Bug #76667 Segfault with divide-assign op and __get + __set
Submitted: 2018-07-26 09:52 UTC Modified: 2018-07-26 16:02 UTC
From: leigh@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0alpha4 OS: Linux
Private report: No CVE-ID: None
 [2018-07-26 09:52 UTC] leigh@php.net
Description:
------------
Found while fuzzing typed properties but reproducible on master (7a41e4c0d0ddb2cfb91e31b210d7bceb158d2ab4)

PHP was compiled with: --disable-all

In the test case the undefined variable in __get and assign op in __set seem to be the core of this crash. Defining the var or changing the assign op to a different one prevents it.



Test script:
---------------
<?php

class T {
    public function __get($k)
    {
        return $undefined->$k;  // line 6: "Undefined variable" notice raised while the engine is still inside the compound assignment below
    }

    public function __set($k, $v)
    {
        return $this->$v /= 0;  // line 11: assign-op on an overloaded property reads it via __get, then writes it back via __set (property name is the assigned value)
    }
}

$x = new T;
$x->x = 1;

Expected result:
----------------
No segfault

Actual result:
--------------
(lldb) r /home/leigh/php-src/crash.php
Process 4852 launched: '/home/leigh/php-src/sapi/cli/php' (x86_64)

Warning: Division by zero in /home/leigh/php-src/crash.php on line 11

Warning: Division by zero in /home/leigh/php-src/crash.php on line 11
Process 4852 stopped
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
frame #0: 0x00005555558f04b5 php`zend_mm_alloc_small(heap=0x00007ffff6c00040, size=256, bin_num=15, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1283
1280
1281		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1282			zend_mm_free_slot *p = heap->free_slot[bin_num];
-> 1283			heap->free_slot[bin_num] = p->next_free_slot;
1284			return (void*)p;
1285		} else {
1286			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
(lldb) bt
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
* frame #0: 0x00005555558f04b5 php`zend_mm_alloc_small(heap=0x00007ffff6c00040, size=256, bin_num=15, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1283
frame #1: 0x00005555558f0760 php`zend_mm_alloc_heap(heap=0x00007ffff6c00040, size=256, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1354
frame #2: 0x00005555558f3409 php`_emalloc(size=224, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:2494
frame #3: 0x00005555559855f1 php`_smart_string_alloc(str=0x00007fffffff8800, len=1) at zend_smart_str.c:155
frame #4: 0x000055555589b337 php`smart_string_alloc(str=0x00007fffffff8800, len=1, persistent='\0') at zend_smart_string.h:61
frame #5: 0x000055555589b375 php`smart_string_appendc_ex(dest=0x00007fffffff8800, ch='U', persistent='\0') at zend_smart_string.h:82
frame #6: 0x000055555589b4be php`xbuf_format_converter(xbuf=0x00007fffffff8800, is_char='\x01', fmt="Undefined variable: %s", ap=0x00007fffffff8a00) at spprintf.c:239
frame #7: 0x000055555589d846 php`php_printf_to_smart_string(buf=0x00007fffffff8800, format="Undefined variable: %s", ap=0x00007fffffff8a00) at spprintf.c:830
frame #8: 0x0000555555927181 php`zend_vspprintf(pbuf=0x00007fffffff8868, max_len=1024, format="Undefined variable: %s", ap=0x00007fffffff8a00) at zend.c:184
frame #9: 0x000055555589490e php`php_error_cb(type=8, error_filename="/home/leigh/php-src/crash.php", error_lineno=6, format="Undefined variable: %s", args=0x00007fffffff8a00) at main.c:1199
frame #10: 0x00005555559290a2 php`zend_error(type=8, format="Undefined variable: %s") at zend.c:1289
frame #11: 0x00005555559878e4 php`zval_undefined_cv(var=96) at zend_execute.c:259
frame #12: 0x000055555598796f php`_get_zval_cv_lookup_BP_VAR_R(ptr=0x00007ffff6c202c0, var=96) at zend_execute.c:285
frame #13: 0x00005555559f8d05 php`ZEND_FETCH_OBJ_R_SPEC_CV_CV_HANDLER at zend_vm_execute.h:48800
frame #14: 0x0000555555a01ea4 php`execute_ex(ex=0x00007ffff6c20260) at zend_vm_execute.h:60188
frame #15: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff8ee0, fci_cache=0x00007fffffff8ec0) at zend_execute_API.c:756
frame #16: 0x00005555559783b1 php`zend_std_call_getter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff8fd0, retval=0x00007fffffff9090) at zend_object_handlers.c:203
frame #17: 0x0000555555979999 php`zend_std_read_property(object=0x00007fffffff90a0, member=0x00007fffffff8fd0, type=0, cache_slot=0x0000000000000000, rv=0x00007fffffff9090) at zend_object_handlers.c:706
frame #18: 0x000055555598aebb php`zend_assign_op_overloaded_property(object=0x00007ffff6c20200, property=0x00007ffff6c20240, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1525
frame #19: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #20: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #21: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #22: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c201e0) at zend_vm_execute.h:58546
frame #23: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff94b0, fci_cache=0x00007fffffff9490) at zend_execute_API.c:756
frame #24: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff95a0, value=0x00007fffffff9670) at zend_object_handlers.c:240
frame #25: 0x0000555555979df3 php`zend_std_write_property(object=0x00007fffffff9660, member=0x00007fffffff95a0, value=0x00007fffffff9670, cache_slot=0x0000000000000000) at zend_object_handlers.c:791
frame #26: 0x000055555598b002 php`zend_assign_op_overloaded_property(object=0x00007ffff6c20180, property=0x00007ffff6c201c0, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1543
frame #27: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #28: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #29: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #30: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c20160) at zend_vm_execute.h:58546
frame #31: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff9a70, fci_cache=0x00007fffffff9a50) at zend_execute_API.c:756
frame #32: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff9b60, value=0x00007fffffff9c30) at zend_object_handlers.c:240
frame #33: 0x0000555555979df3 php`zend_std_write_property(object=0x00007fffffff9c20, member=0x00007fffffff9b60, value=0x00007fffffff9c30, cache_slot=0x0000000000000000) at zend_object_handlers.c:791
frame #34: 0x000055555598b002 php`zend_assign_op_overloaded_property(object=0x00007ffff6c20100, property=0x00007ffff6c20140, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1543
frame #35: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #36: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #37: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #38: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c200e0) at zend_vm_execute.h:58546
frame #39: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffffa030, fci_cache=0x00007fffffffa010) at zend_execute_API.c:756
frame #40: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007ffff6c6e700, value=0x00007ffff6c6e710) at zend_object_handlers.c:240
frame #41: 0x0000555555979df3 php`zend_std_write_property(object=0x00007ffff6c20080, member=0x00007ffff6c6e700, value=0x00007ffff6c6e710, cache_slot=0x00007ffff6c01120) at zend_object_handlers.c:791
frame #42: 0x00005555559e4c70 php`ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CONST_HANDLER at zend_vm_execute.h:39861
frame #43: 0x0000555555a00f24 php`execute_ex(ex=0x00007ffff6c20030) at zend_vm_execute.h:59196
frame #44: 0x0000555555a0214f php`zend_execute(op_array=0x00007ffff6c85300, return_value=0x0000000000000000) at zend_vm_execute.h:60344
frame #45: 0x000055555592a00d php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1562
frame #46: 0x00005555558976ce php`php_execute_script(primary_file=0x00007fffffffc9e0) at main.c:2630
frame #47: 0x0000555555a04dd0 php`do_cli(argc=2, argv=0x0000555555e85990) at php_cli.c:1000
frame #48: 0x0000555555a05e87 php`main(argc=2, argv=0x0000555555e85990) at php_cli.c:1393
frame #49: 0x00007ffff7040b97 libc.so.6`__libc_start_main(main=(php`main at php_cli.c:1191), argc=2, argv=0x00007fffffffdd68, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffdd58) at libc-start.c:310
frame #50: 0x000055555565408a php`_start + 42
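Frame #0 above is the allocator popping a small-bin free slot (`heap->free_slot[bin_num] = p->next_free_slot`) from an unrelated emalloc while the "Undefined variable" notice is being formatted. That is the signature of earlier heap corruption rather than a bug in zend_mm_alloc_small itself: a free slot keeps its next-link in its own first word, so any stale write into freed memory rewrites the link, and the damage only surfaces when a later allocation from the same bin consumes it. The C program below is an added example written for this page, not php-src code and not a diagnosis of this bug: it models the quoted free-list fast path with a constructed bin of 256-byte slots (the size in frame #0; slot count, names and the stale write are assumptions) and shows both the unchecked pop leaving a garbage head behind and a bounds-checked pop that refuses the corrupted slot instead.

```c
/* Added example for this bug page, not php-src code: a minimal model of the
 * zend_mm small-bin free list in lldb frame #0 (constructed: 8 slots of 256 bytes). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 256
#define NSLOTS 8

/* A free slot keeps the next-link in its own first word, as zend_mm does. */
typedef struct free_slot { struct free_slot *next_free_slot; } free_slot;
typedef union { free_slot link; unsigned char bytes[SLOT_SIZE]; } slot;

typedef struct {
    free_slot *free_slot_head;  /* heap->free_slot[bin_num] */
    slot slots[NSLOTS];         /* the bin's backing memory */
} bin_heap;

/* Thread every slot onto the free list so slot 0 is popped first. */
static void bin_init(bin_heap *h)
{
    h->free_slot_head = NULL;
    for (int i = NSLOTS - 1; i >= 0; i--) {
        h->slots[i].link.next_free_slot = h->free_slot_head;
        h->free_slot_head = &h->slots[i].link;
    }
}

/* Unchecked fast path, mirroring zend_alloc.c:1281-1284: the link stored
 * inside the slot is trusted as-is. */
static void *bin_alloc(bin_heap *h)
{
    free_slot *p = h->free_slot_head;
    if (p == NULL)
        return NULL;
    h->free_slot_head = p->next_free_slot;  /* the line lldb stopped on */
    return p;
}

static void bin_free(bin_heap *h, void *ptr)
{
    free_slot *p = ptr;
    p->next_free_slot = h->free_slot_head;  /* the link now lives in freed memory */
    h->free_slot_head = p;
}

/* A link is acceptable only if NULL (end of list) or the start of a slot in
 * this bin. The zend_mm fast path performs no such check. */
static int link_is_valid(const bin_heap *h, const free_slot *p)
{
    uintptr_t base = (uintptr_t)h->slots, addr = (uintptr_t)p;
    if (p == NULL)
        return 1;
    return addr >= base && addr < base + sizeof h->slots
        && (addr - base) % sizeof(slot) == 0;
}

/* Checked pop: refuses a slot whose stored link is garbage. */
static void *bin_alloc_checked(bin_heap *h)
{
    free_slot *p = h->free_slot_head;
    if (p == NULL || !link_is_valid(h, p->next_free_slot))
        return NULL;                        /* empty, or corruption detected */
    h->free_slot_head = p->next_free_slot;
    return p;
}

/* Constructed use-after-free: a slot is freed, then something keeps writing
 * through the old pointer (here: filling it with 'U'). The next pop still
 * succeeds but leaves a garbage head that the pop after it would dereference,
 * the state frame #0 is in. Returns 1 when the model shows that. */
static int unchecked_pop_leaves_bad_head(void)
{
    bin_heap h;
    bin_init(&h);
    void *a = bin_alloc(&h);
    bin_free(&h, a);
    memset(a, 'U', 32);             /* stale write clobbers a->next_free_slot */
    void *again = bin_alloc(&h);    /* pops a, copies the clobbered link */
    return again == a && !link_is_valid(&h, h.free_slot_head);
}

/* Same scenario through the checked pop: the corrupted slot is refused
 * rather than poisoning the list. Returns 1 when detected. */
static int checked_pop_detects(void)
{
    bin_heap h;
    bin_init(&h);
    void *a = bin_alloc_checked(&h);
    bin_free(&h, a);
    memset(a, 'U', 32);
    return bin_alloc_checked(&h) == NULL;
}

int main(void)
{
    printf("unchecked pop leaves a bad head: %d\n", unchecked_pop_leaves_bad_head());
    printf("checked pop detects corruption:  %d\n", checked_pop_detects());
    return 0;
}
```

For real triage the useful move is to catch the first bad write rather than the later pop that trips over it: run the reproducer against a --enable-debug build, which adds the allocator's debug consistency checks, or with USE_ZEND_ALLOC=0 so the engine uses the system allocator and valgrind or AddressSanitizer can attribute the first invalid access to the line that made it.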

History
 [2018-07-26 16:02 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-07-26 16:02 UTC] cmb@php.net
Confirmed.  PHP-7.2 is not affected.
 [2018-07-27 05:03 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a7746d10a546537d566e5eac037e80227d4645f7
Log: Fixed bug #76667 (Segfault with divide-assign op and __get + __set)
 [2018-07-27 05:03 UTC] laruence@php.net
-Status: Verified +Status: Closed