Bug #78182 Segmentation fault during by-reference property assignment
Submitted: 2019-06-19 14:01 UTC Modified: 2019-06-19 14:34 UTC
From: nguyenmanhdung1710 at gmail dot com Assigned:
Status: Closed Package: Testing related
PHP Version: 7.4.0alpha1 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
 [2019-06-19 14:01 UTC] nguyenmanhdung1710 at gmail dot com
Description:
------------
Our fuzzer found a crash (a potential false positive) on php version 3.1.6 (commit b1bdae7621) due to a malformed input.

PoC: https://github.com/strongcourage/PoCs/blob/master/php_v3.1.6_b1bdae7621/PoC

Command: php $POC

Valgrind says:
==25180== Invalid read of size 1
==25180==    at 0x12A5359: zend_object_fetch_property_type_info (zend_execute.c:2572)
==25180==    by 0x12A5359: ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER (zend_vm_execute.h:26956)
==25180==    by 0x12D6428: execute_ex (zend_vm_execute.h:62493)
==25180==    by 0x130F8DB: zend_execute (zend_vm_execute.h:65287)
==25180==    by 0xF374A2: zend_execute_scripts (zend.c:1625)
==25180==    by 0xD08147: php_execute_script (main.c:2650)
==25180==    by 0x131A67C: do_cli (php_cli.c:985)
==25180==    by 0x26F6FC: main (php_cli.c:1375)
==25180==  Address 0x125 is not stack'd, malloc'd or (recently) free'd

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==11961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000124 (pc 0x5654a71320f8 bp 0x7ffc1c9e4470 sp 0x7ffc1c9e4460 T0)
==11961==The signal is caused by a READ memory access.
==11961==Hint: address points to the zero page.
    #0 0x5654a71320f7 in zend_object_fetch_property_type_info /home/dungnm/fuzzing/php-7.3.6/Zend/zend_execute.c:2572
    #1 0x5654a7293da3 in ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:26956
    #2 0x5654a741388d in execute_ex /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:62493
    #3 0x5654a742a6f5 in zend_execute /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:65287
    #4 0x5654a6fab1e2 in zend_execute_scripts /home/dungnm/fuzzing/php-7.3.6/Zend/zend.c:1625
    #5 0x5654a6e04ee1 in php_execute_script /home/dungnm/fuzzing/php-7.3.6/main/main.c:2650
    #6 0x5654a7433157 in do_cli /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:985
    #7 0x5654a74358aa in main /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:1375
    #8 0x7f4efe1a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5654a6513369 in _start (/home/dungnm/fuzzing/php-7.3.6/obj-asan/sapi/cli/php+0x341369)

Thanks,
Manh Dung

 [2019-06-19 14:12 UTC] danack@php.net
"php version 3.1.6"

That version of PHP is 'slightly' out of date. Can you confirm you really meant 7.3.6?
 [2019-06-19 14:17 UTC] nikic@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.6 +PHP Version: 7.4.0alpha1
 [2019-06-19 14:17 UTC] nikic@php.net
Based on the trace this has to be on 7.4 or master. I can confirm the segfault on 7.4.
 [2019-06-19 14:22 UTC] nikic@php.net
Cleaned up repro:

<?php
$varName = 'var';
$propName = 'prop';
// $$varName is never defined, so the container of the property write is not an object;
// assigning the dynamic property by reference in this state segfaulted the 7.4 engine.
$$varName->$propName =& $$varName;
 [2019-06-19 14:34 UTC] nikic@php.net
-Summary: Segmentation Fault in zend_execute.c:2572 +Summary: Segmentation fault during by-reference property assignment
 [2019-06-19 14:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=268b5fec8e42e82dce398b86a4970ad8875978d3
Log: Fixed bug #78182
 [2019-06-19 14:36 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC