Bug #70084 segfault (general protection fault) in sub_function (zend_operators.c:957)
Submitted: 2015-07-15 17:23 UTC Modified: 2015-07-16 07:38 UTC
From: brian dot carpenter at gmail dot com Assigned: bwoebi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-15 (Git) OS: Debian 7
Private report: No CVE-ID: None

 [2015-07-15 17:23 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) I came across this script that causes a segfault (GPF) in sub_function (zend_operators.c:957). It also crashes PHP 5.4.41-0+deb7u1 due to a null ptr deref. If I run afl-tmin on this test case, it produces a similar script to the one in Sec Bug #70083; however, this might be a different issue altogether.

3v4l.org throws this up for PHP 5.0.4:

Notice: Use of undefined constant Linteresting - assumed 'Linteresting' in /in/J4A60 on line 18

Fatal error: Unsupported operand types in /in/J4A60 on line 18
*** Error in `/bin/php-5.0.4': double free or corruption (fasttop): 0x0000000001e95f10 ***

Process exited with code 139.

Test script:
---------------
<?php

class wpq {
    private $unrenced;

    public functiOn __get($name) {
       return $this;~$name;
    }
}

function ret_assoc() {
    return array('foo' => 'bar);
$x = $wpq-Linteresti');
}

$wpq = new wpq;
$wpq->interesting =& ret_assoc();
$x = $wpq-Linteresting;
printf("%s\n", $x);

Expected result:
----------------
No crash.

Actual result:
--------------
Warning: Unexpected character in input:  '' (ASCII=17) state=0 in /home/geeknik/php-tmp/out/crashes/test89 on line 7
==11387== Invalid read of size 8
==11387==    at 0x15251FB: sub_function (zend_operators.c:957)
==11387==    by 0x181E7CA: ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (zend_vm_execute.h:37581)
==11387==    by 0x170A197: execute_ex (zend_vm_execute.h:409)
==11387==    by 0x18DD62A: zend_execute (zend_vm_execute.h:450)
==11387==    by 0x154769C: zend_execute_scripts (zend.c:1399)
==11387==    by 0x12F1217: php_execute_script (main.c:2475)
==11387==    by 0x18E44A4: do_cli (php_cli.c:971)
==11387==    by 0x4593A4: main (php_cli.c:1338)
==11387==  Address 0x7265746e694c2144 is not stack'd, malloc'd or (recently) free'd
==11387==
==11387==
==11387== Process terminating with default action of signal 11 (SIGSEGV)
==11387==  General Protection Fault
==11387==    at 0x15251FB: sub_function (zend_operators.c:957)
==11387==    by 0x181E7CA: ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (zend_vm_execute.h:37581)
==11387==    by 0x170A197: execute_ex (zend_vm_execute.h:409)
==11387==    by 0x18DD62A: zend_execute (zend_vm_execute.h:450)
==11387==    by 0x154769C: zend_execute_scripts (zend.c:1399)
==11387==    by 0x12F1217: php_execute_script (main.c:2475)
==11387==    by 0x18E44A4: do_cli (php_cli.c:971)
==11387==    by 0x4593A4: main (php_cli.c:1338)
Segmentation fault

Warning: Unexpected character in input:  '' (ASCII=17) state=0 in /home/geeknik/php-tmp/out/crashes/test89 on line 7

Program received signal SIGSEGV, Segmentation fault.
0x00000000015251fb in sub_function (result=0x7ffff6013130, op1=0x7ffff6013090, op2=op2@entry=0x7ffff6013120)
    at /home/geeknik/php-src/Zend/zend_operators.c:957
957                                             ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function);
(gdb) bt
#0  0x00000000015251fb in sub_function (result=0x7ffff6013130, op1=0x7ffff6013090,
    op2=op2@entry=0x7ffff6013120) at /home/geeknik/php-src/Zend/zend_operators.c:957
#1  0x000000000181e7cb in ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:37581
#2  0x000000000170a198 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:409
#3  0x00000000018dd62b in zend_execute (op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:450
#4  0x000000000154769d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1399
#5  0x00000000012f1218 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2475
#6  0x00000000018e44a5 in do_cli (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#7  0x00000000004593a5 in main (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x86     134
rbx            0x7ffff6013090   140737320661136
rcx            0x6      6
rdx            0x7ffff6013120   140737320661280
rsi            0x6      6
rdi            0x7ffff6013130   140737320661296
rbp            0x7ffff6013120   0x7ffff6013120
rsp            0x7fffffffac30   0x7fffffffac30
r8             0x8      8
r9             0x0      0
r10            0x7ffff60700a0   140737321042080
r11            0x7265746e694c2074       8243122710533382260
r12            0x7ffff6013130   140737320661296
r13            0x7fffffffac40   140737488333888
r14            0x1d26d94        30567828
r15            0x1d26dbc        30567868
rip            0x15251fb        0x15251fb <sub_function+4603>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
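To triage crashes like this one from a fuzzing campaign, the small parser below (example code added here, not part of the report or of php-src) reads the valgrind lines quoted above, extracts the top frame and checks whether the faulting address is made entirely of printable bytes, which is what you see when freed or string data gets dereferenced as a pointer. The sample input is constructed from the report's own valgrind lines.

```python
import re
from typing import Optional

# Constructed sample: the valgrind lines quoted in the bug report above.
SAMPLE = """\
==11387== Invalid read of size 8
==11387==    at 0x15251FB: sub_function (zend_operators.c:957)
==11387==    by 0x181E7CA: ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (zend_vm_execute.h:37581)
==11387==  Address 0x7265746e694c2144 is not stack'd, malloc'd or (recently) free'd
"""

FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(([^)]*)\)")
ADDR_RE = re.compile(r"^==\d+==\s+Address\s+0x([0-9A-Fa-f]+)\s+is\s+(.*)$")


def ascii_bytes(addr: int, width: int = 8) -> Optional[bytes]:
    """Return the address as memory-order bytes if every byte is printable ASCII.

    x86-64 is little-endian, so the low byte of the value is the first byte in
    memory.  A fault address that decodes cleanly to text is a strong hint that
    data (here resembling text from the fuzzed test script) was read as a pointer.
    """
    raw = addr.to_bytes(width, "little")
    return raw if all(0x20 <= b < 0x7F for b in raw) else None


def triage(report: str) -> dict:
    """Pull the first stack frame and the faulting address out of valgrind output."""
    frames = []
    addr = None
    status = None
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))  # (function, file:line)
            continue
        m = ADDR_RE.match(line)
        if m:
            addr = int(m.group(1), 16)
            status = m.group(2)  # e.g. "not stack'd, malloc'd or (recently) free'd"
    text = ascii_bytes(addr) if addr is not None else None
    return {
        "top_frame": frames[0] if frames else None,
        "fault_addr": addr,
        "addr_status": status,
        "looks_like_text": text.decode("ascii") if text else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "wild" address that valgrind cannot attribute to any stack or heap block, combined with printable bytes, points at a dangling or corrupted pointer rather than a simple NULL dereference, which is consistent with the maintainer's note below that the object was freed too early.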


History

 [2015-07-16 06:05 UTC] laruence@php.net
this is not reproducible after #70083 is fixed.
 [2015-07-16 06:05 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-07-16 06:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-07-16 07:38 UTC] bwoebi@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: bwoebi
 [2015-07-16 07:38 UTC] bwoebi@php.net
No, that's just the same origin.
The bug had caused $this/$wpq to be freed too early… and hence everything that accesses it next will crash.
 
Last updated: Wed Jul 02 07:01:33 2025 UTC