Bug #72870 segfault zend_object_handlers.c:1528 (zend_std_object_get_class)
Submitted: 2016-08-17 19:47 UTC Modified: 2020-01-03 10:58 UTC
From: brian dot carpenter at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.28 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:47 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
<?php
print_r(get_loaded_extensions());

class SegfaultScenario {
    private $e;
    private $t;

    function __construct() {
        $this->e = $this;              // self-reference: object becomes a GC cycle
        $this->ob0ect = new \stdClass; // dynamic (undeclared) property
    }

    public function __destruct() {
        // destructor runs from inside gc_collect_cycles(); dumping $this here crashes
        if (!$this->ob0ect) (0);
        var_dump($this);
    }
}

class SomeContainer {
    public function run() {
        new SegfaultScenario;          // unreferenced immediately, collected below
    }
}

$container = new SomeContainer();
$container->run();
gc_collect_cycles();

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault_zend_std_object_get_class 
Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => pcre
    [5] => sqlite3
    [6] => ctype
    [7] => dom
    [8] => fileinfo
    [9] => filter
    [10] => hash
    [11] => iconv
    [12] => json
    [13] => SPL
    [14] => PDO
    [15] => session
    [16] => posix
    [17] => Reflection
    [18] => standard
    [19] => SimpleXML
    [20] => pdo_sqlite
    [21] => Phar
    [22] => tokenizer
    [23] => xml
    [24] => xmlreader
    [25] => xmlwriter
)
object(SegfaultScenario)#2 (3) {
  ["e":"SegfaultScenario":private]=>
  *RECURSION*
  ["t":"SegfaultScenario":private]=>
  NULL
  ["ob0ect"]=>
  ASAN:SIGSEGV
=================================================================
==96937==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7effffffff (pc 0x00000168c99c bp 0x7ffe2bc7d470 sp 0x7ffe2bc7d2f0 T0)
    #0 0x168c99b in zend_std_object_get_class /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:1528:2
    #1 0x15b4c5d in zend_get_class_entry /home/geeknik/php-5.6.24/Zend/zend_API.c:238:10
    #2 0x167d188 in zend_std_get_debug_info /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:140:25
    #3 0x12daacf in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:129:10
    #4 0x12dbfae in php_object_property_dump /home/geeknik/php-5.6.24/ext/standard/var.c:82:2
    #5 0x15f6298 in zend_hash_apply_with_arguments /home/geeknik/php-5.6.24/Zend/zend_hash.c:701:12
    #6 0x12db3a4 in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:146:4
    #7 0x12dc290 in zif_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:183:3
    #8 0x184edb0 in zend_do_fcall_common_helper_SPEC /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:558:5
    #9 0x17311d7 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:2602:9
    #10 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #11 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #12 0x15624f3 in zend_call_function /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:829:4
    #13 0x16298ce in zend_call_method /home/geeknik/php-5.6.24/Zend/zend_interfaces.c:97:12
    #14 0x167a8c4 in zend_objects_destroy_object /home/geeknik/php-5.6.24/Zend/zend_objects.c:123:3
    #15 0x16595ee in gc_collect_cycles /home/geeknik/php-5.6.24/Zend/zend_gc.c:811:6
    #16 0x161a247 in zif_gc_collect_cycles /home/geeknik/php-5.6.24/Zend/zend_builtin_functions.c:361:2
    #17 0x184edb0 in zend_do_fcall_common_helper_SPEC /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:558:5
    #18 0x17311d7 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:2602:9
    #19 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #20 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #21 0x15b1cc1 in zend_execute_scripts /home/geeknik/php-5.6.24/Zend/zend.c:1341:4
    #22 0x13be7f1 in php_execute_script /home/geeknik/php-5.6.24/main/main.c:2613:14
    #23 0x1907aaa in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:994:5
    #24 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #25 0x7f7ed0130b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #26 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:1528 zend_std_object_get_class
==96937==ABORTING


History

 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 19:59 UTC] brian dot carpenter at gmail dot com
-PHP Version: 5.6.24 +PHP Version: 5.6.28
 [2016-11-21 19:59 UTC] brian dot carpenter at gmail dot com
Affects 5.6.28:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => pcre
    [5] => sqlite3
    [6] => ctype
    [7] => dom
    [8] => fileinfo
    [9] => filter
    [10] => hash
    [11] => iconv
    [12] => json
    [13] => SPL
    [14] => PDO
    [15] => session
    [16] => posix
    [17] => Reflection
    [18] => standard
    [19] => SimpleXML
    [20] => pdo_sqlite
    [21] => Phar
    [22] => tokenizer
    [23] => xml
    [24] => xmlreader
    [25] => xmlwriter
)
object(SegfaultScenario)#2 (3) {
  ["e":"SegfaultScenario":private]=>
  *RECURSION*
  ["t":"SegfaultScenario":private]=>
  NULL
  ["ob0ect"]=>
  ASAN:SIGSEGV
=================================================================
==28442==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4effffffff (pc 0x000001a7d3a8 sp 0x7fff22da0dd0 bp 0x7fff22da0df0 T0)
    #0 0x1a7d3a7 in zend_std_object_get_class /root/php-5.6.28/Zend/zend_object_handlers.c:1528
    #1 0x1a7d511 in zend_std_get_debug_info /root/php-5.6.28/Zend/zend_object_handlers.c:140
    #2 0x1557d60 in php_var_dump /root/php-5.6.28/ext/standard/var.c:129
    #3 0x1558f3d in php_object_property_dump /root/php-5.6.28/ext/standard/var.c:82
    #4 0x19c67f7 in zend_hash_apply_with_arguments /root/php-5.6.28/Zend/zend_hash.c:701
    #5 0x155819a in php_var_dump /root/php-5.6.28/ext/standard/var.c:146
    #6 0x15596ef in zif_var_dump /root/php-5.6.28/ext/standard/var.c:183
    #7 0x1dbd765 in zend_do_fcall_common_helper_SPEC /root/php-5.6.28/Zend/zend_vm_execute.h:558
    #8 0x1bb6278 in execute_ex /root/php-5.6.28/Zend/zend_vm_execute.h:363
    #9 0x18dca5e in zend_call_function /root/php-5.6.28/Zend/zend_execute_API.c:831
    #10 0x1a12e16 in zend_call_method /root/php-5.6.28/Zend/zend_interfaces.c:97
    #11 0x1a7a4bd in zend_objects_destroy_object /root/php-5.6.28/Zend/zend_objects.c:123
    #12 0x1a4e4ee in gc_collect_cycles /root/php-5.6.28/Zend/zend_gc.c:811
    #13 0x19e37b0 in zif_gc_collect_cycles /root/php-5.6.28/Zend/zend_builtin_functions.c:361
    #14 0x1dbd765 in zend_do_fcall_common_helper_SPEC /root/php-5.6.28/Zend/zend_vm_execute.h:558
    #15 0x1bb6278 in execute_ex /root/php-5.6.28/Zend/zend_vm_execute.h:363
    #16 0x195e048 in zend_execute_scripts /root/php-5.6.28/Zend/zend.c:1341
    #17 0x167b5bf in php_execute_script /root/php-5.6.28/main/main.c:2613
    #18 0x1dc6fe4 in do_cli /root/php-5.6.28/sapi/cli/php_cli.c:998
    #19 0x4516a0 in main /root/php-5.6.28/sapi/cli/php_cli.c:1382
    #20 0x7f4ee9a46b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #21 0x45253e (/root/php-5.6.28/sapi/cli/php+0x45253e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.28/Zend/zend_object_handlers.c:1528 zend_std_object_get_class
==28442==ABORTING
 [2020-01-03 10:58 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 10:58 UTC] nikic@php.net
Can't reproduce this on 7.2 or upwards, so assuming this has already been fixed in the meantime. As this looks like a GC+__destructor issue, it has likely been fixed in PHP 7.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 06 15:01:35 2025 UTC