Bug #72907 null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)
Submitted: 2016-08-20 19:14 UTC Modified: 2016-08-21 09:34 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.25 OS: Debian 8.5 x64
Private report: No CVE-ID: None
 [2016-08-20 19:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.25 x64 w/ American Fuzzy Lop and ASAN.

Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/php/segfault_gc_remove_zval_from_buffer

Expected result:
----------------
No crash.



Actual result:
--------------
ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.5/bin/llvm-symbolizer ASAN_OPTIONS=symbolizer=1 ./php test00

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Creating default object from empty value in /root/php-tmp/out/crashes/test00 on line 1
ASAN:SIGSEGV
=================================================================
==28119==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x00000197cd3f sp 0x7ffe8a728df0 bp 0x7ffbeb6c8d78 T0)
    #0 0x197cd3e in gc_remove_from_buffer /root/php-5.6.25/Zend/zend_gc.h:190
    #1 0x197cd3e in gc_remove_zval_from_buffer /root/php-5.6.25/Zend/zend_gc.c:260
    #2 0x1b2c41f in i_zval_ptr_dtor_nogc /root/php-5.6.25/Zend/zend_execute.h:94
    #3 0x1b2c41f in ZEND_BW_XOR_SPEC_VAR_VAR_HANDLER /root/php-5.6.25/Zend/zend_vm_execute.h:19132
    #4 0x1a2d076 in execute_ex /root/php-5.6.25/Zend/zend_vm_execute.h:363
    #5 0x1898248 in zend_execute_scripts /root/php-5.6.25/Zend/zend.c:1341
    #6 0x15cd9af in php_execute_script /root/php-5.6.25/main/main.c:2613
    #7 0x1e5cf19 in do_cli /root/php-5.6.25/sapi/cli/php_cli.c:994
    #8 0x4565ec in main /root/php-5.6.25/sapi/cli/php_cli.c:1378
    #9 0x7ffbe91f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x45761e (/root/php-5.6.25/sapi/cli/php+0x45761e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_gc.h:190 gc_remove_from_buffer
==28119==ABORTING
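As an added example, not part of the bug report or of php-src, here is a small Python triage helper of the kind used to process crashes from a fuzzing campaign like the one described above. It parses an AddressSanitizer report, extracts the error kind, faulting address and symbolized frames, flags a very small faulting address as a likely null-pointer dereference (a heuristic, not something ASAN itself reports), and derives a signature from the top frames so duplicate crashes can be folded together before anyone files them. The embedded report text is copied from this bug; the 4 KiB near-null threshold and the three-frame signature depth are assumptions.

```python
import os
import re

# Sample input: the ASAN output from this bug report, embedded here so the
# script runs offline.
SAMPLE_REPORT = """\
ASAN:SIGSEGV
=================================================================
==28119==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x00000197cd3f sp 0x7ffe8a728df0 bp 0x7ffbeb6c8d78 T0)
    #0 0x197cd3e in gc_remove_from_buffer /root/php-5.6.25/Zend/zend_gc.h:190
    #1 0x197cd3e in gc_remove_zval_from_buffer /root/php-5.6.25/Zend/zend_gc.c:260
    #2 0x1b2c41f in i_zval_ptr_dtor_nogc /root/php-5.6.25/Zend/zend_execute.h:94
    #3 0x1b2c41f in ZEND_BW_XOR_SPEC_VAR_VAR_HANDLER /root/php-5.6.25/Zend/zend_vm_execute.h:19132
    #4 0x1a2d076 in execute_ex /root/php-5.6.25/Zend/zend_vm_execute.h:363
    #5 0x1898248 in zend_execute_scripts /root/php-5.6.25/Zend/zend.c:1341
    #6 0x15cd9af in php_execute_script /root/php-5.6.25/main/main.c:2613
    #7 0x1e5cf19 in do_cli /root/php-5.6.25/sapi/cli/php_cli.c:994
    #8 0x4565ec in main /root/php-5.6.25/sapi/cli/php_cli.c:1378
    #9 0x7ffbe91f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x45761e (/root/php-5.6.25/sapi/cli/php+0x45761e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_gc.h:190 gc_remove_from_buffer
==28119==ABORTING
"""

# "==<pid>==ERROR: AddressSanitizer: <kind> on [unknown ]address 0x..."
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)"
)
# Symbolized frame: "#N 0x... in <function> <file:line or (module+offset)>".
# Unsymbolized frames (no "in <function>") are deliberately skipped.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)", re.MULTILINE)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (.+)$", re.MULTILINE)

# Assumption: anything inside the first page is treated as NULL plus a field
# offset rather than a real mapping.
NEAR_NULL_THRESHOLD = 0x1000


def normalize_location(loc):
    """Reduce '/root/php-5.6.25/Zend/zend_gc.h:190' to 'zend_gc.h:190' so the
    signature does not depend on where the fuzzing box checked out the source."""
    return os.path.basename(loc.strip("()"))


def parse_asan_report(text):
    """Return error kind, faulting address, symbolized frames and summary line."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer error line found")
    frames = [(func, normalize_location(loc)) for _, func, loc in FRAME_RE.findall(text)]
    s = SUMMARY_RE.search(text)
    return {
        "error": m.group(1),
        "address": int(m.group(2), 16),
        "frames": frames,
        "summary": s.group(1) if s else None,
    }


def is_near_null(address, threshold=NEAR_NULL_THRESHOLD):
    """Heuristic: a fault in the first page is almost always a NULL base pointer
    dereferenced at a small struct offset, i.e. a missing NULL check."""
    return 0 <= address < threshold


def crash_signature(report, depth=3):
    """Bucket key for deduplicating fuzzer crashes: error kind plus the top
    frames with file:line, which survives ASLR and differing build paths."""
    top = report["frames"][:depth]
    return "|".join([report["error"]] + ["%s@%s" % (f, l) for f, l in top])


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print("error      :", r["error"], "at", hex(r["address"]))
    print("near-null  :", is_near_null(r["address"]))
    print("signature  :", crash_signature(r))
    print("summary    :", r["summary"])
```

Feeding every ASAN report from an AFL crashes directory through `crash_signature` and keeping one test case per distinct signature is the usual first pass before root-causing; the near-null flag separates probable missing-check bugs like this one from faults at attacker-influenced addresses, which deserve a closer look first.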

Patches

Pull Requests

History

 [2016-08-21 04:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-21 09:41 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b740bb3987ba4f181dfda91ce3bd9fe663155574
Log: Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))
 [2016-08-21 09:41 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b740bb3987ba4f181dfda91ce3bd9fe663155574
Log: Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))