Bug #68933 Invalid read of size 8 in zend_std_read_property
Submitted: 2015-01-28 13:04 UTC Modified: 2015-02-06 10:35 UTC
From: arjen at react dot com Assigned: ab
Status: Closed Package: Scripting Engine problem
PHP Version: master-Git-2015-01-28 (Git) OS: Linux
Private report: No CVE-ID:
 [2015-01-28 13:04 UTC] arjen at react dot com
Description:
------------
Running the complete testsuite with valgrind (USE_ZEND_ALLOC=0 valgrind --vgdb-error=1 --track-origins=yes --leak-check=full php-src/sapi/cli/php testsuite.php) gives the following error:

==27978== Invalid read of size 8
==27978==    at 0x97C7E7: zend_std_read_property (zend_object_handlers.c:540)
==27978==    by 0x9ACB6A: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13108)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x98EE83: zend_execute (zend_vm_execute.h:381)
==27978==    by 0x941C8C: zend_execute_scripts (zend.c:1271)
==27978==    by 0x8B8BEA: php_execute_script (main.c:2554)
==27978==    by 0x9E512E: do_cli (php_cli.c:982)
==27978==    by 0x9E60D7: main (php_cli.c:1361)
==27978==  Address 0xd34a220 is 480 bytes inside a block of size 576 free'd
==27978==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27978==    by 0x9121D8: _erealloc (zend_alloc.c:2219)
==27978==    by 0x9123D3: _safe_erealloc (zend_alloc.c:2257)
==27978==    by 0x953B41: zend_hash_do_resize (zend_hash.c:573)
==27978==    by 0x95296E: _zend_hash_add_or_update_i (zend_hash.c:299)
==27978==    by 0x952BFF: _zend_hash_add_new (zend_hash.c:343)
==27978==    by 0x97C54C: zend_get_property_guard (zend_object_handlers.c:490)
==27978==    by 0x97C73B: zend_std_read_property (zend_object_handlers.c:532)
==27978==    by 0x9ACB6A: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13108)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x92A5E8: zend_call_function (zend_execute_API.c:835)
==27978==    by 0x965853: zend_call_method (zend_interfaces.c:101)

After this error, another error is triggered which ends with a segfault:


==27978== Invalid write of size 8
==27978==    at 0x97C7F5: zend_std_read_property (zend_object_handlers.c:540)
==27978==    by 0x9ACB6A: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13108)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x98EE83: zend_execute (zend_vm_execute.h:381)
==27978==    by 0x941C8C: zend_execute_scripts (zend.c:1271)
==27978==    by 0x8B8BEA: php_execute_script (main.c:2554)
==27978==    by 0x9E512E: do_cli (php_cli.c:982)
==27978==    by 0x9E60D7: main (php_cli.c:1361)
==27978==  Address 0xd34a220 is 480 bytes inside a block of size 576 free'd
==27978==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27978==    by 0x9121D8: _erealloc (zend_alloc.c:2219)
==27978==    by 0x9123D3: _safe_erealloc (zend_alloc.c:2257)
==27978==    by 0x953B41: zend_hash_do_resize (zend_hash.c:573)
==27978==    by 0x95296E: _zend_hash_add_or_update_i (zend_hash.c:299)
==27978==    by 0x952BFF: _zend_hash_add_new (zend_hash.c:343)
==27978==    by 0x97C54C: zend_get_property_guard (zend_object_handlers.c:490)
==27978==    by 0x97C73B: zend_std_read_property (zend_object_handlers.c:532)
==27978==    by 0x9ACB6A: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13108)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x92A5E8: zend_call_function (zend_execute_API.c:835)
==27978==    by 0x965853: zend_call_method (zend_interfaces.c:101)
==27978== 
==27978== (action on error) vgdb me ... 

==27978== Invalid read of size 1
==27978==    at 0x41C7814: ???
==27978==    by 0x4EF798: _pcre_jit_exec (pcre_jit_compile.c:10433)
==27978==    by 0x4BC8A9: php_pcre_exec (pcre_exec.c:6487)
==27978==    by 0x4F265F: php_pcre_match_impl (php_pcre.c:679)
==27978==    by 0x4F225B: php_do_pcre_match (php_pcre.c:565)
==27978==    by 0x4F3445: zif_preg_match (php_pcre.c:895)
==27978==    by 0x98F788: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x92A5E8: zend_call_function (zend_execute_API.c:835)
==27978==    by 0x965853: zend_call_method (zend_interfaces.c:101)
==27978==    by 0x965F20: zend_user_it_rewind (zend_interfaces.c:242)
==27978==    by 0x9A823B: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11903)
==27978==  Address 0xffffffffffffffc4 is not stack'd, malloc'd or (recently) free'd
==27978== 
==27978== (action on error) vgdb me ... 
==27978== Continuing ...
==27978== 
==27978== Process terminating with default action of signal 11 (SIGSEGV)
==27978==  Access not within mapped region at address 0xFFFFFFFFFFFFFFC4
==27978==    at 0x41C7814: ???
==27978==    by 0x4EF798: _pcre_jit_exec (pcre_jit_compile.c:10433)
==27978==    by 0x4BC8A9: php_pcre_exec (pcre_exec.c:6487)
==27978==    by 0x4F265F: php_pcre_match_impl (php_pcre.c:679)
==27978==    by 0x4F225B: php_do_pcre_match (php_pcre.c:565)
==27978==    by 0x4F3445: zif_preg_match (php_pcre.c:895)
==27978==    by 0x98F788: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==27978==    by 0x98ED2A: execute_ex (zend_vm_execute.h:352)
==27978==    by 0x92A5E8: zend_call_function (zend_execute_API.c:835)
==27978==    by 0x965853: zend_call_method (zend_interfaces.c:101)
==27978==    by 0x965F20: zend_user_it_rewind (zend_interfaces.c:242)
==27978==    by 0x9A823B: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11903)


Test script:
---------------
No simple testcase available.

Expected result:
----------------
No memory errors or segfault.


History

 [2015-01-28 15:54 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-01-28 15:54 UTC] laruence@php.net
Where could I get the testsuite.php?
 [2015-01-29 14:15 UTC] arjen at react dot com
-Status: Feedback +Status: Open
 [2015-01-29 14:15 UTC] arjen at react dot com
Sorry, testsuite.php is an internal testsuite which I cannot provide.

I understand it's difficult to debug this without testcase. If I can provide anything which makes it easier to debug, please ask. I'll try to create a separate testcase, but I don't know if that's possible.
 [2015-01-30 13:11 UTC] arjen at react dot com
Took some time, but I've created a testcase!

See https://gist.github.com/arjenschol/3d94195ca51aa44db1c6

It happens when a guard is active and a new guard on the same object requires a hashtable resize. So you need to add some guards to trigger the resize.

That's for the first part. What causes the segfault in the php_pcre_exec part is unknown.
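The mechanism described in this comment, an active guard whose backing storage is moved when a later guard insertion grows the table, as an added example that is not part of the report or of php-src. It is a toy C model, not the Zend hash table: the types guard_t and guard_table_t, the function table_get_or_add and the generation counter are inventions of this example. It contrasts holding a raw pointer to the guard (the shape of the bug) with re-resolving the guard after any call that may insert (the shape of the fix, including the extra lookup discussed later in the thread).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added illustration for this thread, not code from php-src: a toy per-object
 * "property guard" table whose storage moves when it grows, and two ways a
 * caller can hold on to a guard while nested code may insert more guards.
 * guard_t, guard_table_t, table_get_or_add and the generation counter are
 * inventions of this example. */

#define NAME_MAX 16

typedef struct {
    char name[NAME_MAX];
    uint32_t in_get;      /* 1 while a __get for this property is in progress */
} guard_t;

typedef struct {
    guard_t *entries;     /* contiguous storage, replaced on every resize */
    size_t used, cap;
    unsigned generation;  /* bumped on each resize so callers can notice it */
} guard_table_t;

static void table_init(guard_table_t *t) {
    t->cap = 2; t->used = 0; t->generation = 0;
    t->entries = calloc(t->cap, sizeof(guard_t));
}

static void table_free(guard_table_t *t) { free(t->entries); t->entries = NULL; }

/* Find or insert the guard for `name` and return its index. An insertion
 * beyond capacity moves the whole array (like a hash table resize going
 * through realloc), which is what invalidates pointers obtained earlier. */
static size_t table_get_or_add(guard_table_t *t, const char *name) {
    for (size_t i = 0; i < t->used; i++)
        if (strcmp(t->entries[i].name, name) == 0) return i;
    if (t->used == t->cap) {
        guard_t *grown = calloc(t->cap * 2, sizeof(guard_t));
        memcpy(grown, t->entries, t->used * sizeof(guard_t));
        free(t->entries);                 /* old block is gone from here on */
        t->entries = grown;
        t->cap *= 2;
        t->generation++;
    }
    snprintf(t->entries[t->used].name, NAME_MAX, "%s", name);
    t->entries[t->used].in_get = 0;
    return t->used++;
}

/* Unsafe pattern (the shape of the bug): keep a raw pointer to the guard
 * across work that can insert more guards on the same object. Returns 1 when
 * the storage moved underneath the pointer, i.e. the next access through it
 * would be an "invalid read ... inside a block ... free'd". */
static int raw_pointer_goes_stale(void) {
    guard_table_t t; table_init(&t);
    guard_t *g = &t.entries[table_get_or_add(&t, "a")];
    g->in_get = 1;                        /* guard is now active */
    uintptr_t old_addr = (uintptr_t)g;    /* captured while g is still valid */
    unsigned gen = t.generation;
    table_get_or_add(&t, "b");            /* table is now at capacity */
    table_get_or_add(&t, "c");            /* forces the resize */
    int stale = (t.generation != gen) && (old_addr != (uintptr_t)t.entries);
    table_free(&t);
    return stale;                         /* 1: g dangles and must not be read */
}

/* Safe pattern (what the fix amounts to): hold the guard's identity rather
 * than its address, and resolve it again after anything that may insert.
 * That second lookup is the extra hash lookup discussed in the thread. */
static uint32_t reresolve_keeps_value(void) {
    guard_table_t t; table_init(&t);
    size_t idx = table_get_or_add(&t, "a");
    t.entries[idx].in_get = 1;
    table_get_or_add(&t, "b");
    table_get_or_add(&t, "c");            /* resize happens here */
    idx = table_get_or_add(&t, "a");      /* re-resolve: finds, does not insert */
    uint32_t v = t.entries[idx].in_get;   /* reads live memory: still 1 */
    table_free(&t);
    return v;
}

int main(void) {
    printf("raw pointer stale after resize: %d\n", raw_pointer_goes_stale());
    printf("re-resolved guard flag:         %u\n", reresolve_keeps_value());
    return 0;
}
```

Running it under valgrind would flag nothing, because the unsafe function deliberately stops short of dereferencing the stale pointer; the point is that any pointer into a growable table is only valid until the next insertion, so the guard must be re-looked-up (or referenced by a stable index) after any call that may add entries.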
 [2015-01-31 09:11 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2015-01-31 09:11 UTC] laruence@php.net
a fix could be: https://gist.github.com/laruence/31d0bbbef990bb548520

but this introduced a new hash lookup, which seems a little expensive...
 [2015-01-31 10:17 UTC] laruence@php.net
the first part must be fixed in: https://github.com/php/php-src/commit/1a60175e2595a24ebc3b6d80a112d574c6c98f58

thanks
 [2015-01-31 15:55 UTC] laruence@php.net
-Status: Assigned +Status: Feedback -Assigned To: dmitry +Assigned To: laruence
 [2015-01-31 15:55 UTC] laruence@php.net
could you verify whether the pcre segfault is still there?
 [2015-02-02 09:00 UTC] arjen at react dot com
-Status: Feedback +Status: Assigned
 [2015-02-02 09:00 UTC] arjen at react dot com
The error in zend_get_property_guard is fixed indeed!

pcre still crashes, but with a better message now:

vex amd64->IR: unhandled instruction bytes: 0x7 0x48 0xC1 0xE8 0x3 0x48 0xF 0xB6
vex amd64->IR:   REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
==11776== Invalid read of size 4
==11776==    at 0x41CD864: ???
==11776==    by 0x4EFAF2: _pcre_jit_exec (pcre_jit_compile.c:10433)
==11776==    by 0x4BCC03: php_pcre_exec (pcre_exec.c:6487)
==11776==    by 0x4F29B9: php_pcre_match_impl (php_pcre.c:679)
==11776==    by 0x4F25B5: php_do_pcre_match (php_pcre.c:565)
==11776==    by 0x4F379F: zif_preg_match (php_pcre.c:895)
==11776==    by 0x990F08: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==11776==    by 0x9904AA: execute_ex (zend_vm_execute.h:352)
==11776==    by 0x92BD5F: zend_call_function (zend_execute_API.c:835)
==11776==    by 0x966ED9: zend_call_method (zend_interfaces.c:101)
==11776==    by 0x9675A6: zend_user_it_rewind (zend_interfaces.c:242)
==11776==    by 0x9A99BB: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11905)
==11776==  Address 0xc5f13ad is 3 bytes before a block of size 4 alloc'd
==11776==    at 0x4C29F90: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11776==    by 0x91385C: _emalloc (zend_alloc.c:2197)
==11776==    by 0x92F164: init_op_array (zend_opcode.c:55)
==11776==    by 0x920119: zend_compile_func_decl (zend_compile.c:4221)
==11776==    by 0x926009: zend_compile_stmt (zend_compile.c:6241)
==11776==    by 0x91EAA9: zend_compile_stmt_list (zend_compile.c:3791)
==11776==    by 0x925ED2: zend_compile_stmt (zend_compile.c:6185)
==11776==    by 0x92124D: zend_compile_class_decl (zend_compile.c:4627)
==11776==    by 0x926047: zend_compile_stmt (zend_compile.c:6253)
==11776==    by 0x925CB5: zend_compile_top_stmt (zend_compile.c:6163)
==11776==    by 0x925C97: zend_compile_top_stmt (zend_compile.c:6158)
==11776==    by 0x8F239F: compile_file (zend_language_scanner.l:598)
==11776== 
==11776== Invalid read of size 4
==11776==    at 0x41CD867: ???
==11776==    by 0x4EFAF2: _pcre_jit_exec (pcre_jit_compile.c:10433)
==11776==    by 0x4BCC03: php_pcre_exec (pcre_exec.c:6487)
==11776==    by 0x4F29B9: php_pcre_match_impl (php_pcre.c:679)
==11776==    by 0x4F25B5: php_do_pcre_match (php_pcre.c:565)
==11776==    by 0x4F379F: zif_preg_match (php_pcre.c:895)
==11776==    by 0x990F08: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==11776==    by 0x9904AA: execute_ex (zend_vm_execute.h:352)
==11776==    by 0x92BD5F: zend_call_function (zend_execute_API.c:835)
==11776==    by 0x966ED9: zend_call_method (zend_interfaces.c:101)
==11776==    by 0x9675A6: zend_user_it_rewind (zend_interfaces.c:242)
==11776==    by 0x9A99BB: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11905)
==11776==  Address 0xc5f13a7 is 9 bytes before a block of size 4 alloc'd
==11776==    at 0x4C29F90: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11776==    by 0x91385C: _emalloc (zend_alloc.c:2197)
==11776==    by 0x92F164: init_op_array (zend_opcode.c:55)
==11776==    by 0x920119: zend_compile_func_decl (zend_compile.c:4221)
==11776==    by 0x926009: zend_compile_stmt (zend_compile.c:6241)
==11776==    by 0x91EAA9: zend_compile_stmt_list (zend_compile.c:3791)
==11776==    by 0x925ED2: zend_compile_stmt (zend_compile.c:6185)
==11776==    by 0x92124D: zend_compile_class_decl (zend_compile.c:4627)
==11776==    by 0x926047: zend_compile_stmt (zend_compile.c:6253)
==11776==    by 0x925CB5: zend_compile_top_stmt (zend_compile.c:6163)
==11776==    by 0x925C97: zend_compile_top_stmt (zend_compile.c:6158)
==11776==    by 0x8F239F: compile_file (zend_language_scanner.l:598)
==11776== 
==11776== valgrind: Unrecognised instruction at address 0x41cd86b.
==11776==    at 0x41CD86B: ???
==11776==    by 0x4EFAF2: _pcre_jit_exec (pcre_jit_compile.c:10433)
==11776==    by 0x4BCC03: php_pcre_exec (pcre_exec.c:6487)
==11776==    by 0x4F29B9: php_pcre_match_impl (php_pcre.c:679)
==11776==    by 0x4F25B5: php_do_pcre_match (php_pcre.c:565)
==11776==    by 0x4F379F: zif_preg_match (php_pcre.c:895)
==11776==    by 0x990F08: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==11776==    by 0x9904AA: execute_ex (zend_vm_execute.h:352)
==11776==    by 0x92BD5F: zend_call_function (zend_execute_API.c:835)
==11776==    by 0x966ED9: zend_call_method (zend_interfaces.c:101)
==11776==    by 0x9675A6: zend_user_it_rewind (zend_interfaces.c:242)
==11776==    by 0x9A99BB: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11905)


But most of the time:

==12443== Invalid read of size 1
==12443==    at 0x41C7814: ???
==12443==    by 0x4EFAF2: _pcre_jit_exec (pcre_jit_compile.c:10433)
==12443==    by 0x4BCC03: php_pcre_exec (pcre_exec.c:6487)
==12443==    by 0x4F29B9: php_pcre_match_impl (php_pcre.c:679)
==12443==    by 0x4F25B5: php_do_pcre_match (php_pcre.c:565)
==12443==    by 0x4F379F: zif_preg_match (php_pcre.c:895)
==12443==    by 0x990F08: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==12443==    by 0x9904AA: execute_ex (zend_vm_execute.h:352)
==12443==    by 0x92BD5F: zend_call_function (zend_execute_API.c:835)
==12443==    by 0x966ED9: zend_call_method (zend_interfaces.c:101)
==12443==    by 0x9675A6: zend_user_it_rewind (zend_interfaces.c:242)
==12443==    by 0x9A99BB: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11905)
==12443==  Address 0xffffffffffffffc4 is not stack'd, malloc'd or (recently) free'd
==12443== 
==12443== 
==12443== Process terminating with default action of signal 11 (SIGSEGV)
==12443==  Access not within mapped region at address 0xFFFFFFFFFFFFFFC4
==12443==    at 0x41C7814: ???
==12443==    by 0x4EFAF2: _pcre_jit_exec (pcre_jit_compile.c:10433)
==12443==    by 0x4BCC03: php_pcre_exec (pcre_exec.c:6487)
==12443==    by 0x4F29B9: php_pcre_match_impl (php_pcre.c:679)
==12443==    by 0x4F25B5: php_do_pcre_match (php_pcre.c:565)
==12443==    by 0x4F379F: zif_preg_match (php_pcre.c:895)
==12443==    by 0x990F08: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==12443==    by 0x9904AA: execute_ex (zend_vm_execute.h:352)
==12443==    by 0x92BD5F: zend_call_function (zend_execute_API.c:835)
==12443==    by 0x966ED9: zend_call_method (zend_interfaces.c:101)
==12443==    by 0x9675A6: zend_user_it_rewind (zend_interfaces.c:242)
==12443==    by 0x9A99BB: ZEND_FE_RESET_SPEC_VAR_HANDLER (zend_vm_execute.h:11905)
 [2015-02-02 15:03 UTC] arjen at react dot com
Looks like the pcre memory error/segfault is fixed by upgrading the bundled pcre library to 8.36 (currently 8.35).

Could you upgrade the bundled pcre lib?
 [2015-02-04 13:13 UTC] arjen at react dot com
See https://github.com/php/php-src/pull/1047
 [2015-02-05 02:07 UTC] pajoye@php.net
-Assigned To: laruence +Assigned To: ab
 [2015-02-05 02:07 UTC] pajoye@php.net
@anatol can you take a look at it pls?
 [2015-02-06 10:35 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2015-02-06 10:35 UTC] ab@php.net
Ok, looks fine so I've merged it. With that, the second part of this ticket is done, thus closing.

Btw. wondering whether we should already start with integrating PCRE2 into master.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Jun 28 01:01:41 2017 UTC