Bug #80183 Stack Overflow in zend_try_compile_cv
Submitted: 2020-10-04 03:19 UTC Modified: 2020-10-05 09:05 UTC
From: m dot aldofirmansyah at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 8.0.0rc1 OS: Ubuntu 16.04.1
Private report: No CVE-ID: None
 [2020-10-04 03:19 UTC] m dot aldofirmansyah at gmail dot com
Description:
------------
When fuzzing I found crashes; here is one of them.

And here is the crash summary using crashwalk and exploitable, with ASAN_OPTIONS="abort_on_error=1:symbolize=0"

---CRASH SUMMARY---
Filename: /root/fuzzing-crash-file/php/crash/id:000010,sig:06,src:007382,op:havoc,rep:16
SHA1: 65a6543bc15dc15f6ecaa6444d1c8b1eac649822
Classification: EXPLOITABLE
Hash: c6369cca9f5b474eb58f64460df8222e.69512d8e0fd694d7e12e80288baeaca8
Command: /root/php/SRC/build/bin/php /root/fuzzing-crash-file/php/crash/id:000010,sig:06,src:007382,op:havoc,rep:16
Faulting Frame:
   zend_try_compile_cv @ 0x0000000001e4d36c: in /root/php/SRC/build/bin/php
Disassembly:
Stack Head (1000 entries):
   zend_try_compile_cv       @ 0x0000000001e4d36c: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee7048: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
   zend_compile_expr_inner   @ 0x0000000001ee4a72: in /root/php/SRC/build/bin/php
   zend_compile_expr         @ 0x0000000001e44cbc: in /root/php/SRC/build/bin/php
   zend_compile_simple_var_n @ 0x0000000001e4d740: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee70a5: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
   zend_compile_expr_inner   @ 0x0000000001ee4a72: in /root/php/SRC/build/bin/php
   zend_compile_expr         @ 0x0000000001e44cbc: in /root/php/SRC/build/bin/php
   zend_compile_simple_var_n @ 0x0000000001e4d740: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee70a5: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
Registers:
rax=0x00007ffd9f7b7040 rbx=0x00000ff39e018274 rcx=0x00007ffd9f7b6fe0 rdx=0x00000000049806c0 
rsi=0x00000ff39e01828f rdi=0x00007ffd9f7b7000 rbp=0x00007ffd9f7b70f0 rsp=0x00007ffd9f7b6fe0 
 r8=0x00007ffd9f7b6ff0  r9=0x00007ffd9f7b6fe0 r10=0x00007ffd9f7b76e0 r11=0x00007f9cf00c1398 
r12=0x00000ff39e018200 r13=0x0000000000000018 r14=0x00007f9cf00c1398 r15=0x0000000004974188 
rip=0x0000000001e4d36c efl=0x0000000000010282  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Possible stack corruption
   Short description: PossibleStackCorruption (7/22)
   Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
---END SUMMARY---

Test script:
---------------
https://gist.github.com/TheCrott/2b0b159f5965b30f5706b78bf4596f5a/raw/1d771d62773335499aec06145d295260e77d79aa/poc3.php

Actual result:
--------------
I don't know how to run this file, as it returns an error.

History
 [2020-10-04 03:25 UTC] stas@php.net
-Type: Security +Type: Bug -Package: Unknown/Other Function +Package: Scripting Engine problem
 [2020-10-05 09:05 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2020-10-05 09:05 UTC] nikic@php.net
Test script looks like a hex dump with lots of \x24 in a row, aka $. This is a compiler stack overflow from a deeply nested AST, and as such uninteresting.
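The stack head in the crash summary above is the tell-tale shape of what nikic describes: one short cycle of compiler frames (zend_compile_simple_var → zend_compile_var_inner → zend_compile_var → zend_compile_expr_inner → zend_compile_expr → zend_compile_simple_var_n → ...) repeated until the stack runs out, with the faulting frame zend_try_compile_cv sitting as a leaf just above the loop. `exploitable` still labels that "PossibleStackCorruption / EXPLOITABLE" because its heuristics only see an unwind failure, which is why fuzzing triage needs a second look. The following is an added example, written for this page and not code from the PHP project or the bug tracker: it parses an `exploitable`-style "Stack Head" block (the line shape assumed is the one shown in this report) and checks whether the visible frames are a periodic recursion cycle, which downgrades the verdict from memory corruption to plain stack exhaustion. The `max_skip` allowance for leaf frames above the cycle is a heuristic of this example, not part of any tool.

```python
"""Triage helper: recognise unbounded recursion in an exploitable/crashwalk stack head."""
import re

# Frame lines in an `exploitable` "Stack Head" block look like (assumed from this report):
#   zend_compile_var @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
FRAME_RE = re.compile(r"^\s*(\S+)\s+@\s+0x[0-9a-fA-F]+:")

# The 16 frames shown in the crash summary of this report (copied from the page).
SAMPLE_STACK = """\
Stack Head (1000 entries):
   zend_try_compile_cv       @ 0x0000000001e4d36c: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee7048: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
   zend_compile_expr_inner   @ 0x0000000001ee4a72: in /root/php/SRC/build/bin/php
   zend_compile_expr         @ 0x0000000001e44cbc: in /root/php/SRC/build/bin/php
   zend_compile_simple_var_n @ 0x0000000001e4d740: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee70a5: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
   zend_compile_expr_inner   @ 0x0000000001ee4a72: in /root/php/SRC/build/bin/php
   zend_compile_expr         @ 0x0000000001e44cbc: in /root/php/SRC/build/bin/php
   zend_compile_simple_var_n @ 0x0000000001e4d740: in /root/php/SRC/build/bin/php
   zend_compile_simple_var   @ 0x0000000001ee70a5: in /root/php/SRC/build/bin/php
   zend_compile_var_inner    @ 0x0000000001ee6710: in /root/php/SRC/build/bin/php
   zend_compile_var          @ 0x0000000001e4f754: in /root/php/SRC/build/bin/php
"""


def parse_frames(stack_text):
    """Return the function name of every frame line, innermost (faulting) frame first."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group(1))
    return frames


def find_recursion_cycle(frames, min_repeats=2, max_skip=3):
    """Look for a periodic run of frames at the top of the stack.

    Up to `max_skip` innermost frames may precede the cycle: the function that
    actually hit the guard page (here zend_try_compile_cv) is typically a leaf
    called from inside the recursive loop rather than a member of it.  Returns
    a dict describing the shortest cycle found, or None if the visible frames
    are not periodic.
    """
    for skip in range(0, max_skip + 1):
        tail = frames[skip:]
        n = len(tail)
        for period in range(1, n // min_repeats + 1):
            if all(tail[i] == tail[i + period] for i in range(n - period)):
                return {
                    "skip": skip,          # leaf frames above the cycle
                    "period": period,      # frames per recursion level
                    "repeats": n // period,  # full cycles visible in the excerpt
                    "cycle": tail[:period],
                }
    return None


def classify_crash(stack_text, short_description):
    """Turn an `exploitable` verdict plus stack head into a triage verdict.

    A stack-related verdict whose visible frames are one cycle repeated is
    stack exhaustion from a deeply nested input (a DoS on a recursive-descent
    compiler), not memory corruption, whatever the tool's 'EXPLOITABLE' label says.
    """
    cycle = find_recursion_cycle(parse_frames(stack_text))
    if cycle and "Stack" in short_description:
        return "stack exhaustion via unbounded recursion"
    if cycle:
        return "recursion present but not a stack fault: review"
    return "needs manual review"


if __name__ == "__main__":
    info = find_recursion_cycle(parse_frames(SAMPLE_STACK))
    print("cycle:", " -> ".join(info["cycle"]))
    print("verdict:", classify_crash(SAMPLE_STACK, "PossibleStackCorruption (7/22)"))
```

Run as a script it prints the six-frame cycle from this report and the verdict "stack exhaustion via unbounded recursion". In a fuzzing pipeline the same check can be applied to every crash that `exploitable` tags as stack corruption, so that crashes like this one are deduplicated by their cycle rather than filed as security issues; a stack head with no periodic structure still goes to manual review.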
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC