Bug #74084 Out of bound read - zend_mm_alloc_small
Submitted: 2017-02-11 14:08 UTC Modified: 2017-02-12 12:56 UTC
From: baharirad at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.1 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2017-02-11 14:08 UTC] baharirad at gmail dot com
Description:
------------
Out-of-bound read in zend_mm_alloc_small, crashes php-cli version 7.1.1 and above. I think it is a security bug and its severity is low.

$ /home/milad/php-src/sapi/cli/php 1
[1]    7384 segmentation fault (core dumped)  /home/milad/php-src/sapi/cli/php 1

Test script:
---------------
PoC: https://github.com/miladbr/public-poc/blob/master/php/1

Expected result:
----------------
php-cli should fail gracefully.

Actual result:
--------------
Valgrind output:

==7278== Invalid read of size 8
==7278==    at 0xE2A9C1: zend_mm_alloc_small (zend_alloc.c:1261)
==7278==    by 0xE2A9C1: zend_mm_alloc_heap (zend_alloc.c:1332)
==7278==    by 0xE2A9C1: _emalloc (zend_alloc.c:2417)
==7278==    by 0xD947F4: sapi_send_headers (SAPI.c:867)
==7278==    by 0xC63412: php_header (head.c:76)
==7278==    by 0xDADEC7: php_output_header (output.c:123)
==7278==    by 0xDAE790: php_output_op (output.c:1067)
==7278==    by 0xDAE408: php_output_write (output.c:257)
==7278==    by 0xD72391: php_printf (main.c:726)
==7278==    by 0xD7832E: php_error_cb (main.c:1167)
==7278==    by 0xEBA402: zend_error (zend.c:1253)
==7278==    by 0x10F0293: ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (zend_vm_execute.h:18224)
==7278==    by 0xF9EEFD: execute_ex (zend_vm_execute.h:432)
==7278==    by 0xF9F963: zend_execute (zend_vm_execute.h:474)
==7278==  Address 0x925c75800 is not stack'd, malloc'd or (recently) free'd
==7278== 
==7278== 
==7278== Process terminating with default action of signal 11 (SIGSEGV)
==7278==  Access not within mapped region at address 0x925C75800
==7278==    at 0xE2A9C1: zend_mm_alloc_small (zend_alloc.c:1261)
==7278==    by 0xE2A9C1: zend_mm_alloc_heap (zend_alloc.c:1332)
==7278==    by 0xE2A9C1: _emalloc (zend_alloc.c:2417)
==7278==    by 0xD947F4: sapi_send_headers (SAPI.c:867)
==7278==    by 0xC63412: php_header (head.c:76)
==7278==    by 0xDADEC7: php_output_header (output.c:123)
==7278==    by 0xDAE790: php_output_op (output.c:1067)
==7278==    by 0xDAE408: php_output_write (output.c:257)
==7278==    by 0xD72391: php_printf (main.c:726)
==7278==    by 0xD7832E: php_error_cb (main.c:1167)
==7278==    by 0xEBA402: zend_error (zend.c:1253)
==7278==    by 0x10F0293: ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (zend_vm_execute.h:18224)
==7278==    by 0xF9EEFD: execute_ex (zend_vm_execute.h:432)
==7278==    by 0xF9F963: zend_execute (zend_vm_execute.h:474)
==7278==  If you believe this happened as a result of a stack
==7278==  overflow in your program's main thread (unlikely but
==7278==  possible), you can try to increase the size of the
==7278==  main thread stack using the --main-stacksize= flag.
==7278==  The main thread stack size used in this run was 8388608.
Backtrace:

#0  zend_mm_alloc_small (size=0x0, heap=<optimized out>, bin_num=<optimized out>) at Zend/zend_alloc.c:1261
#1  zend_mm_alloc_heap (heap=0x7ffff3c00040, size=<optimized out>) at Zend/zend_alloc.c:1332
#2  _emalloc (size=<optimized out>) at Zend/zend_alloc.c:2417
#3  0x0000000000d947f5 in sapi_send_headers () at main/SAPI.c:867
#4  0x0000000000c63413 in php_header () at ext/standard/head.c:76
#5  0x0000000000dadec8 in php_output_header () at main/output.c:123
#6  0x0000000000dae791 in php_output_op (op=<optimized out>, 
    str=0x7ffff3c75380 "\nWarning: Creating default object from empty value in /home/milad/1 on line 1\n", len=0x55) at main/output.c:1067
#7  0x0000000000dae409 in php_output_write (str=0x7ffff3c75380 "\nWarning: Creating default object from empty value in /home/milad/1 on line 1\n", len=0x55)
    at main/output.c:257
#8  0x0000000000d72392 in php_printf (format=0x1a84480 <__afl_area_initial> "") at main/main.c:726
#9  0x0000000000d7832f in php_error_cb (type=0x2, error_filename=<optimized out>, error_lineno=<optimized out>, format=<optimized out>, args=<optimized out>)
    at main/main.c:1167
#10 0x0000000000eba403 in zend_error (type=<optimized out>, format=<optimized out>) at Zend/zend.c:1253
#11 0x00000000010f0294 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:18224
#12 0x0000000000f9eefe in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#13 0x0000000000f9f964 in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#14 0x0000000000ebbf0b in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>) at Zend/zend.c:1543
#15 0x0000000000d796b8 in php_execute_script (primary_file=<optimized out>) at main/main.c:2551
#16 0x000000000118ef31 in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:997
#17 0x000000000118cc72 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe498) at sapi/cli/php_cli.c:1390
#18 0x00007ffff68f3830 in __libc_start_main (main=0x118c360 <main>, argc=0x2, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at ../csu/libc-start.c:291
#19 0x0000000000424209 in _start ()
History

 [2017-02-12 12:30 UTC] laruence@php.net
-Type: Security +Type: Bug
 [2017-02-12 12:30 UTC] laruence@php.net
This is not a security issue. It requires running specific PHP code.
 [2017-02-12 12:40 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence