Bug #72040 AddressSanitizer: heap-use-after-free zend_alloc.c:924 zend_mm_del_segment
Submitted: 2016-04-17 06:53 UTC Modified: 2016-07-14 09:32 UTC
From: fernando at null-life dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID: None
 [2016-04-17 06:53 UTC] fernando at null-life dot com
Description:
------------
1. Compile PHP 5.6.20 with ASAN.
2. Run the attached script in a while loop; sometimes you will get the ASAN crash.

  while true; do /home/fmunozs/phpgit/php56/sapi/cli/php -n jet.php ; done

If php_request_shutdown is called during the fscanf, ASAN reports a heap-use-after-free in some cases.

Test script:
---------------
<?php

set_time_limit(1);                                                // time-out signal fires after 1s
$arr = []; for ($i = 0; $i < 165536; ++$i) { $arr[$i] = "aa"; } // plenty of memory to free at shutdown
$var1 = fopen("/dev/zero", "r");                                  // endless stream: the read never completes
$var2 = "AAA";
try { fscanf($var1, $var2); } catch (Exception $a) {}             // the time-out lands inside fscanf (line 7)

Expected result:
----------------
No warning

Actual result:
--------------
Fatal error: Maximum execution time of 1 second exceeded in /ramdisk/wtf/wtf/jet.php on line 7
=================================================================
==29856==ERROR: AddressSanitizer: heap-use-after-free on address 0xac533804 at pc 0x0930ffba bp 0xbfdf0358 sp 0xbfdf0348
READ of size 4 at 0xac533804 thread T0
    #0 0x930ffb9 in zend_mm_del_segment /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:924
    #1 0x930ffb9 in _zend_mm_free_int /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:2115
    #2 0x930ffb9 in _efree /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:2440
    #3 0x94d1d4f in zend_hash_destroy /home/fmunozs/phpgit/php56/Zend/zend_hash.c:553
    #4 0x94612d1 in _zval_dtor_func /home/fmunozs/phpgit/php56/Zend/zend_variables.c:45
    #5 0x93d83e8 in _zval_dtor /home/fmunozs/phpgit/php56/Zend/zend_variables.h:35
    #6 0x93d83e8 in i_zval_ptr_dtor /home/fmunozs/phpgit/php56/Zend/zend_execute.h:79
    #7 0x93d83e8 in _zval_ptr_dtor /home/fmunozs/phpgit/php56/Zend/zend_execute_API.c:424
    #8 0x94d3f53 in i_zend_hash_bucket_delete /home/fmunozs/phpgit/php56/Zend/zend_hash.c:182
    #9 0x94d3f53 in zend_hash_bucket_delete /home/fmunozs/phpgit/php56/Zend/zend_hash.c:192
    #10 0x94d3f53 in zend_hash_graceful_reverse_destroy /home/fmunozs/phpgit/php56/Zend/zend_hash.c:613
    #11 0x93daf4d in shutdown_executor /home/fmunozs/phpgit/php56/Zend/zend_execute_API.c:244
    #12 0x9467c8b in zend_deactivate /home/fmunozs/phpgit/php56/Zend/zend.c:960
    #13 0x91a88d0 in php_request_shutdown /home/fmunozs/phpgit/php56/main/main.c:1899
    #14 0x9a83ac3 in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1177
    #15 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #16 0xb6dcd645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #17 0x808aaba  (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

0xac533804 is located 4 bytes inside of 13369344-byte region [0xac533800,0xad1f3800)
freed by thread T0 here:
    #0 0xb727f06c in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x9706c)
    #1 0x92e89cb in zend_mm_mem_malloc_realloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:292

previously allocated by thread T0 here:
    #0 0xb727f06c in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x9706c)
    #1 0x92e89cb in zend_mm_mem_malloc_realloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:292

SUMMARY: AddressSanitizer: heap-use-after-free /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:924 zend_mm_del_segment
Shadow bytes around the buggy address:
==29856==ABORTING


History

 [2016-04-18 00:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-04-18 00:31 UTC] stas@php.net
Does not look like a security issue - specially crafted code that also makes little sense.
 [2016-04-19 01:45 UTC] fernando at null-life dot com
I can't ask my fuzzer to make sense :) but please take a look, it keeps appearing on my fuzzing session, seems to happen also if the shutdown occurs during fgetcsv call too.
 [2016-04-19 09:46 UTC] dmitry@php.net
PHP doesn't handle execution time-out gracefully.
In some cases it may cause a crash on request shutdown.

exit_on_timeout=1 in php.ini should minimize the risk.

The only way to fix this properly is to delay the actual signal handling until a safe place, e.g. like PHP on Windows does: setting EG(timed_out) in the signal handler and checking it from time to time in the interpreter. However, this approach won't interrupt long running internal functions.
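An added example (not code from PHP or from anyone in this thread) of the deferred scheme described above: the signal handler only sets a flag, and a simulated interpreter loop polls that flag at a safe point between "opcodes". The set_timer_ms helper, the loop and the return codes are assumptions; a one-shot real-time timer stands in for the max_execution_time alarm.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

/* Added illustration (not PHP's own code): the handler only records that the
 * limit was hit, and the loop acts on it at a safe point rather than unwinding
 * from inside the signal while heap metadata may be half-updated. */
static volatile sig_atomic_t timed_out = 0;
static volatile unsigned char sink;   /* keeps the heap work from being optimised out */
/* Async-signal-safe: a store to a sig_atomic_t is all the handler does. */
static void on_timeout(int sig) { (void)sig; timed_out = 1; }

/* Hypothetical helper: arm (ms > 0) or disarm (ms == 0) a one-shot real-time
 * timer, standing in for the max_execution_time alarm. */
static int set_timer_ms(unsigned ms) {
    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Simulated interpreter loop: each iteration does heap work, then visits a
 * safe point where the flag is checked and shutdown can proceed with the heap
 * consistent. Returns the number of completed iterations when the time-out was
 * observed, -1 if max_iters ran out first, -2 on setup failure. */
long run_until_timeout(unsigned timeout_ms, long max_iters) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_timeout;
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -2;
    timed_out = 0;
    if (set_timer_ms(timeout_ms) != 0) return -2;
    long done = 0;
    while (done < max_iters) {
        char *buf = malloc(64);   /* a signal landing in here must not unwind */
        if (buf == NULL) break;
        memset(buf, 'a', 64);
        sink = (unsigned char)buf[done & 63];
        free(buf);
        done++;
        if (timed_out) break;     /* safe point: act on the deferred signal */
    }
    set_timer_ms(0);              /* disarm so a late SIGALRM cannot escape */
    long result = timed_out ? done : -1;
    timed_out = 0;
    return result;
}
```

The caveat above still applies: work that never visits the safe point, such as a long-running internal function, is not interrupted until it returns.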
 [2016-07-14 09:32 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 09:32 UTC] dmitry@php.net
Graceful execution time-out handling is implemented in PHP-7.1.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 16 09:01:33 2025 UTC