|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2015-11-11 20:51 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Nov 8 2015 21:18:49) ( NTS ), I found a script that triggers a null ptr deref and subsequent segfault in xbuf_format_converter at spprintf.c:744.
Test script:
---------------
<?function i(){(0);}function m($f,$a){return array_map($f,0);}echo implode(m("",m("",("i"("",m("%n",("")))))));
Expected result:
----------------
No crash. PHP 5.4.45-0+deb7u2 (cli) (built: Oct 17 2015 08:26:31) returns the following:
PHP Parse error: syntax error, unexpected '(' in /home/geeknik/php-tmp/out/crashes/test00 on line 1
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000001327717 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa790,
is_char=is_char@entry=1 '\001', fmt=0x7ffff6073343 "n' not found or invalid function name",
ap=0x7fffffffa8f0) at /home/geeknik/php-src/main/spprintf.c:744
744 *(va_arg(ap, int *)) = is_char? (int)((smart_string *)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) bt
#0 0x0000000001327717 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa790,
is_char=is_char@entry=1 '\001', fmt=0x7ffff6073343 "n' not found or invalid function name",
ap=0x7fffffffa8f0) at /home/geeknik/php-src/main/spprintf.c:744
#1 0x000000000132b5fc in vspprintf (pbuf=pbuf@entry=0x7fffffffa7f0, max_len=1024, format=<optimized out>,
ap=<optimized out>) at /home/geeknik/php-src/main/spprintf.c:847
#2 0x000000000043c935 in php_error_cb (type=2,
error_filename=0x7ffff6070068 "/home/geeknik/php-tmp/out/crashes/test00", error_lineno=1,
format=<optimized out>, args=<optimized out>) at /home/geeknik/php-src/main/main.c:965
#3 0x0000000000446719 in zend_error (type=type@entry=2,
format=0x7ffff6073300 "array_map() expects parameter 1 to be a valid callback, function '%n' not found or invalid function name") at /home/geeknik/php-src/Zend/zend.c:1164
#4 0x0000000000447c6c in zend_internal_type_error (throw_exception=0 '\000',
format=format@entry=0x1d43cd0 "%s%s%s() expects parameter %d to be a valid callback, %s")
at /home/geeknik/php-src/Zend/zend.c:1349
#5 0x0000000000448e74 in zend_wrong_callback_error (severity=severity@entry=2, num=num@entry=1,
error=0x7ffff60700a0 "function '%n' not found or invalid function name")
at /home/geeknik/php-src/Zend/zend_API.c:246
#6 0x00000000010cf5c7 in zif_array_map (execute_data=0x7ffff6013380, return_value=0x7ffff6013370)
at /home/geeknik/php-src/ext/standard/array.c:5223
#7 0x0000000001793dd9 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7ffff60132f0)
at /home/geeknik/php-src/Zend/zend_vm_execute.h:586
#8 0x00000000017214c8 in execute_ex (ex=<optimized out>)
at /home/geeknik/php-src/Zend/zend_vm_execute.h:417
#9 0x00000000018f706b in zend_execute (op_array=op_array@entry=0x7ffff607f000,
return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:458
#10 0x00000000015654a1 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1428
#11 0x00000000013174b8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
at /home/geeknik/php-src/main/main.c:2471
#12 0x00000000018ff055 in do_cli (argc=2, argv=0x20789e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#13 0x0000000000468e35 in main (argc=2, argv=0x20789e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
%%%
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164CB0E: zend_register_default_exception (zend_exceptions.c:862)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164CB0E: zend_register_default_exception (zend_exceptions.c:862)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164CF8D: zend_register_default_exception (zend_exceptions.c:880)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164CF8D: zend_register_default_exception (zend_exceptions.c:880)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D14F: zend_register_default_exception (zend_exceptions.c:884)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D14F: zend_register_default_exception (zend_exceptions.c:884)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D31E: zend_register_default_exception (zend_exceptions.c:888)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D31E: zend_register_default_exception (zend_exceptions.c:888)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D4EA: zend_register_default_exception (zend_exceptions.c:892)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x164D4EA: zend_register_default_exception (zend_exceptions.c:892)
==12033== by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x16A351C: zend_register_generator_ce (zend_generators.c:1124)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033== at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033== by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033== by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033== by 0x16A351C: zend_register_generator_ce (zend_generators.c:1124)
==12033== by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033== by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033== by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033== by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033== by 0x1314CE9: php_module_startup (main.c:2194)
==12033== by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033== by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Invalid write of size 4
==12033== at 0x1327717: xbuf_format_converter (spprintf.c:744)
==12033== by 0x132B5FB: vspprintf (spprintf.c:847)
==12033== by 0x43C934: php_error_cb (main.c:965)
==12033== by 0x446718: zend_error (zend.c:1164)
==12033== by 0x447C6B: zend_internal_type_error (zend.c:1349)
==12033== by 0x448E73: zend_wrong_callback_error (zend_API.c:246)
==12033== by 0x10CF5C6: zif_array_map (array.c:5223)
==12033== by 0x1793DD8: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==12033== by 0x17214C7: execute_ex (zend_vm_execute.h:417)
==12033== by 0x18F706A: zend_execute (zend_vm_execute.h:458)
==12033== by 0x15654A0: zend_execute_scripts (zend.c:1428)
==12033== by 0x13174B7: php_execute_script (main.c:2471)
==12033== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12033==
==12033==
==12033== Process terminating with default action of signal 11 (SIGSEGV)
==12033== Access not within mapped region at address 0x0
==12033== at 0x1327717: xbuf_format_converter (spprintf.c:744)
==12033== by 0x132B5FB: vspprintf (spprintf.c:847)
==12033== by 0x43C934: php_error_cb (main.c:965)
==12033== by 0x446718: zend_error (zend.c:1164)
==12033== by 0x447C6B: zend_internal_type_error (zend.c:1349)
==12033== by 0x448E73: zend_wrong_callback_error (zend_API.c:246)
==12033== by 0x10CF5C6: zif_array_map (array.c:5223)
==12033== by 0x1793DD8: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==12033== by 0x17214C7: execute_ex (zend_vm_execute.h:417)
==12033== by 0x18F706A: zend_execute (zend_vm_execute.h:458)
==12033== by 0x15654A0: zend_execute_scripts (zend.c:1428)
==12033== by 0x13174B7: php_execute_script (main.c:2471)
==12033== If you believe this happened as a result of a stack
==12033== overflow in your program's main thread (unlikely but
==12033== possible), you can try to increase the size of the
==12033== main thread stack using the --main-stacksize= flag.
==12033== The main thread stack size used in this run was 8388608.
Segmentation fault
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Jan 31 14:01:29 2025 UTC |
Or more simply, array_map("%n", 0). Affects 7.0 as well. https://3v4l.org/WEBmg