Bug #70124 null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER
Submitted: 2015-07-24 02:29 UTC Modified: 2015-07-24 07:13 UTC
From: brian dot carpenter at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-24 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-24 02:29 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (built: Jul 22 2015 05:00:40), I found a script that causes a null ptr deref / segfault.

Test script:
---------------
<?echo base_convert([array_search(0,0,0,0,0,y())],0);

Expected result:
----------------
PHP 5.4.41-0+deb7u1 fails with:
PHP Fatal error:  Call to undefined function y() in /home/geeknik/tmp/test.php on line 1

Actual result:
--------------
==6717== Invalid read of size 4
==6717==    at 0x18D01C0: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_execute.h:247)
==6717==    by 0x1709D57: execute_ex (zend_vm_execute.h:409)
==6717==    by 0x18DD5AA: zend_execute (zend_vm_execute.h:450)
==6717==    by 0x1546F8C: zend_execute_scripts (zend.c:1399)
==6717==    by 0x12F3B57: php_execute_script (main.c:2475)
==6717==    by 0x18E4424: do_cli (php_cli.c:971)
==6717==    by 0x4593D4: main (php_cli.c:1338)
==6717==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6717==
==6717==
==6717== Process terminating with default action of signal 11 (SIGSEGV)
==6717==  Access not within mapped region at address 0x0
==6717==    at 0x18D01C0: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_execute.h:247)
==6717==    by 0x1709D57: execute_ex (zend_vm_execute.h:409)
==6717==    by 0x18DD5AA: zend_execute (zend_vm_execute.h:450)
==6717==    by 0x1546F8C: zend_execute_scripts (zend.c:1399)
==6717==    by 0x12F3B57: php_execute_script (main.c:2475)
==6717==    by 0x18E4424: do_cli (php_cli.c:971)
==6717==    by 0x4593D4: main (php_cli.c:1338)
==6717==  If you believe this happened as a result of a stack
==6717==  overflow in your program's main thread (unlikely but
==6717==  possible), you can try to increase the size of the
==6717==  main thread stack using the --main-stacksize= flag.
==6717==  The main thread stack size used in this run was 8388608.
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
zend_vm_stack_free_args (call=0x7ffff60130d0)
    at /home/geeknik/php-src/Zend/zend_execute.h:247
247                                     if (!Z_DELREF_P(p)) {
(gdb) bt
#0  zend_vm_stack_free_args (call=0x7ffff60130d0)
    at /home/geeknik/php-src/Zend/zend_execute.h:247
#1  i_cleanup_unfinished_execution (catch_op_num=0, op_num=7,
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_execute.c:2481
#2  ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:1515
#3  0x0000000001709d58 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:409
#4  0x00000000018dd5ab in zend_execute (
    op_array=op_array@entry=0x7ffff607e000,
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:450
#5  0x0000000001546f8d in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1399
#6  0x00000000012f3b58 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffd280)
    at /home/geeknik/php-src/main/main.c:2475
#7  0x00000000018e4425 in do_cli (argc=2, argv=0x205b9e0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#8  0x00000000004593d5 in main (argc=2, argv=0x205b9e0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0xc08    3080
rbx            0x7ffff6013170   140737320661360
rcx            0x18d0055        26017877
rdx            0x2091ad0        34151120
rsi            0x1d2d074        30593140
rdi            0x0      0
rbp            0x50     0x50
rsp            0x7fffffffac70   0x7fffffffac70
r8             0x7ffff6013180   140737320661376
r9             0x4      4
r10            0x0      0
r11            0x2056fa0        33910688
r12            0x7ffff60130d0   140737320661200
r13            0x7ffff60660c0   140737321001152
r14            0x7ffff6013030   140737320661040
r15            0x7ffff6013130   140737320661296
rip            0x18d01c0        0x18d01c0 <ZEND_HANDLE_EXCEPTION_SPEC_HANDLER+16128>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


History

 [2015-07-24 07:13 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-07-24 07:13 UTC] laruence@php.net
confirm this bug
 [2015-07-24 08:21 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
 [2015-07-24 08:21 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0f1e87d9c18c52f91cb64267114267d239ad3488
Log: Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)