PHP :: Bug #79922 :: Crash after multiple calls to xml_parser

Bug #79922	Crash after multiple calls to xml_parser_free()
Submitted:	2020-08-01 23:26 UTC	Modified:	2020-08-10 10:30 UTC
From:	srivas41 at purdue dot edu	Assigned:	cmb (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.3	OS:	Ubuntu 18.04
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	srivas41 at purdue dot edu
New email:
PHP Version:		OS:

New Comment:

[2020-08-01 23:26 UTC] srivas41 at purdue dot edu

Description:
------------
It is possible to trigger a null pointer dereference in `date_parse` which causes the PHP interpreter to crash.

# Build instructions

## Download and build PHP-7.4.8
wget https://www.php.net/distributions/php-7.4.8.tar.gz && tar -xf php.7.4.8.tar.gz && cd php-7.4.8

## Setup PHP interpreter
./buildconf --force && CC=clang-9 CXX=clang++-9 CFLAGS="-fsanitize=address -g" ./configure && make -j`nproc`

## Run instructions
./sapi/cli/php -f test_script.php

# Authors

Prashast Srivastava, Mathias Payer


Test script:
---------------
<?php 
$c=xml_parser_create_ns();
$a=xml_parser_free($c);
$a=xml_parser_free($c);
$c=0;
date_parse($a);
?>

Expected result:
----------------
The PHP interpreter should not crash.

Actual result:
--------------
# ASAN-disabled interpreter result

$ ./sapi/cli/php -f null-ptr-deref.php

Segmentation fault (core dumped)  ./sapi/cli/php -f

# ASAN Backtrace from ASAN-enabled interpreter

$ ./sapi/cli/php -f null-ptr-deref.php

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000141b0d0 bp 0x7ffffffeef20 sp 0x7ffffffeee00 T0)
==10121==The signal is caused by a READ memory access.
==10121==Hint: address points to the zero page.
    #0 0x141b0cf in zend_mm_alloc_small /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33
    #1 0x141b0cf in zend_mm_alloc_heap /root/build/php-7.4.8/Zend/zend_alloc.c:1326:9
    #2 0x141b0cf in _emalloc /root/build/php-7.4.8/Zend/zend_alloc.c:2539:9
    #3 0x1421348 in _estrdup /root/build/php-7.4.8/Zend/zend_alloc.c:2622:15
    #4 0x54fdf9 in add_error /root/build/php-7.4.8/parse_date.re:350:66
    #5 0x5518be in scan /root/build/php-7.4.8/parse_date.re:1814:3
    #6 0x54ef13 in timelib_strtotime /root/build/php-7.4.8/parse_date.re:1878:7
    #7 0x50e22a in zif_date_parse /root/build/php-7.4.8/ext/date/php_date.c:3188:16
    #8 0x1b0a280 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/build/php-7.4.8/Zend/zend_vm_execute.h:1269:2
    #9 0x17bee0a in execute_ex /root/build/php-7.4.8/Zend/zend_vm_execute.h:53618:7
    #10 0x17c0377 in zend_execute /root/build/php-7.4.8/Zend/zend_vm_execute.h:57920:2
    #11 0x155204a in zend_execute_scripts /root/build/php-7.4.8/Zend/zend.c:1678:4
    #12 0x1283457 in php_execute_script /root/build/php-7.4.8/main/main.c:2621:14
    #13 0x1c3cbb8 in do_cli /root/build/php-7.4.8/sapi/cli/php_cli.c:964:5
    #14 0x1c39f29 in main /root/build/php-7.4.8/sapi/cli/php_cli.c:1359:18
    #15 0x7ffff6307b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x440049 in _start (/root/build/php-7.4.8/sapi/cli/php+0x440049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33 in zend_mm_alloc_small
==10121==ABORTING

Patches

Pull Requests

Pull requests:

Fix #79922: Crash after multiple calls to xml_parser_free() (php-src/5969)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-08-01 23:29 UTC] srivas41 at purdue dot edu

-Summary: Lack of error checking in `posix_kill` +Summary: Null-pointer-dereference in `date_parse` -Operating System: Ubuntu 16.04 +Operating System: Ubuntu 18.04

[2020-08-01 23:29 UTC] srivas41 at purdue dot edu

The summary details (OS, version, summary) were incorrect while I was submitting the bug report. Fixed them now.

[2020-08-02 03:21 UTC] stas@php.net

-Type: Security +Type: Bug

[2020-08-08 14:03 UTC] cmb@php.net

-Summary: Null-pointer-dereference in `date_parse` +Summary: Crash after multiple calls to xml_parser_free() -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2020-08-08 14:03 UTC] cmb@php.net

I can confirm the crash; this is not particularly related to
date_parse(), but rather to multiple calls to xml_parser_free() on
the same XML parsers.

[2020-08-08 14:04 UTC] cmb@php.net

-PHP Version: 7.4.8 +PHP Version: 7.3

[2020-08-08 14:04 UTC] cmb@php.net

7.3 is affected as well, but not PHP 8.0.

[2020-08-10 09:15 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #79922: Crash after multiple calls to xml_parser_free()
On GitHub:  https://github.com/php/php-src/pull/5969
Patch:      https://github.com/php/php-src/pull/5969.patch

[2020-08-10 10:30 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2020-08-10 10:30 UTC] cmb@php.net

Fixed with <http://git.php.net/?p=php-src.git;a=commit;h=0af3f493121f8eb5f71051303c5ee1a42a81fc6f>.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 14:01:29 2024 UTC