PHP :: Bug #80244 :: SEGV in zend_gc

Bug #80244

SEGV in zend_gc_delref()

Submitted:

2020-10-16 03:21 UTC

Modified:

2021-12-14 14:14 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

sanjeev dot das at ibm dot com

Assigned:

Status:

Open

Package:

Scripting Engine problem

PHP Version:

8.0.0rc1

OS:

18.04.4 LTS

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	sanjeev dot das at ibm dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2020-10-16 03:21 UTC] sanjeev dot das at ibm dot com

Description:
------------
php(cli) triggers segmentation fault with a crafted php file. The input triggers out of bounds read in zend_string_release_ex(). Address sanitizer also shows the crash caused by invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DOS. 
========================
Command : php -f crash_1.php (shown below)
 
Addrsan logs:
-----------------
Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0)
==57581==The signal is caused by a READ memory access.
    #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2
    #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8
    #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2
    #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3
    #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2
    #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3
    #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3
    #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2
    #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2
    #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3
    #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18
    #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref
==57581==ABORTING
====================================

Test script:
---------------
<?php
$name = 'a';
for ($i = 0; $i < 100000; $i++) {
    if ($name .= 'i') {
        $$name =& $GLOBALS;
    }
    $name++;
}
?>

Expected result:
----------------
Should not seg fault.

Actual result:
--------------
Segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-10-16 08:31 UTC] stas@php.net

-Type: Security +Type: Bug

[2021-12-14 14:14 UTC] cmb@php.net

-Package: CGI/CLI related +Package: Scripting Engine problem

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 14:01:32 2024 UTC