Bug #74600 crash (SIGSEGV) in _zend_hash_add_or_update_i
Submitted: 2017-05-16 09:27 UTC Modified: 2017-05-16 10:59 UTC
From: stephan dot zeisberg at splone dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None

 [2017-05-16 09:27 UTC] stephan dot zeisberg at splone dot com
Description:
------------
PHP crashes when starting with the following malformed php.ini file as input.

Version:
--------
commit 7640e0a5f97ee51ad62580b017ddefb60af5af15
PHP 7.2.0-dev (cli) (built: May 16 2017 11:01:02) ( NTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0-dev, Copyright (c) 1998-2017 Zend Technologies

Input file (php.ini) hexdump:
------------------------
00000000  5b 50 48 50 5d 0a 3b 0d  73 3d 00 00 3d 0a 3b 0d  |[PHP].;.s=..=.;.|
00000010  5b 50 41 54 48 00 5d 00  fe 20 3d 0a              |[PATH.].. =.|
0000001c

How to reproduce:
-----------------
./sapi/cli/php -c <malformed .ini file>

gdb:
----
(gdb) run -c /tmp/php.ini 
Starting program: /tmp/php/php-src/sapi/cli/php -c /tmp/php.ini
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000098ab63 in _zend_hash_add_or_update_i (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    flag=1, __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:612
612		HT_HASH(ht, nIndex) = HT_IDX_TO_HASH(idx);
(gdb) bt
#0  0x000000000098ab63 in _zend_hash_add_or_update_i (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    flag=1, __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:612
#1  0x000000000098ac0c in _zend_hash_update (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:629
#2  0x00000000008db1b4 in php_ini_parser_cb (arg1=0x7fffffffbd00, arg2=0x7fffffffbd20, arg3=0x0, 
    callback_type=1, target_hash=0x13d5018 <configuration_hash>) at main/php_ini.c:241
#3  0x0000000000926564 in ini_parse () at /tmp/php/php-src/Zend/zend_ini_parser.y:315
#4  0x0000000000925f45 in zend_parse_ini_file (fh=0x7fffffffdf38, unbuffered_errors=1 '\001', 
    scanner_mode=0, ini_parser_cb=0x8dafd0 <php_ini_parser_cb>, arg=0x13d5018 <configuration_hash>)
    at /tmp/php/php-src/Zend/zend_ini_parser.y:229
#5  0x00000000008da78b in php_init_config () at main/php_ini.c:592
#6  0x00000000008cd63e in php_module_startup (sf=0x13bc530 <cli_sapi_module>, additional_modules=0x0, 
    num_additional_modules=0) at main/main.c:2222
#7  0x0000000000a9148b in php_cli_startup (sapi_module=0x13bc530 <cli_sapi_module>)
    at sapi/cli/php_cli.c:431
#8  0x0000000000a8f8b2 in main (argc=3, argv=0x13f1890) at sapi/cli/php_cli.c:1357

valgrind:
---------
==14051== Memcheck, a memory error detector
==14051== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14051== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==14051== Command: ./sapi/cli/php -c /tmp/php.ini
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x988609: zend_hash_real_init_ex (zend_hash.c:139)
==14051==    by 0x98959A: zend_hash_check_init (zend_hash.c:163)
==14051==    by 0x98A7F8: _zend_hash_add_or_update_i (zend_hash.c:553)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c0 is 0 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98866E: zend_hash_real_init_ex (zend_hash.c:140)
==14051==    by 0x98959A: zend_hash_check_init (zend_hash.c:163)
==14051==    by 0x98A7F8: _zend_hash_add_or_update_i (zend_hash.c:553)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c0 is 0 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98AA38: _zend_hash_add_or_update_i (zend_hash.c:597)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c4 is 4 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AA7D: _zend_hash_add_or_update_i (zend_hash.c:602)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AAD1: _zend_hash_add_or_update_i (zend_hash.c:608)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AB14: _zend_hash_add_or_update_i (zend_hash.c:609)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AB21: _zend_hash_add_or_update_i (zend_hash.c:609)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98AB4A: _zend_hash_add_or_update_i (zend_hash.c:611)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0xae5d90c is not stack'd, malloc'd or (recently) free'd
==14051== 
==14051== 
==14051== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==14051==  Access not within mapped region at address 0xAE5D90C
==14051==    at 0x98AB4A: _zend_hash_add_or_update_i (zend_hash.c:611)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  If you believe this happened as a result of a stack
==14051==  overflow in your program's main thread (unlikely but
==14051==  possible), you can try to increase the size of the
==14051==  main thread stack using the --main-stacksize= flag.
==14051==  The main thread stack size used in this run was 8388608.
==14051== 
==14051== HEAP SUMMARY:
==14051==     in use at exit: 115,915 bytes in 672 blocks
==14051==   total heap usage: 758 allocs, 86 frees, 201,039 bytes allocated
==14051== 
==14051== LEAK SUMMARY:
==14051==    definitely lost: 0 bytes in 0 blocks
==14051==    indirectly lost: 0 bytes in 0 blocks
==14051==      possibly lost: 98,536 bytes in 316 blocks
==14051==    still reachable: 17,379 bytes in 356 blocks
==14051==         suppressed: 0 bytes in 0 blocks
==14051== Rerun with --leak-check=full to see details of leaked memory
==14051== 
==14051== For counts of detected and suppressed errors, rerun with: -v
==14051== Use --track-origins=yes to see where uninitialised values come from
==14051== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)
[1]    14051 segmentation fault  valgrind ./sapi/cli/php -c /tmp/php.ini

The crash has been found with afl-fuzz.

Best Regards,
Stephan Zeisberg



History

 [2017-05-16 09:34 UTC] stephan dot zeisberg at splone dot com
-PHP Version: Next Major Version +PHP Version: 7.1.5
 [2017-05-16 09:34 UTC] stephan dot zeisberg at splone dot com
Also affects PHP 7.1.5 (cli) (built: May  9 2017 16:55:02) ( NTS )
 [2017-05-16 09:53 UTC] requinix@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Reproducible crash
 [2017-05-16 09:53 UTC] requinix@php.net
Doesn't seem to affect parse_ini_file/string.
 [2017-05-16 10:36 UTC] laruence@php.net
could you please paste the original text out? I don't know how to get it from the output of hexdump :<
 [2017-05-16 10:43 UTC] requinix@php.net
"[PHP]\n;\rs=\000\000=\n;\r[PATH\000]\000\376 =\n"

$hex = "5b5048505d0a3b0d733d00003d0a3b0d5b50415448005d00fe203d0a";
echo addcslashes(hex2bin($hex), "\x00..\x1f\x7e..\xff");
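The hexdump in the report and requinix's addcslashes() one-liner above are two views of the same 28 bytes. As an added example (not code from the report or from php-src), the Python helper below reconstructs the reproducer from `hexdump -C` output, renders it in the same C-escaped form, and flags the NUL and non-ASCII bytes that a php.ini read at startup should never contain; the hexdump text embedded in it is copied from the report, and the squeeze-line (`*`) handling goes beyond this particular dump.

```python
# Constructed copy of the `hexdump -C` output in the report (the reproducer php.ini).
HEXDUMP = """\
00000000  5b 50 48 50 5d 0a 3b 0d  73 3d 00 00 3d 0a 3b 0d  |[PHP].;.s=..=.;.|
00000010  5b 50 41 54 48 00 5d 00  fe 20 3d 0a              |[PATH.].. =.|
0000001c
"""

def parse_hexdump(text):
    """Reassemble the bytes behind `hexdump -C` output: offset column, hex column,
    optional |ascii| column, and `*` lines that squeeze repeated rows."""
    out, prev_row, squeezed = bytearray(), b"", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "*":
            squeezed = True
            continue
        offset_str, _, rest = line.partition("  ")
        offset = int(offset_str, 16)
        if squeezed:
            # hexdump printed '*' for rows identical to the previous one: replay them
            while prev_row and len(out) < offset:
                out += prev_row
            squeezed = False
        if offset != len(out):
            raise ValueError("offset %#x, but %d bytes decoded so far" % (offset, len(out)))
        row = bytes.fromhex(rest.split("|", 1)[0].replace(" ", ""))
        out += row
        prev_row = row
    return bytes(out)

_C_ESCAPES = {7: "\\a", 8: "\\b", 9: "\\t", 10: "\\n", 11: "\\v", 12: "\\f", 13: "\\r"}

def c_escape(data):
    """Render bytes the way the addcslashes(..., "\\x00..\\x1f\\x7e..\\xff") call above does:
    named C escapes where they exist, three-digit octal for other bytes outside 0x20..0x7d."""
    return "".join(_C_ESCAPES.get(b) or ("\\%03o" % b if b < 0x20 or b >= 0x7E else chr(b))
                   for b in data)

def ini_control_bytes(data):
    """Flag (line, offset, byte) for NUL, non-ASCII and stray control bytes in an INI file,
    bytes a hand-written php.ini never contains and this reproducer is full of."""
    findings, line_no = [], 1
    for i, b in enumerate(data):
        if b == 0x0A:
            line_no += 1
        elif b == 0 or b >= 0x80 or (b < 0x20 and b not in (0x09, 0x0D)):
            findings.append((line_no, i, b))
    return findings
```

Running `ini_control_bytes` over a fuzzer-produced ini before handing it to `php -c` tells you at a glance which section headers and keys carry the embedded NUL bytes seen in this crash.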
 [2017-05-16 10:59 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2017-05-16 10:59 UTC] laruence@php.net
thanks, I've figured it out
 [2017-05-16 11:33 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f49ebb5baf1e52ce3184ea34977274040f835e9
Log: Fixed bug #74600 (crash (SIGSEGV) in _zend_hash_add_or_update_i)
 [2017-05-16 11:33 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2017-06-12 09:22 UTC] laruence@php.net
Automatic comment on behalf of manuel@mausz.at
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ee0e6963f39cc8f30bbd5675a0c4880a18b63b00
Log: Fixed bug #74600
Last updated: Thu Nov 21 12:01:29 2024 UTC