <xbuf_format_converter+149>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556c3048a <xbuf_format_converter+154>:	mov    rcx,0x5422
   0x555556c30491 <xbuf_format_converter+161>:	call   0x555556c36d68 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556c3047c in xbuf_format_converter (xbuf=0x7fffff7ff5d0, is_char=0x1, 
    fmt=0x55555740ebe7 "%s\n%s: %s in %s on line %u\n%s", ap=0x7fffff7ff620)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/main/spprintf.c:237
237		while (*fmt) {
gdb-peda$ 


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 07:57 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 07:57 UTC] nikic@php.net
Standard "magic" recursion stack overflow, tracked at bug #64196.
 [2019-10-21 08:27 UTC] songmingxuan at cert dot org dot cn
I want to ask. Can I apply for CVE for this duplicate? Ha ha ha????
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 17:01:32 2024 UTC