Bug #74954 null deref and segfault in zend_generator_resume()
Submitted: 2017-07-19 19:57 UTC Modified: 2017-07-22 09:06 UTC
From: geeknik at protonmail dot ch Assigned: bwoebi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS: Fedora 26 x64
Private report: No CVE-ID: None
 [2017-07-19 19:57 UTC] geeknik at protonmail dot ch
Description:
------------
Compiled with afl-clang-fast on Fedora 26 x64. While fuzzing with AFL, this null deref triggered a segfault.

Test script:
---------------
<?php
function from() {
        yield 1;
        throw new Exception();
}

function gen($gen) {
        try {
                var_dump(yield from $gen);
        } catch (Exception $e) { print "Caught exception!\n$e\n"; }
}

$gen = from();
$gens[] = gen($gen);
$gens[] = gen($gen);

foreach ($gens as $g) {
        $g->current();
}

do {
        foreach ($gens as $i => $g) {
                $g->next();
        }
} while($gens[0]->valid());
?>


Expected result:
----------------
No crash.

Actual result:
--------------
Caught exception!
Exception in /root/php-tmp/tmp/1.php:4
Stack trace:
#0 /root/php-tmp/tmp/1.php(9): from()
#1 [internal function]: gen(Object(Generator))
#2 /root/php-tmp/tmp/1.php(23): Generator->next()
#3 {main}
/root/php-7.1.7/Zend/zend_hash.c:1291:41: runtime error: left shift of 32768 by 16 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_hash.c:1291:41 in
/root/php-7.1.7/Zend/zend_smart_str.c:44:12: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:44:12 in
/root/php-7.1.7/Zend/zend_smart_str.c:44:12: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:44:12 in
/root/php-7.1.7/Zend/zend_smart_str.c:45:28: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:45:28 in
/root/php-7.1.7/Zend/zend_smart_str.c:45:28: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:45:28 in
Caught exception!
ClosedGeneratorException: Generator yielded from aborted, no return value available in /root/php-tmp/tmp/1.php:9
Stack trace:
#0 [internal function]: gen(Object(Generator))
#1 /root/php-tmp/tmp/1.php(23): Generator->next()
#2 {main}
/root/php-7.1.7/Zend/zend_generators.c:802:29: runtime error: member access within null pointer of type 'zend_execute_data' (aka 'struct _zend_execute_data')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_generators.c:802:29 in
ASAN:DEADLYSIGNAL
=================================================================
==27573==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000207dcb5 bp 0x7fff3545ab10 sp 0x7fff3545a980 T0)
==27573==The signal is caused by a WRITE memory access.
==27573==Hint: address points to the zero page.
    #0 0x207dcb4 in zend_generator_resume /root/php-7.1.7/Zend/zend_generators.c
    #1 0x23792d6 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:970:4
    #2 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #3 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #4 0x1e37ccd in zend_execute_scripts /root/php-7.1.7/Zend/zend.c:1476:4
    #5 0x1aa8eb2 in php_execute_script /root/php-7.1.7/main/main.c:2537:14
    #6 0x2984423 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:993:5
    #7 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #8 0x7f3fc73b54d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #9 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/Zend/zend_generators.c in zend_generator_resume
==27573==ABORTING
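The reporter's script hands one inner generator to two outer generators through `yield from`; the engine output above shows the first outer generator catching the inner exception and the second receiving a ClosedGeneratorException before the null dereference. The following is an added example, not the reporter's script and not php-src code, of a user-land guard that refuses a second live delegation to the same inner generator, so that pattern fails with a LogicException in the application rather than reaching the engine edge case. The class and method names (GeneratorDelegator, delegate) are hypothetical, and the inner/outer generator shapes mirror the report's script.

```php
<?php
// Added example (not the reporter's script and not php-src code): a small
// guard that refuses a second live delegation to the same inner generator.
// Class and method names here are hypothetical.

final class GeneratorDelegator
{
    /** @var SplObjectStorage inner generators with a delegation in progress */
    private $inUse;

    public function __construct()
    {
        $this->inUse = new SplObjectStorage();
    }

    /**
     * Delegate to $inner on behalf of the caller, used as
     * `yield from $delegator->delegate($inner)`. Refuses if another
     * delegation to $inner is still live. Returns $inner's return value.
     */
    public function delegate(Generator $inner): Generator
    {
        if ($this->inUse->contains($inner)) {
            throw new LogicException('generator is already being delegated to');
        }
        $this->inUse->attach($inner);
        try {
            // Forward every key/value of $inner, and its return value.
            $result = yield from $inner;
        } finally {
            // Release the slot whether $inner finished, threw, or was destroyed.
            $this->inUse->detach($inner);
        }
        return $result;
    }
}

// Same shape as the reporter's script: the inner generator yields once, then throws.
function from(): Generator
{
    yield 1;
    throw new RuntimeException('inner generator failed');
}

function gen(GeneratorDelegator $d, Generator $inner): Generator
{
    try {
        var_dump(yield from $d->delegate($inner));
    } catch (LogicException $e) {
        echo "Refused: {$e->getMessage()}\n";
    } catch (RuntimeException $e) {
        echo "Caught: {$e->getMessage()}\n";
    }
}

$d = new GeneratorDelegator();
$inner = from();
$gens = [gen($d, $inner), gen($d, $inner)];

// Start both outer generators: the first takes the delegation, the second
// is refused as soon as its delegation would begin.
foreach ($gens as $g) {
    $g->current();
}

// Drive them on: only the first is still running; it receives the inner
// generator's exception and catches it.
do {
    foreach ($gens as $g) {
        $g->next();
    }
} while ($gens[0]->valid());
```

The check happens when the delegating generator is first resumed, which is the moment `yield from` in the outer generator starts it, so the second outer generator catches the LogicException during its initial `current()` call and never resumes the shared inner generator. The `finally` block releases the inner generator on normal completion, on an exception, and on destruction of the delegating generator alike, so a later, non-overlapping delegation to the same inner generator is still permitted.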

Patches

Pull Requests

History

 [2017-07-22 09:06 UTC] bwoebi@php.net
-Assigned To: +Assigned To: bwoebi
 [2017-07-22 09:14 UTC] bwoebi@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bad5d0d6c56e078502b21ebdbf829b7a1c9b3bd3
Log: Fixed bug #74954 (null deref and segfault in zend_generator_resume())
 [2017-07-22 09:14 UTC] bwoebi@php.net
-Status: Assigned +Status: Closed