php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80244 SEGV in zend_gc_delref()
Submitted: 2020-10-16 03:21 UTC Modified: 2021-12-14 14:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sanjeev dot das at ibm dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0.0rc1 OS: 18.04.4 LTS
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sanjeev dot das at ibm dot com
New email:
PHP Version: OS:

 

 [2020-10-16 03:21 UTC] sanjeev dot das at ibm dot com
Description:
------------
php(cli) triggers segmentation fault with a crafted php file. The input triggers out of bounds read in zend_string_release_ex(). Address sanitizer also shows the crash caused by invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DOS. 
========================
Command : php -f crash_1.php (shown below)
 
Addrsan logs:
-----------------
Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0)
==57581==The signal is caused by a READ memory access.
    #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2
    #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8
    #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2
    #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3
    #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2
    #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3
    #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3
    #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2
    #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2
    #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3
    #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18
    #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref
==57581==ABORTING
====================================

Test script:
---------------
<?php
$name = 'a';
for ($i = 0; $i < 100000; $i++) {
    if ($name .= 'i') {
        $$name =& $GLOBALS;
    }
    $name++;
}
?>

Expected result:
----------------
Should not seg fault.

Actual result:
--------------
Segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-16 08:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-12-14 14:14 UTC] cmb@php.net
-Package: CGI/CLI related +Package: Scripting Engine problem
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC