Bug #69905 null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER
Submitted: 2015-06-23 06:58 UTC Modified: 2015-06-23 12:11 UTC
From: brian dot carpenter at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-06-23 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-06-23 06:58 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7 built from git source with AFL (http://lcamtuf.coredump.cx/afl/), I discovered a script that causes a null ptr deref and a segfault at ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (zend_vm_execute.h:19170).

Test script:
---------------
<?md5(0)[]--;

Expected result:
----------------
No crash. PHP 5.4.41-0+deb7u1 (cli) (built: May 22 2015 12:49:18) fails with the following:
PHP Warning:  md5() expects at least 1 parameter, 0 given in /home/geeknik/tmp/test.php on line 1

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
19170                   EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
(gdb) bt
#0  0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
#1  0x0000000001703548 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#2  0x00000000018d3c0b in zend_execute (
    op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:447
#3  0x000000000154068d in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1389
#4  0x00000000012efaf8 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2475
#5  0x00000000018daa85 in do_cli (argc=2, argv=0x20509f0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:967
#6  0x0000000000458c15 in main (argc=2, argv=0x20509f0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1334
(gdb) i r
rax            0x0      0
rbx            0x7ffff6013030   140737320661040
rcx            0xc      12
rdx            0x1d19a40        30513728
rsi            0x14     20
rdi            0x7ffff60130a0   140737320661152
rbp            0x7ffff6013090   0x7ffff6013090
rsp            0x7fffffffacc0   0x7fffffffacc0
r8             0x0      0
r9             0x7ffff6070140   140737321042240
r10            0x7ffff606a040   140737321017408
r11            0x1      1
r12            0x7ffff6073480   140737321055360
r13            0x0      0
r14            0x0      0
r15            0x7ffff607f000   140737321103360
rip            0x187175b        0x187175b <ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER+1595>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
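The transcript above is the kind of artifact an AFL campaign produces by the hundred, and the first job is to bucket and classify it. As an added example (not part of the bug report or of php-src), the following Python parses a pasted gdb session into a crash bucket (top frame plus file:line, the usual key for de-duplicating fuzzer crashes) and applies a heuristic null-pointer-dereference verdict from the register dump. The embedded input is the report's own transcript, trimmed to the banner, four frames and a few registers. The heuristic (a SIGSEGV with a zeroed general-purpose register) is an assumption of this example; in a live gdb session you would read the fault address from `$_siginfo` instead.

```python
"""Bucket and classify a gdb crash transcript (added example, not php-src code)."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Input: the gdb session from bug #69905 above, trimmed for brevity.
SAMPLE_GDB = """\
Program received signal SIGSEGV, Segmentation fault.
0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
19170                   EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
(gdb) bt
#0  0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
#1  0x0000000001703548 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#2  0x00000000018d3c0b in zend_execute (
    op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:447
#3  0x000000000154068d in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1389
(gdb) i r
rax            0x0      0
rbx            0x7ffff6013030   140737320661040
rcx            0xc      12
rdx            0x1d19a40        30513728
rsi            0x14     20
rdi            0x7ffff60130a0   140737320661152
r8             0x0      0
r13            0x0      0
r14            0x0      0
rip            0x187175b        0x187175b <ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER+1595>
"""

SIGNAL_RE = re.compile(r"^Program received signal (\w+)")
SRC_RE = re.compile(r"^(\d+)\s+(.*)$")                      # "19170   <source line>"
FRAME_START_RE = re.compile(r"^#(\d+)\s+")
FRAME_FUNC_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([\w:~<>]+)\s*\(")
LOC_RE = re.compile(r"\bat\s+([^\s:]+):(\d+)")
REG_RE = re.compile(r"^([a-z][a-z0-9]*)\s+(0x[0-9a-fA-F]+)")
# x86-64 general-purpose registers that can act as a base pointer.
GP_REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
           "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str] = None
    line: Optional[int] = None


@dataclass
class CrashReport:
    signal: Optional[str] = None
    faulting_line: Optional[int] = None
    faulting_source: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    registers: Dict[str, int] = field(default_factory=dict)

    def bucket(self) -> str:
        """Top frame plus basename:line, the key used to group duplicate crashes."""
        top = self.frames[0]
        where = f"{os.path.basename(top.file)}:{top.line}" if top.file else "?"
        return f"{top.function}@{where}"

    def null_candidates(self) -> List[str]:
        """Registers holding 0 at the fault: plausible NULL base pointers (heuristic)."""
        return [r for r in GP_REGS if self.registers.get(r) == 0]

    def looks_like_null_deref(self) -> bool:
        return self.signal == "SIGSEGV" and bool(self.null_candidates())


def _parse_frame(joined: str) -> Frame:
    m = FRAME_FUNC_RE.match(joined)
    if not m:
        raise ValueError(f"unrecognised frame: {joined!r}")
    frame = Frame(index=int(m.group(1)), function=m.group(2))
    loc = LOC_RE.search(joined)
    if loc:
        frame.file, frame.line = loc.group(1), int(loc.group(2))
    return frame


def parse_gdb_transcript(text: str) -> CrashReport:
    """Walk the transcript, switching mode on '(gdb) bt' and '(gdb) i r'."""
    report = CrashReport()
    section = "banner"
    pending: List[str] = []              # continuation lines of the current frame

    def flush() -> None:
        if pending:
            report.frames.append(_parse_frame(" ".join(pending)))
            pending.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("(gdb)"):
            flush()
            cmd = line[len("(gdb)"):].strip()
            section = {"bt": "bt", "i r": "regs", "info registers": "regs"}.get(cmd, "other")
            continue
        if section == "banner":
            m = SIGNAL_RE.match(line)
            if m:
                report.signal = m.group(1)
                continue
            m = SRC_RE.match(line)
            if m:
                report.faulting_line = int(m.group(1))
                report.faulting_source = m.group(2).strip()
        elif section == "bt":
            if FRAME_START_RE.match(line):
                flush()
                pending.append(line.strip())
            elif pending:
                pending.append(line.strip())
        elif section == "regs":
            m = REG_RE.match(line)
            if m:
                report.registers[m.group(1)] = int(m.group(2), 16)
    flush()
    return report


if __name__ == "__main__":
    r = parse_gdb_transcript(SAMPLE_GDB)
    print(r.signal, r.bucket(), r.null_candidates(), r.looks_like_null_deref())
```

The bucket key groups every AFL input that dies at the same handler and line; the register check only flags that a NULL base pointer is plausible (here rax, r8, r13 and r14 are all zero), which is a prompt to confirm with `p $_siginfo._sifields._sigfault.si_addr` before filing, not a proof of the root cause.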

History
 [2015-06-23 12:11 UTC] tyrael@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: dmitry
 [2015-06-23 12:11 UTC] tyrael@php.net
dmitry, could you look into this please?
 [2015-06-23 13:32 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
 [2015-06-23 13:32 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.