Bug #39558 Heap corrupted and segmentation fault from zend_alloc.c
Submitted: 2006-11-20 13:24 UTC Modified: 2006-11-20 18:27 UTC
From: sheltren at cs dot ucsb dot edu Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.2.0 OS: Linux - CentOS 4
Private report: No CVE-ID: None
 [2006-11-20 13:24 UTC] sheltren at cs dot ucsb dot edu
Description:
------------
When running a script which uses the crack extension to check passwords against dictionary files, a "heap corrupted" message is output and then php segfaults.  The strange thing is, it crashes when $passwd is set to "jeffpass", but other strings I have tried do not cause the crash.

Reproduce code:
---------------
Code to reproduce is located here:
http://www.cs.ucsb.edu/~jeff/crashes.phps

$ php crashes.php
Heap corrupted
Segmentation fault (core dumped)


Expected result:
----------------
Should loop through dictionaries and return from function successfully - this same code works fine in php 5.1.6.

Actual result:
--------------
(gdb) bt
#0  0x00a7e7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00abec46 in kill () from /lib/tls/libc.so.6
#2  0x0827b345 in zend_mm_panic (message=0x83a4ea0 "Heap corrupted")
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:61
#3  0x0827b7fa in zend_mm_remove_from_free_list (heap=0xa26c130, mm_block=0xb7f25a00)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:476
#4  0x0827cfee in _zend_mm_free_int (heap=0xa26c130, p=0xb7f251d4, 
    __zend_filename=0x117048 "/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1357
#5  0x0827d815 in _efree (ptr=0xb7f251d4, 
    __zend_filename=0x117048 "/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1653
#6  0x00114a30 in cracklib_pw_close (pwp=0xb7f251d4)
    at /local/jeff/crack-0.4/libcrack/src/packlib.c:221
#7  0x001133cb in php_crack_module_dtor (rsrc=0xb7f22c9c) at /local/jeff/crack-0.4/crack.c:177
#8  0x082a20d9 in list_entry_destructor (ptr=0xb7f22c9c)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:184
#9  0x0829ffa8 in zend_hash_del_key_or_index (ht=0x83d9b08, arKey=0x0, nKeyLength=0, h=3, flag=1)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:492
#10 0x082a1dcd in _zend_list_delete (id=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:58
#11 0x082949b2 in _zval_dtor_func (zvalue=0xb7f22b00, 
    __zend_filename=0x83a66cc "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h", 
    __zend_lineno=35) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:60
#12 0x08288db2 in _zval_dtor (zvalue=0xb7f22b00, 
    __zend_filename=0x83a6644 "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c", 
    __zend_lineno=414) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h:35
#13 0x08288f65 in _zval_ptr_dtor (zval_ptr=0xb7f22b84, 
    __zend_filename=0x83a77a8 "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c", 
    __zend_lineno=175) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c:414
#14 0x08294c67 in _zval_ptr_dtor_wrapper (zval_ptr=0xb7f22b84)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:175
#15 0x082a01fa in zend_hash_clean (ht=0xb7f22450)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:547
#16 0x082b4724 in zend_do_fcall_common_helper_SPEC (execute_data=0xbffc4bd0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:255
#17 0x082b8edd in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbffc4bd0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:1681
#18 0x082b40c2 in execute (op_array=0xb7f21e14)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:92
#19 0x082967ec in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend.c:1097
#20 0x08251376 in php_execute_script (primary_file=0xbffc6fa0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/main/main.c:1758
#21 0x082fa7a1 in main (argc=2, argv=0xbffc7084)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/sapi/cgi/cgi_main.c:1625

 [2006-11-20 13:27 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-11-20 17:33 UTC] sheltren at cs dot ucsb dot edu
The problem still exists with the latest CVS snapshot.

$ php crashes.php 
[Mon Nov 20 09:29:19 2006]  Script:  'crashes.php'
---------------------------------------
/local/jeff/php/crack-0.4/libcrack/src/packlib.c(221) : Block 0xB7EE71D8 status:
Invalid pointer: ((size=0x0000084D) != (next.prev=0x6C087905))
---------------------------------------
X-Powered-By: PHP/5.2.1-dev
Content-type: text/html

zend_mm_heap corrupted
Segmentation fault
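The debug output above is the allocator's own consistency check: a block's size field must equal the prev-size field of the block that follows it, and the two disagree here. The following added example (not code from the page, from PHP or from PECL/crack) models that check with a simplified two-field header, which is an assumption about layout and not the real zend_alloc.c structure, and shows both a write that the check catches and a shorter overrun that it does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (assumption, not PHP's real zend_alloc.c layout) of a
 * heap whose blocks record their own size and the size of the preceding
 * block.  The debug check compares a block's size with the prev_size of
 * the block that follows it; a mismatch means a header was overwritten. */
typedef struct {
    uint32_t size;      /* total size of this block, header included */
    uint32_t prev_size; /* size of the block immediately before this one */
} block_hdr;

#define HDR sizeof(block_hdr)
#define NEXT(b) ((block_hdr *)((char *)(b) + (b)->size))

/* Carve two adjacent blocks with payload sizes n1 and n2 out of an arena. */
static void arena_init(char *arena, size_t n1, size_t n2) {
    block_hdr *b1 = (block_hdr *)arena;
    b1->size = (uint32_t)(HDR + n1);
    b1->prev_size = 0;
    block_hdr *b2 = NEXT(b1);
    b2->size = (uint32_t)(HDR + n2);
    b2->prev_size = b1->size;
}

/* The check itself: 1 when the header pair agrees, 0 when the block or
 * its neighbour's header has been corrupted and must not be freed. */
int block_is_valid(const block_hdr *b) {
    const block_hdr *next = NEXT(b);
    return b->size == next->prev_size;
}

/* Constructed scenario: fill nwrite bytes into a payload of `payload`
 * bytes, then run the check a free() would run on that block. */
int write_and_check(size_t payload, size_t nwrite) {
    union { char bytes[256]; uint32_t align; } arena;  /* keep headers aligned */
    memset(arena.bytes, 0, sizeof arena.bytes);
    arena_init(arena.bytes, payload, 64);
    block_hdr *b1 = (block_hdr *)arena.bytes;
    memset((char *)b1 + HDR, 'A', nwrite);  /* constructed fill */
    return block_is_valid(b1);
}
```

Note that an overrun of only 4 bytes past a 16-byte payload clobbers the neighbour's size field but not its prev_size, so the check still passes; the corruption surfaces later, at a different free, which is why the faulting frame in a report like this one is often not the code that caused the damage.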
 [2006-11-20 17:42 UTC] tony2001@php.net
Are you able to reproduce NOT using PECL/crack?
 [2006-11-20 18:11 UTC] sheltren at cs dot ucsb dot edu
So far that is the only code I have had crash on me in this manner.
 [2006-11-20 18:15 UTC] tony2001@php.net
Ok, then please report it to PECL/crack developers:
http://pecl.php.net/bugs/search.php?cmd=display&status=Open&package_name[]=crack
Thanks.
 [2006-11-20 18:27 UTC] sheltren at cs dot ucsb dot edu
Gladly... PECL bug opened for crack here: http://pecl.php.net/bugs/bug.php?id=9395
Last updated: Fri Apr 10 07:01:23 2020 UTC