Bug #78702 Refreshable PHP crash
Submitted: 2019-10-21 05:18 UTC Modified: 2019-10-21 08:27 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 05:18 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      retu^n;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffff7ff618 --> 0x13 
RCX: 0x7fffff7ff620 --> 0x3000000008 
RDX: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
RSI: 0x1 
RDI: 0x7fffff7ff5d0 --> 0x0 
RBP: 0x25 ('%')
RSP: 0x7fffff7fefe8 
RIP: 0x555556c3047c (<xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x7ffff2a69358 ("/home/fuzz/Desktop/phpcrash/crash1.php")
R9 : 0x8 
R10: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
R11: 0x4 
R12: 0x2 
R13: 0x5555573d16c4 --> 0x676e696e726157 ('Warning')
R14: 0x5555573d63da --> 0x276e646c756f6300 ('')
R15: 0x7ffff2a91000 ("Use of undefined constant retu - assumed 'retu' (this will throw an Error in a future version of PHP)")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556c3046c <xbuf_format_converter+124>:	je     0x555556c308f8 <xbuf_format_converter+1288>
   0x555556c30472 <xbuf_format_converter+130>:	xchg   ax,ax
   0x555556c30474 <xbuf_format_converter+132>:	lea    rsp,[rsp-0x98]
=> 0x555556c3047c <xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx
   0x555556c30480 <xbuf_format_converter+144>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556c30485 <xbuf_format_converter+149>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556c3048a <xbuf_format_converter+154>:	mov    rcx,0x5422
   0x555556c30491 <xbuf_format_converter+161>:	call   0x555556c36d68 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556c3047c in xbuf_format_converter (xbuf=0x7fffff7ff5d0, is_char=0x1, 
    fmt=0x55555740ebe7 "%s\n%s: %s in %s on line %u\n%s", ap=0x7fffff7ff620)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/main/spprintf.c:237
237		while (*fmt) {
gdb-peda$ 
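The reproducer above recurses without bound: every autoload call probes yet another undefined class from inside the loader, and PHP 7.3 enforces no stack-depth limit, so the C stack overflows and the process segfaults while formatting the "undefined constant" warning. As an added example, not code from the report or from PHP itself, here is an autoloader that guards against re-entry for the same class and against nesting deeper than an assumed MAX_DEPTH; the `'X'` suffix it probes only mimics the report's `'UndefinedClass' . $i` pattern.

```php
<?php
// Added example (not from the bug report): an autoloader with a re-entry and
// depth guard so that a loader which calls class_exists() on other undefined
// classes terminates instead of recursing until the C stack overflows.

final class GuardedAutoloader
{
    const MAX_DEPTH = 8;             // assumed limit for this example
    private static $depth = 0;       // current autoload nesting depth
    private static $inProgress = []; // class names whose autoload is running

    public static function register()
    {
        spl_autoload_register([self::class, 'load']);
    }

    public static function load(string $name)
    {
        if (isset(self::$inProgress[$name]) || self::$depth >= self::MAX_DEPTH) {
            // Re-entered for the same class, or nested too deep: stop here.
            // The pending class_exists() then returns false instead of recursing.
            error_log("autoload recursion stopped at depth " . self::$depth . " for $name");
            return;
        }
        self::$inProgress[$name] = true;
        self::$depth++;
        try {
            // Hypothetical loader body: like the reported script, probe another
            // undefined class from inside the autoloader. The guard above bounds it.
            class_exists($name . 'X');
        } finally {
            self::$depth--;
            unset(self::$inProgress[$name]);
        }
    }
}

GuardedAutoloader::register();
var_dump(class_exists('UndefinedClass0'));
```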


History
 [2019-10-21 07:57 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 07:57 UTC] nikic@php.net
Standard "magic" recursion stack overflow, tracked at bug #64196.
 [2019-10-21 08:27 UTC] songmingxuan at cert dot org dot cn
I want to ask: can I apply for a CVE for this duplicate? Ha ha ha????
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 18:01:29 2024 UTC