Bug #71045 zend_mm_alloc_small crashes with zend_string_alloc
Submitted: 2015-12-06 20:52 UTC Modified: 2015-12-08 04:28 UTC
From: kak dot serpom dot po dot yaitsam at gmail dot com Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 7.0.0 OS: CentOS
Private report: No CVE-ID: None
 [2015-12-06 20:52 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
Description:
------------
A segmentation fault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fe57c0 (LWP 81104)]
zend_mm_alloc_small (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
Missing separate debuginfos, use: debuginfo-install libidn-1.18-2.el6.x86_64 libssh2-1.4.2-2.el6.x86_64
(gdb) bt
#0  zend_mm_alloc_small (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1358
#2  _emalloc (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:2442
#3  0x00000000005ac391 in zend_string_alloc (zendlval=0x7fffffffa3a0) at /usr/src/debug/php-7.0.0/Zend/zend_string.h:121
#4  zend_string_init (zendlval=0x7fffffffa3a0) at /usr/src/debug/php-7.0.0/Zend/zend_string.h:157
#5  lex_scan (zendlval=0x7fffffffa3a0) at Zend/zend_language_scanner.l:1310
#6  0x00000000005c0701 in zendlex (elem=0x7ffffffface0) at /usr/src/debug/php-7.0.0/Zend/zend_compile.c:1573
#7  0x00000000005a29ea in zendparse () at /usr/src/debug/php-7.0.0/Zend/zend_language_parser.c:4207
#8  0x00000000005a6f0d in compile_file (file_handle=<value optimized out>, type=<value optimized out>) at Zend/zend_language_scanner.l:591
#9  0x00000000005ce772 in dtrace_compile_file (file_handle=0x7fffffffb0c0, type=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:50
#10 0x00007fffea6ed72f in phar_compile_file (file_handle=0x7fffffffb0c0, type=2) at /usr/src/debug/php-7.0.0/ext/phar/phar.c:3311
#11 0x00000000005a64ef in compile_filename (type=2, filename=0x7ffff4616930) at Zend/zend_language_scanner.l:647
#12 0x000000000066021a in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7ffff46168d0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:29114
#13 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#14 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff46168d0) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#15 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616820) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#16 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#17 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616820) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#18 0x00000000005d0ce8 in zend_call_function (fci=0x7fffffffb4d0, fci_cache=0x7fffffffb520) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:854
#19 0x00000000005fb0f7 in zend_call_method (object=0x7ffff46a02a8, obj_ce=<value optimized out>, fn_proxy=<value optimized out>,
    function_name=0x7ffff46cbdd8 "composer\\autoload\\classloader::loadclass\001", function_name_len=<value optimized out>, retval_ptr=0x0, param_count=1, arg1=0x7ffff4616810,
    arg2=0x0) at /usr/src/debug/php-7.0.0/Zend/zend_interfaces.c:104
#20 0x00000000004ec700 in zif_spl_autoload_call (execute_data=<value optimized out>, return_value=<value optimized out>) at /usr/src/debug/php-7.0.0/ext/spl/php_spl.c:425
#21 0x00000000005ce4f9 in dtrace_execute_internal (execute_data=<value optimized out>, return_value=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:107
#22 0x00000000005d1133 in zend_call_function (fci=0x7fffffffb770, fci_cache=0x7fffffffb7c0) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:875
#23 0x00000000005d1410 in zend_lookup_class_ex (name=<value optimized out>, key=0x0, use_autoload=<value optimized out>)
    at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:1036
#24 0x00000000005d1791 in zend_fetch_class (class_name=0x7ffff4719090, fetch_type=512) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:1361
#25 0x000000000062ac75 in ZEND_FETCH_CLASS_SPEC_CV_HANDLER (execute_data=0x7ffff46164b0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:2332
#26 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#27 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff46164b0) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#28 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616210) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#29 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#30 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616210) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#31 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616170) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#32 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#33 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616170) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#34 0x0000000000660a87 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0x7ffff46160e0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:40602
#35 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
---Type <return> to continue, or q <return> to quit---

 [2015-12-06 21:41 UTC] danack@php.net
Please can you provide more information about how to reproduce this issue?
 [2015-12-06 22:20 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
I managed to compile reproduction code, but it discloses some parts of our project, so I have to hold it until my employer decides. I will talk to him tomorrow. Is it possible to share the code with someone competent in private?
 [2015-12-07 01:26 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2015-12-07 01:26 UTC] laruence@php.net
You can send it to me via mail, or if it's possible, you can grant me ssh access to the box which can reproduce this.
 [2015-12-07 01:30 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
-Status: Feedback +Status: Assigned
 [2015-12-07 01:30 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
laruence@php.net, I've just sent you the code. Can you reproduce the bug?
 [2015-12-07 03:40 UTC] laruence@php.net
-Package: *General Issues +Package: yaml -Assigned To: laruence +Assigned To:
 [2015-12-07 03:40 UTC] laruence@php.net
It turns out it's a yaml issue; valgrind report:

$ USE_ZEND_ALLOC=0 valgrind php7 crash.php
==19581== Memcheck, a memory error detector
==19581== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==19581== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==19581== Command: php7 crash.php
==19581==
==19581== Invalid read of size 2
==19581==    at 0xA04C36: gc_check_possible_root (zend_gc.h:135)
==19581==    by 0xA04CB4: i_zval_ptr_dtor (zend_variables.h:60)
==19581==    by 0xA08B4D: zend_array_destroy (zend_hash.c:1305)
==19581==    by 0x9F04FE: _zval_dtor_func_for_ptr (zend_variables.c:96)
==19581==    by 0x9D97E5: i_zval_ptr_dtor (zend_variables.h:58)
==19581==    by 0x9DB156: _zval_ptr_dtor (zend_execute_API.c:527)
==19581==    by 0xF71A243: handle_document (parse.c:352)
==19581==    by 0xF719E2B: php_yaml_read_partial (parse.c:175)
==19581==    by 0xF718E1C: zif_yaml_parse_file (yaml.c:469)
==19581==    by 0xA509F2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:714)
==19581==    by 0xA4FE15: execute_ex (zend_vm_execute.h:417)
==19581==    by 0xA4FF3F: zend_execute (zend_vm_execute.h:458)
==19581==  Address 0x14b40966 is 6 bytes inside a block of size 56 free'd
==19581==    at 0x4C27430: free (vg_replace_malloc.c:446)
==19581==    by 0x9C06D1: _efree (zend_alloc.c:2453)
==19581==    by 0xA08C85: zend_array_destroy (zend_hash.c:1327)
==19581==    by 0x9F04FE: _zval_dtor_func_for_ptr (zend_variables.c:96)
==19581==    by 0x9D97E5: i_zval_ptr_dtor (zend_variables.h:58)
==19581==    by 0x9DB156: _zval_ptr_dtor (zend_execute_API.c:527)
==19581==    by 0xF71A757: handle_mapping (parse.c:424)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)
==19581==    by 0xF71A46D: handle_mapping (parse.c:390)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)
==19581==    by 0xF71A46D: handle_mapping (parse.c:390)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)

thanks
 [2015-12-07 03:46 UTC] laruence@php.net
Please try this quick fix:

diff -u yaml-2.0.0RC5/parse.c yaml-2.0.0RC5-old/parse.c
--- yaml-2.0.0RC5/parse.c	2015-10-18 04:54:05.000000000 +0800
+++ yaml-2.0.0RC5-old/parse.c	2015-12-07 11:45:15.563379173 +0800
@@ -398,21 +398,21 @@
 		}

 		if (Z_ISREF_P(&value)) {
-			value = *Z_REFVAL_P(&value);
+			ZVAL_COPY_VALUE(&value, Z_REFVAL(value));
 		}

 		/* check for '<<' and handle merge */
 		if (key_event.type == YAML_SCALAR_EVENT &&
 				IS_NOT_QUOTED_OR_TAG_IS(key_event, YAML_MERGE_TAG) &&
 				STR_EQ("<<", key_str) &&
-				Z_TYPE_P(&value) == IS_ARRAY) {
+				Z_TYPE(value) == IS_ARRAY) {
 			/* zend_hash_merge */
 			/*
 			 * value is either a single ref or a simple array of refs
 			 */
 			if (YAML_ALIAS_EVENT == state->event.type) {
 				/* single ref */
-				zend_hash_merge(Z_ARRVAL_P(retval), Z_ARRVAL_P(&value), zval_add_ref, 0);
+				zend_hash_merge(Z_ARRVAL_P(retval), Z_ARRVAL(value), zval_add_ref, 0);
 			} else {
 				zval *zvalp;
 				ZEND_HASH_FOREACH_VAL(HASH_OF(&value), zvalp) {
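Review bot: the three replacements in this hunk (`ZVAL_COPY_VALUE(&value, Z_REFVAL(value))` for the struct assignment, and `Z_TYPE(value)` / `Z_ARRVAL(value)` for the `_P(&value)` forms) are functionally equivalent to what they replace and read as a style cleanup; neither the old nor the new form takes a reference on the dereferenced value or releases the zend_reference wrapper, so a one-line comment stating who owns `value` after the `Z_ISREF_P` block would help the next reader check it against the `zval_ptr_dtor(&value)` and `add_assoc_zval` paths that follow.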
@@ -424,6 +424,7 @@
 			zval_ptr_dtor(&value);
 		} else {
 			/* add key => value to retval */
+			Z_TRY_ADDREF_P(&value);
 			add_assoc_zval(retval, key_str, &value);
 		}
 		efree(key_str);
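Review bot: the added `Z_TRY_ADDREF_P(&value)` is the substantive fix here: `add_assoc_zval` stores the zval into `retval` without incrementing its refcount, so without that extra reference the array stored here can be freed by the `zval_ptr_dtor(&value)` at the top of this hunk (old line 424, the `handle_mapping (parse.c:424)` frame in the valgrind output above) when the same anchored value is merged later, leaving `retval` with a dangling pointer that is then read when the document is destroyed. Suggest a short comment on why the reference is taken in this branch while the merge branch still calls `zval_ptr_dtor(&value)`, since the asymmetry is deliberate and easy to "fix" back.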
Only in yaml-2.0.0RC5-old/: parse.lo
Only in yaml-2.0.0RC5-old/: run-tests.php
Common subdirectories: yaml-2.0.0RC5/tests and yaml-2.0.0RC5-old/tests
diff -u yaml-2.0.0RC5/yaml.c yaml-2.0.0RC5-old/yaml.c
--- yaml-2.0.0RC5/yaml.c	2015-10-18 04:54:05.000000000 +0800
+++ yaml-2.0.0RC5-old/yaml.c	2015-12-07 11:33:36.508438745 +0800
@@ -411,7 +411,7 @@
 PHP_FUNCTION(yaml_parse_file)
 {
 	char *filename = { 0 };
-	int filename_len = 0;
+	size_t filename_len = 0;
 	zend_long pos = 0;
 	zval *zndocs = { 0 };
 	zval *zcallbacks = { 0 };
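Review bot: `int` to `size_t` for `filename_len` is required, not cosmetic: in PHP 7 `zend_parse_parameters` writes a `size_t` through the pointer supplied for a `p`/`s` length (the call itself is outside this hunk), so an `int` on a 64-bit build has 4 bytes written past the variable into whatever the compiler placed next on the stack. Suggest auditing the other `PHP_FUNCTION`s in yaml.c for the same `int ..._len` declaration, since this hunk only covers `yaml_parse_file`.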



thanks
 [2015-12-07 03:48 UTC] laruence@php.net
-Assigned To: +Assigned To: bd808
 [2015-12-08 03:59 UTC] sean at siobud dot com
This was already fixed upstream:

https://github.com/php/pecl-file_formats-yaml/commit/39642ce370f3bce7f4d4c96dd9cad31653e09a80

Try building the php7 branch, and that should fix your issue.
 [2015-12-08 04:28 UTC] bd808@php.net
-Status: Assigned +Status: Closed
 [2015-12-08 04:28 UTC] bd808@php.net
Suggested changes not included in Sean's patch were added in https://github.com/php/pecl-file_formats-yaml/commit/36d5be6ff42d78ff2d3589750a99c61d283dcd5b

Thanks for the report and the help fixing it everyone.
Last updated: Fri Jan 03 03:01:29 2025 UTC