Bug #79151 heap use after free caused by spl_dllist_it_helper_move_forward
Submitted: 2020-01-21 17:51 UTC Modified: 2020-01-22 08:22 UTC
From: wxhusst at gmail dot com Assigned:
Status: Closed Package: SPL related
PHP Version: master-Git-2020-01-21 (Git) OS: linux
Private report: No CVE-ID: None
 [2020-01-21 17:51 UTC] wxhusst at gmail dot com
Description:
------------
=================================================================
==130430==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400003c1e0 at pc 0x0000015c22b9 bp 0x7ffc23e33710 sp 0x7ffc23e33708
READ of size 4 at 0x60400003c1e0 thread T0
    #0 0x15c22b8 in spl_dllist_it_helper_move_forward /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:977:3
    #1 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #2 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #3 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #4 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #5 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #6 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #7 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #8 0x7fea402fa1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #9 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

0x60400003c1e0 is located 16 bytes inside of 40-byte region [0x60400003c1d0,0x60400003c1f8)
freed by thread T0 here:
    #0 0x6adb42 in free /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x15c1b47 in spl_ptr_llist_pop /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:266:2
    #2 0x15c1b47 in spl_dllist_it_helper_move_forward /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:959
    #3 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #4 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7

previously allocated by thread T0 here:
    #0 0x6adec3 in malloc /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x1c75540 in __zend_malloc /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_alloc.c:2975:14
    #2 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #3 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7

SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:977:3 in spl_dllist_it_helper_move_forward
Shadow bytes around the buggy address:
  0x0c087ffff7e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087ffff7f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087ffff800: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087ffff810: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087ffff820: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087ffff830: fa fa fd fd fd fd fd fa fa fa fd fd[fd]fd fd fa
  0x0c087ffff840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087ffff850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087ffff860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087ffff870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087ffff880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==130430==ABORTING

Test script:
---------------
<?php


$a = new SplDoublyLinkedList();

$a->setIteratorMode(-1); 
$a->unshift(array(array("a" => 1, "b" => "2", "c" => 3.0), array("a", "xxxxxx", 2.2250738585072011e-308), 2.2250738585072011e-308)); 
$a->rewind();
$a->unshift(implode(array_map(function($c) {return "\\x" . str_pad(dechex($c), 2, "0");}, range(0, 255)))); 
$a->pop(); 
$a->next(); 

?>


Expected result:
----------------
normal

Actual result:
--------------
crash

History
 [2020-01-21 19:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-01-21 22:51 UTC] wxhusst at gmail dot com
Why is this bug just a normal bug?
 [2020-01-22 00:13 UTC] requinix@php.net
@wxhusst: Because this requires running specific and unusual code. See https://wiki.php.net/security
 [2020-01-22 08:22 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-01-22 08:22 UTC] nikic@php.net
Reduced a bit:

<?php
$a = new SplDoublyLinkedList();
$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_LIFO | SplDoublyLinkedList::IT_MODE_DELETE);
$a->push(1);
$a->rewind();
$a->unshift(2);
$a->pop();
$a->next();
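The sanitizer trace above shows the shape of the problem: the freeing stack is the DELETE-mode pop inside spl_dllist_it_helper_move_forward (spl_dllist.c:959), and the 4-byte read at line 977 of the same function touches the 40-byte element that pop just freed. The reduced script parks the iterator on the element holding 1, the user-level pop() detaches that element from the list, and next() then steps from it. The C model below is an added example, not PHP's code; it assumes (my reading of the trace, not something the report states) that a detached element kept its link to its former neighbour, so the iterator's step reached an element the step itself had just freed. The hardening shown is to refcount nodes so a parked cursor keeps its node alive, and to null a node's links when it is detached so a cursor can never walk from it into memory the list no longer owns. All names (node_t, list_t, cursor_t, MODE_*) are this example's own.

```c
#include <stdlib.h>
#include <stdio.h>

/* Toy refcounted doubly linked list with an SPL-style iterator (added example,
 * modelled loosely on ext/spl's list; not PHP's code). */
typedef struct node {
    struct node *prev, *next;
    int rc;        /* one reference from the list, one per cursor parked here */
    int attached;  /* 1 while linked into the list */
    long value;
} node_t;

typedef struct { node_t *head, *tail; int count; } list_t;

/* Iterator mode bits, named after SplDoublyLinkedList's IT_MODE_* constants */
enum { MODE_FIFO = 0, MODE_LIFO = 1, MODE_KEEP = 0, MODE_DELETE = 2 };

typedef struct { node_t *cur; int mode; } cursor_t;

static void node_addref(node_t *n) { if (n) n->rc++; }
static void node_delref(node_t *n) { if (n && --n->rc == 0) free(n); }

static node_t *node_new(long v) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->value = v; n->rc = 1; n->attached = 1;   /* rc 1 = the list's reference */
    return n;
}

static void list_push(list_t *l, long v) {            /* append at tail */
    node_t *n = node_new(v);
    n->prev = l->tail;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n; l->count++;
}

static void list_unshift(list_t *l, long v) {         /* prepend at head */
    node_t *n = node_new(v);
    n->next = l->head;
    if (l->head) l->head->prev = n; else l->tail = n;
    l->head = n; l->count++;
}

/* Unlink n. The hardening is nulling n's own links and flagging it detached:
 * a cursor may still hold n and must not be able to follow pointers from it
 * to neighbours that a later operation can free. */
static void list_detach(list_t *l, node_t *n) {
    if (n->prev) n->prev->next = n->next; else l->head = n->next;
    if (n->next) n->next->prev = n->prev; else l->tail = n->prev;
    n->prev = n->next = NULL;
    n->attached = 0;
    l->count--;
    node_delref(n);   /* drop the list's reference; a cursor may keep n alive */
}

static int list_pop(list_t *l, long *out) {
    if (!l->tail) return 0;
    *out = l->tail->value;
    list_detach(l, l->tail);
    return 1;
}

static int list_shift(list_t *l, long *out) {
    if (!l->head) return 0;
    *out = l->head->value;
    list_detach(l, l->head);
    return 1;
}

static void cursor_rewind(cursor_t *c, list_t *l) {
    node_delref(c->cur);
    c->cur = (c->mode & MODE_LIFO) ? l->tail : l->head;
    node_addref(c->cur);
}

/* Step the cursor; returns 1 when it lands on an element, 0 at the end.
 * In DELETE mode the element at the iteration end is removed, as SPL does.
 * A cursor parked on a node the user already popped sees NULL links, so the
 * iteration ends instead of reaching a neighbour this step is about to free. */
static int cursor_next(cursor_t *c, list_t *l) {
    node_t *old = c->cur;
    long v;
    if (!old) return 0;
    c->cur = (c->mode & MODE_LIFO) ? old->prev : old->next;
    if (c->mode & MODE_DELETE) {
        if (c->mode & MODE_LIFO) list_pop(l, &v); else list_shift(l, &v);
    }
    node_delref(old);
    node_addref(c->cur);   /* c->cur is a live, attached node or NULL */
    return c->cur != NULL;
}

/* The reduced reproducer from the report, replayed on the hardened list.
 * Returns the number of elements left; *cursor_at_end reports cur == NULL. */
static int replay_bug_79151(int *cursor_at_end) {
    list_t l = {0};
    cursor_t c = { NULL, MODE_LIFO | MODE_DELETE };
    long v;
    list_push(&l, 1);
    cursor_rewind(&c, &l);   /* cursor parks on the node holding 1 */
    list_unshift(&l, 2);     /* list is now 2, 1 */
    list_pop(&l, &v);        /* user pops 1: node detached, kept alive by the cursor */
    cursor_next(&c, &l);     /* DELETE step pops 2; no stale link is followed */
    *cursor_at_end = (c.cur == NULL);
    return l.count;
}

/* Drain a list in LIFO|DELETE mode; fills out[] and returns the count seen. */
static int drain_lifo(const long *vals, int n, long *out, int *left) {
    list_t l = {0};
    cursor_t c = { NULL, MODE_LIFO | MODE_DELETE };
    int k = 0;
    for (int i = 0; i < n; i++) list_push(&l, vals[i]);
    for (cursor_rewind(&c, &l); c.cur; cursor_next(&c, &l)) out[k++] = c.cur->value;
    *left = l.count;
    return k;
}

int main(void) {
    int at_end = 0, left = 0;
    long got[3];
    printf("replay leaves %d elements, cursor at end: %d\n", replay_bug_79151(&at_end), at_end);
    drain_lifo((const long[]){1, 2, 3}, 3, got, &left);
    printf("drained %ld %ld %ld, %d left\n", got[0], got[1], got[2], left);
    return 0;
}
```

Compiled with -fsanitize=address the replay runs clean, which is the property the original report lacked: the cursor's own reference keeps the popped element alive, and its nulled links mean next() has nothing stale to follow.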
 [2020-01-23 13:21 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=db9776c53c50d923a26657fa150dfb2a482a6507
Log: Fixed bug #79151
 [2020-01-23 13:21 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC