Bug #80362 Running dtrace scripts can cause php to crash
Submitted: 2020-11-13 15:40 UTC Modified: 2020-11-24 12:03 UTC
From: al at coralnet dot name Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.4.12 OS: OmniOS r151034
Private report: No CVE-ID: None

 

 [2020-11-13 15:40 UTC] al at coralnet dot name
Description:
------------
Running dtrace scripts using the php dtrace probes causes php to crash.

The following patch seems to fix the issue

--- Zend/zend.c.orig    2020-09-29 10:17:15.000000000 +0000
+++ Zend/zend.c
@@ -1309,7 +1309,9 @@ static ZEND_COLD void zend_error_va_list
 #ifdef HAVE_DTRACE
        if (DTRACE_ERROR_ENABLED()) {
                char *dtrace_error_buffer;
-               zend_vspprintf(&dtrace_error_buffer, 0, format, args);
+               va_copy(usr_copy, args);
+               zend_vspprintf(&dtrace_error_buffer, 0, format, usr_copy);
+               va_end(usr_copy);
                DTRACE_ERROR(dtrace_error_buffer, (char *)error_filename, error_lineno);
                efree(dtrace_error_buffer);
        }
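
Review bot: `usr_copy` in the added `va_copy(usr_copy, args);` line has no declaration in this hunk, so the patch only builds if a `va_list usr_copy;` is already in scope at this point in `zend_error_va_list`; please confirm that, or declare a `va_list` local to the `if (DTRACE_ERROR_ENABLED())` block next to `dtrace_error_buffer`. A one-line comment above the `va_copy` explaining why `args` is no longer passed to `zend_vspprintf` directly would keep a later cleanup from reverting it.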


Test script:
---------------
Dtrace script

#!/usr/sbin/dtrace -Zs -x bufsize=20m

#pragma D option quiet

php*:::error
{
    printf("%Y Error '%s' %s:%d\n", walltimestamp, copyinstr(arg0), copyinstr(arg1), (int)arg2);
}

php*:::exception-caught
{
    printf("%Y Caught %s\n", walltimestamp, copyinstr(arg0));
}

php*:::exception-thrown
{
    printf("%Y Thrown %s\n", walltimestamp, copyinstr(arg0));
}


test.php
<?php

throw a

?>



Expected result:
----------------
php test.php 
PHP Warning:  Module 'dom' already loaded in Unknown on line 0
PHP Warning:  Use of undefined constant a - assumed 'a' (this will throw an Error in a future version of PHP) in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3
PHP Fatal error:  Uncaught Error: Can only throw objects in /export/home/aslate/tmp/tuiuksys/public/test.php:3
Stack trace:
#0 {main}
  thrown in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3


Actual result:
--------------
php test.php 
Segmentation Fault (core dumped)


 [2020-11-24 12:02 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fa713ec17ba6c1b7cbf4c00b121f34a1a6f77919
Log: Fixed bug #80362: Running dtrace scripts can cause php to crash
 [2020-11-24 12:02 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2020-11-24 12:03 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-11-24 12:03 UTC] nikic@php.net
I don't have a way to test this, but your patch looks sensible, so I've applied it.

In PHP 8.0 this issue has already been fixed as a side-effect of some refactorings (a pre-formatted message is provided).
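
The hazard the patch addresses, as an added example (not code from php-src or from either commenter): once a `va_list` has been handed to a `v*printf`-style function its value is indeterminate, so a second consumer needs its own `va_copy`, or the message has to be formatted once and passed on as a string, which is the PHP 8.0 approach mentioned above. `fake_probe`, `report_with_copy`, `report_preformatted` and `report` are hypothetical names, and the sample messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the DTRACE_ERROR probe: records what it was given. */
static char probe_seen[128];
static void fake_probe(const char *msg) {
    snprintf(probe_seen, sizeof probe_seen, "%s", msg);
}

/* Pattern of the 7.4 patch: the probe formats from its own va_copy,
 * so `args` is still untouched for the code that runs after the probe. */
static int report_with_copy(char *out, size_t n, const char *fmt, va_list args) {
    va_list probe_args;
    char tmp[128];
    va_copy(probe_args, args);
    vsnprintf(tmp, sizeof tmp, fmt, probe_args);
    va_end(probe_args);
    fake_probe(tmp);
    return vsnprintf(out, n, fmt, args);   /* first and only use of args */
}

/* Pattern described for 8.0: format once, hand the finished string on. */
static int report_preformatted(char *out, size_t n, const char *fmt, va_list args) {
    int len = vsnprintf(out, n, fmt, args);
    fake_probe(out);
    return len;
}

/* Variadic entry point; `preformat` selects which pattern to run. */
static int report(int preformat, char *out, size_t n, const char *fmt, ...) {
    va_list args;
    int len;
    va_start(args, fmt);
    len = preformat ? report_preformatted(out, n, fmt, args)
                    : report_with_copy(out, n, fmt, args);
    va_end(args);
    return len;
}

int main(void) {
    char msg[128];
    report(0, msg, sizeof msg, "Use of undefined constant %s in %s on line %d",
           "a", "test.php", 3);
    printf("log:   %s\nprobe: %s\n", msg, probe_seen);
    return 0;
}
```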
 
Last updated: Mon Feb 03 08:01:31 2025 UTC