Bug #70089 segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
Submitted: 2015-07-17 05:14 UTC Modified: 2015-07-17 08:00 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-17 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-17 05:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: July 15 2015 16:00:56) with AFL (http://lcamtuf.coredump.cx/afl/), I found this script that segfaults at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (). Most likely a null ptr dereference.

Test script:
---------------
<?php
$a=ptr00tr();[];function ptr00tr(){for(;;){$o=chr(0)[0][]=0;}}

Expected result:
----------------
PHP 5.4.41-0+deb7u1 returns PHP Fatal error: Cannot use string offset as an array in test00-min on line 2.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
(gdb) bt
#0  0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
#1  0x00000000015dc493 in execute_ex ()
#2  0x00000000017fdee5 in zend_execute ()
#3  0x000000000141373c in zend_execute_scripts ()
#4  0x00000000011bf190 in php_execute_script ()
#5  0x0000000001805679 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#6  0x000000000043e2f1 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0	0
rbx            0x7ffff6013130	140737320661296
rcx            0x1	1
rdx            0x7ffff60554c0	140737320932544
rsi            0x7ffff6013140	140737320661312
rdi            0x4	4
rbp            0x7fffffffcfa0	0x7fffffffcfa0
rsp            0x7fffffffa920	0x7fffffffa920
r8             0x1fd37c0	33372096
r9             0x80	128
r10            0x0	0
r11            0x0	0
r12            0x7ffff60020f0	140737320591600
r13            0x1fd4820	33376288
r14            0x7ffff60130c0	140737320661184
r15            0x7ffff6086220	140737321132576
rip            0x1657b93	0x1657b93 <ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER+1267>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

 [2015-07-17 05:29 UTC] brian dot carpenter at gmail dot com
Valgrind was delayed due to having to compile a new version to get an accurate read on things:

==4945== Invalid read of size 4
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==4945== 
==4945== 
==4945== Process terminating with default action of signal 11 (SIGSEGV)
==4945==  Access not within mapped region at address 0x8
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  If you believe this happened as a result of a stack
==4945==  overflow in your program's main thread (unlikely but
==4945==  possible), you can try to increase the size of the
==4945==  main thread stack using the --main-stacksize= flag.
==4945==  The main thread stack size used in this run was 8388608.
Segmentation fault
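The Valgrind trace above is what backs the submitter's "null ptr dereference" guess: the faulting address is 0x8, and a read a few bytes above address zero is a field access through a NULL struct pointer, not a corrupted heap or stack address. As an added example (not code from this report or from php-src), the following Python parser does that triage mechanically for a batch of fuzzer crashes: it pulls the first invalid access, its innermost frame and the faulting address out of a Valgrind log and assigns a bug class. The first sample log is the report's own trace; the second log, the names example_func/example.c, and the 4096-byte "null page" threshold are constructed for illustration. The classifier goes beyond this report by also labelling use-after-free and heap out-of-bounds faults from the wording Valgrind uses for them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input 1: the relevant Valgrind lines from the report above.
VALGRIND_NULL_DEREF = """\
==4945== Invalid read of size 4
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==4945==
==4945== Process terminating with default action of signal 11 (SIGSEGV)
"""

# Sample input 2: a constructed log (not from the report) in the form Valgrind
# uses for a write into a freed heap block.
VALGRIND_UAF = """\
==1234== Invalid write of size 8
==1234==    at 0x400ABC: example_func (example.c:42)
==1234==    by 0x400123: main (example.c:10)
==1234==  Address 0x5204040 is 0 bytes inside a block of size 32 free'd
"""

# Assumption: the lowest page of the address space is unmapped, so a fault
# below this address is NULL plus a small struct-field offset.
NULL_PAGE_LIMIT = 4096

INVALID_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \(([^)]*)\)\s*$")
ADDRESS_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+?)\s*$")


@dataclass
class CrashTriage:
    access: str      # "read" or "write"
    size: int        # bytes accessed
    address: int     # faulting address
    function: str    # innermost frame of the faulting access
    location: str    # file:line of that frame
    category: str    # null-deref / use-after-free / heap-out-of-bounds / wild-pointer


def classify(address: int, description: str) -> str:
    """Map Valgrind's description of the faulting address to a bug class."""
    if "inside a block" in description and "free'd" in description:
        return "use-after-free"
    if re.search(r"bytes (?:after|before) a block", description):
        return "heap-out-of-bounds"
    if address < NULL_PAGE_LIMIT:
        return "null-deref"
    return "wild-pointer"


def triage(valgrind_output: str) -> Optional[CrashTriage]:
    """Parse the first invalid access in a Valgrind log; None if there is none."""
    access = size = function = location = None
    for line in valgrind_output.splitlines():
        if access is None:
            m = INVALID_RE.match(line)
            if m:
                access, size = m.group(1), int(m.group(2))
            continue
        if function is None:
            # The first "at" frame after the access line is the faulting frame.
            m = FRAME_RE.match(line)
            if m:
                function, location = m.group(2), m.group(3)
            continue
        m = ADDRESS_RE.match(line)
        if m:
            address = int(m.group(1), 16)
            return CrashTriage(access, size, address, function, location,
                               classify(address, m.group(2)))
    return None


if __name__ == "__main__":
    for log in (VALGRIND_NULL_DEREF, VALGRIND_UAF):
        t = triage(log)
        print(f"{t.category:19} {t.access} of {t.size} bytes at 0x{t.address:x} "
              f"in {t.function} ({t.location})")
```

Run over the report's trace this yields `null-deref read of 4 bytes at 0x8 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)`, which is the one-line summary a triager wants before deciding whether a crash is a plain NULL dereference (a denial-of-service-class bug, as here) or a memory-safety bug that needs closer attention.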
 [2015-07-17 08:00 UTC] laruence@php.net
-Summary: segfault in PHP 7 at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER () +Summary: segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
 [2015-07-17 08:01 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2015-07-17 08:01 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 