Bug #71859 zend_objects_store_call_destructors operates on realloced memory, crashing.
Submitted: 2016-03-19 15:01 UTC Modified: -
From: jasper dot mattsson at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.4 OS:
Private report: No CVE-ID: None
 [2016-03-19 15:01 UTC] jasper dot mattsson at gmail dot com
Description:
------------
If a destructor instantiates new objects, objects->object_buckets might be reallocated in zend_objects_store_put, making obj_ptr dangle and sometimes crashing PHP. 

Test script:
---------------
<?php
class constructs_in_destructor {
  public function __destruct() {
    //We are now in zend_objects_store_call_destructors
    //This causes a realloc in zend_objects_store_put
    for ($i = 0; $i < 10000; ++$i) {
      $GLOBALS["a$i"] = new stdClass;
    }
    //Returns to zend_objects_store_call_destructors, to access freed memory.
  }
}

gc_disable();
$a = new constructs_in_destructor;
//Create a cycle so the destructor is run only in zend_objects_store_call_destructors
$a->a = $a;

// Create some objects so zend_objects_store_call_destructors has something
// to do after constructs_in_destructor is destroyed.
for ($i = 0; $i < 200; ++$i) {
  $GLOBALS["b$i"] = new stdClass;
}


Expected result:
----------------
No crash

Actual result:
--------------
#0  0x00000000008528ef in zend_objects_store_call_destructors (objects=0x1145ff0 <executor_globals+816>) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend_objects_API.c:54
#1  0x00000000007e9a57 in shutdown_destructors () at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend_execute_API.c:242
#2  0x00000000008028c1 in zend_call_destructors () at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend.c:952
#3  0x000000000076b5fe in php_request_shutdown (dummy=0x0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/main/main.c:1774
#4  0x00000000008cc813 in do_cli (argc=2, argv=0x114b9f0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/sapi/cli/php_cli.c:1142
#5  0x00000000008cd099 in main (argc=2, argv=0x114b9f0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/sapi/cli/php_cli.c:1345
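The hazard the report describes is a general one: a loop caches a pointer into a growable array, then calls code that may grow (and move) that array. The C model below is an added illustration, not code from the report or from php-src; the store, object and function names are assumptions, and it copies into a fresh block instead of calling realloc() so that the array is guaranteed to move. The buggy loop keeps a cached `obj_ptr` and detects (rather than dereferences) the stale pointer; the fixed loop indexes the store and reloads the base pointer on every iteration, which is the shape of remedy that resolves this class of bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of the Zend object store: an array of object
 * pointers with slot 0 unused, grown when it fills. Names and layout are
 * assumptions for illustration, not php-src's real structures. */
typedef struct store store;
typedef struct object object;
typedef void (*dtor_fn)(store *s, object *o);

struct object {
    int destructed;
    dtor_fn dtor;          /* run once at shutdown; may create more objects */
};

struct store {
    object **buckets;
    size_t top;            /* next free slot; slot 0 is unused */
    size_t size;           /* capacity */
    int hazard;            /* set when the buggy loop would touch freed memory */
};

static void store_init(store *s) {
    s->size = 8;
    s->buckets = calloc(s->size, sizeof *s->buckets);
    s->top = 1;
    s->hazard = 0;
}

/* Stand-in for zend_objects_store_put: growth happens here. Copying into a
 * fresh block instead of calling realloc() guarantees the array moves, so the
 * dangling-pointer hazard is deterministic rather than allocator-dependent. */
static void store_put(store *s, object *o) {
    if (s->top == s->size) {
        object **grown = calloc(s->size * 2, sizeof *grown);
        memcpy(grown, s->buckets, s->size * sizeof *grown);
        free(s->buckets);
        s->buckets = grown;
        s->size *= 2;
    }
    s->buckets[s->top++] = o;
}

static object *new_object(store *s, dtor_fn d) {
    object *o = calloc(1, sizeof *o);
    o->dtor = d;
    store_put(s, o);
    return o;
}

static void store_free(store *s) {
    for (size_t i = 1; i < s->top; i++) free(s->buckets[i]);
    free(s->buckets);
}

/* Like the report's __destruct: allocating inside the destructor forces growth. */
static void allocating_dtor(store *s, object *o) {
    (void)o;
    for (int i = 0; i < 100; i++) new_object(s, NULL);
}

/* Buggy shape: obj_ptr/end are computed once from the bucket array and then
 * walked, while each destructor may move that array. Instead of reading
 * through a freed block, this model checks for the move and flags it. */
static size_t call_destructors_buggy(store *s) {
    object **base = s->buckets;
    object **obj_ptr = base + 1;
    object **end = base + s->top;
    size_t done = 0;
    while (obj_ptr != end) {
        if (s->buckets != base) {   /* obj_ptr now points into freed memory */
            s->hazard = 1;
            return done;
        }
        object *obj = *obj_ptr++;
        if (!obj->destructed) {
            obj->destructed = 1;
            if (obj->dtor) obj->dtor(s, obj);
        }
        done++;
    }
    return done;
}

/* Fixed shape: index into the store and reload s->buckets on every iteration,
 * so a move inside a destructor is harmless; re-reading s->top also visits
 * objects that destructors created. */
static size_t call_destructors_fixed(store *s) {
    size_t done = 0;
    for (size_t i = 1; i < s->top; i++) {
        object *obj = s->buckets[i];
        if (!obj->destructed) {
            obj->destructed = 1;
            if (obj->dtor) obj->dtor(s, obj);
            done++;
        }
    }
    return done;
}

/* The report's scenario: one allocating object, then 200 plain ones. */
static void build_scenario(store *s) {
    store_init(s);
    new_object(s, allocating_dtor);
    for (int i = 0; i < 200; i++) new_object(s, NULL);
}

static size_t run_buggy(int *hazard) {
    store s;
    build_scenario(&s);
    size_t done = call_destructors_buggy(&s);
    *hazard = s.hazard;
    store_free(&s);
    return done;
}

static size_t scenario_buggy_destructed(void) { int h; return run_buggy(&h); }
static int scenario_buggy_hazard(void) { int h; run_buggy(&h); return h; }

static size_t scenario_fixed(void) {
    store s;
    build_scenario(&s);
    size_t done = call_destructors_fixed(&s);
    store_free(&s);
    return done;
}

int main(void) {
    int h = 0;
    size_t b = run_buggy(&h);
    printf("buggy loop: destructed %zu object(s), then hazard=%d\n", b, h);
    printf("fixed loop: destructed %zu object(s)\n", scenario_fixed());
    return 0;
}
```

In the buggy loop the first destructor grows the array, so the second iteration would already read through the old, freed block; the fixed loop destructs all 201 original objects plus the 100 created during shutdown, because it re-reads both the base pointer and `top` each time.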


History

 [2016-03-19 19:31 UTC] vvvaagn at gmail dot com
root@TZDG001:/tmp/data2# valgrind -q ../php-7.0.4/sapi/cli/php test.php ret/crash13
==20538== Invalid read of size 8
==20538==    at 0xC70678: zend_mm_alloc_small (zend_alloc.c:1291)
==20538==    by 0xC70678: zend_mm_alloc_heap (zend_alloc.c:1358)
==20538==    by 0xC70678: _emalloc (zend_alloc.c:2442)
==20538==    by 0xC7696F: _estrndup (zend_alloc.c:2565)
==20538==    by 0x76BD95: phar_split_fname (phar.c:2229)
==20538==    by 0x732F19: phar_parse_url (stream.c:74)
==20538==    by 0x747A26: phar_wrapper_open_dir (dirstream.c:315)
==20538==    by 0xBA6BB7: _php_stream_opendir (streams.c:1982)
==20538==    by 0x85DDB2: spl_filesystem_dir_open (spl_directory.c:236)
==20538==    by 0x869E39: spl_filesystem_object_construct (spl_directory.c:724)
==20538==    by 0x869E39: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==20538==    by 0xCE6370: zend_call_function (zend_execute_API.c:879)
==20538==    by 0xE0662A: zend_call_method (zend_interfaces.c:104)
==20538==    by 0x779BC1: zim_Phar___construct (phar_object.c:1233)
==20538==    by 0x101447C: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
==20538==  Address 0x73752f2e20656c75 is not stack'd, malloc'd or (recently) free'd
==20538== 
==20538== 
==20538== Process terminating with default action of signal 11 (SIGSEGV)
==20538==  General Protection Fault
==20538==    at 0xC70678: zend_mm_alloc_small (zend_alloc.c:1291)
==20538==    by 0xC70678: zend_mm_alloc_heap (zend_alloc.c:1358)
==20538==    by 0xC70678: _emalloc (zend_alloc.c:2442)
==20538==    by 0xC7696F: _estrndup (zend_alloc.c:2565)
==20538==    by 0x76BD95: phar_split_fname (phar.c:2229)
==20538==    by 0x732F19: phar_parse_url (stream.c:74)
==20538==    by 0x747A26: phar_wrapper_open_dir (dirstream.c:315)
==20538==    by 0xBA6BB7: _php_stream_opendir (streams.c:1982)
==20538==    by 0x85DDB2: spl_filesystem_dir_open (spl_directory.c:236)
==20538==    by 0x869E39: spl_filesystem_object_construct (spl_directory.c:724)
==20538==    by 0x869E39: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==20538==    by 0xCE6370: zend_call_function (zend_execute_API.c:879)
==20538==    by 0xE0662A: zend_call_method (zend_interfaces.c:104)
==20538==    by 0x779BC1: zim_Phar___construct (phar_object.c:1233)
==20538==    by 0x101447C: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
 [2016-03-20 11:56 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9564998e490092fdefa6630944e38692c75e30de
Log: Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
 [2016-03-20 11:56 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9564998e490092fdefa6630944e38692c75e30de
Log: Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC