Bug #74702 segfault in gc_zval_possible_root()
Submitted: 2017-06-06 21:03 UTC Modified: 2017-08-12 19:06 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: brian dot carpenter at gmail dot com Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 5.6.30 OS: Debian 8 x64
Private report: No CVE-ID: None
[2017-06-06 21:03 UTC] brian dot carpenter at gmail dot com
Description:
------------
The attached script crashes PHP 5.6.30.

Test script:
---------------
<?php
class bad {
    function t() { $h[] = 0; }
    // The destructor stores $this in a global, so a reference to the object
    // survives past the point where the engine is tearing it down.
    function __destruct() { global $bar; $bar = $this; }
}
// Build a self-referencing object and round-trip it through serialize/unserialize,
// then force a garbage-collection run.
$foo->f = $foo = $d = new bad;
unserialize(serialize($foo));
gc_collect_cycles();

Expected result:
----------------
No crash.

Actual result:
--------------
==12586==ERROR: AddressSanitizer: SEGV on unknown address 0x100139182d88 (pc 0x00000198aad7 sp 0x7fffc2f3a1c0 bp 0x7fe67d2d1840 T0)
    #0 0x198aad6 in gc_zval_possible_root /root/php-5.6.30/Zend/zend_gc.c:143
    #1 0x19019d6 in zend_hash_destroy /root/php-5.6.30/Zend/zend_hash.c:548
    #2 0x19b32da in zend_object_std_dtor /root/php-5.6.30/Zend/zend_objects.c:44
    #3 0x19b3650 in zend_objects_free_object_storage /root/php-5.6.30/Zend/zend_objects.c:137
    #4 0x19e201a in zend_objects_store_del_ref_by_handle_ex /root/php-5.6.30/Zend/zend_objects_API.c:226
    #5 0x19e25b5 in zend_objects_store_del_ref /root/php-5.6.30/Zend/zend_objects_API.c:178
    #6 0x18162c7 in _zval_dtor /root/php-5.6.30/Zend/zend_variables.h:35
    #7 0x18162c7 in i_zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute.h:79
    #8 0x18162c7 in _zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute_API.c:424
    #9 0x1906e8e in i_zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:182
    #10 0x1906e8e in zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:192
    #11 0x1906e8e in zend_hash_reverse_apply /root/php-5.6.30/Zend/zend_hash.c:733
    #12 0x1817940 in shutdown_destructors /root/php-5.6.30/Zend/zend_execute_API.c:214
    #13 0x1898593 in zend_call_destructors /root/php-5.6.30/Zend/zend.c:944
    #14 0x15d2974 in php_request_shutdown /root/php-5.6.30/main/main.c:1840
    #15 0x1e68480 in do_cli /root/php-5.6.30/sapi/cli/php_cli.c:1181
    #16 0x456468 in main /root/php-5.6.30/sapi/cli/php_cli.c:1382
    #17 0x7fe67ae0cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #18 0x45730e (/root/php-5.6.30/sapi/cli/php+0x45730e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.30/Zend/zend_gc.c:143 gc_zval_possible_root
==12586==ABORTING

History

[2017-06-07 10:19 UTC] andrew dot nester dot dev at gmail dot com
Since PHP 5.6+ supports only security fixes and this issue is not reproducible in PHP 7+, I guess this issue should be closed as `won't fix`.
[2017-08-12 19:06 UTC] nikic@php.net
-Status: Open +Status: Wont fix
[2017-08-12 19:06 UTC] nikic@php.net
Right. There's one variation of this issue that still exists in PHP 7, but that's tracked in bug #72530.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC