Bug #69755 30 byte script causes php-cgi segfault in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER
Submitted: 2015-06-04 02:14 UTC Modified: 2015-06-04 04:15 UTC
From: brian dot carpenter at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-06-04 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-06-04 02:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
This bug was found with American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/).

I pulled down the latest git source today, built it as follows (64-bit):
CC=afl-gcc ./configure
AFL_HARDEN=1 make -j8

System Info: Debian 3.2.68-1+deb7u1 x86_64, gcc 4.9.2, libc 2.13.38+deb7u8

Test script:
---------------
<?php
$j=t.(0);r();$q=<<<H
H;

Expected result:
----------------
No crash as in PHP 5.4.39-0+deb7u2 (cli) where it fails with the following message:

PHP Notice: Use of undefined constant t - assumed 't' in test on line2
PHP Fatal error: Call to undefined function r() in test on line 2

Actual result:
--------------
vex amd64->IR: unhandled instruction bytes: 0xF3 0x4D 0xF 0xBC 0xE4 0x45 0x1 0xC4
==27258== valgrind: Unrecognised instruction at address 0x13176da.
==27258==    at 0x13176DA: zend_mm_alloc_pages (zend_alloc.c:483)
==27258==    by 0x13194BC: zend_mm_alloc_small_slow (zend_alloc.c:1190)
==27258==    by 0x155CFA3: virtual_cwd_startup (zend_virtual_cwd.c:431)
==27258==    by 0x141079C: zend_startup (zend.c:640)
==27258==    by 0x11C4C38: php_module_startup (main.c:2066)
==27258==    by 0x181421C: php_cgi_startup (cgi_main.c:915)
==27258==    by 0x43B45C: main (cgi_main.c:1894)
==27258== Your program just tried to execute an instruction that Valgrind
==27258== did not recognise.  There are two possible reasons for this.
==27258== 1. Your program has a bug and erroneously jumped to a non-code
==27258==    location.  If you are running Memcheck and you just saw a
==27258==    warning about a bad jump, it's probably your program's fault.
==27258== 2. The instruction is legitimate but Valgrind doesn't handle it,
==27258==    i.e. it's Valgrind's fault.  If you think this is the case or
==27258==    you are not sure, please let us know and we'll try to fix it.
==27258== Either way, Valgrind will now raise a SIGILL signal which will
==27258== probably kill your program.
==27258== 
==27258== Process terminating with default action of signal 4 (SIGILL)
==27258==  Illegal opcode at address 0x13176DA
==27258==    at 0x13176DA: zend_mm_alloc_pages (zend_alloc.c:483)
==27258==    by 0x13194BC: zend_mm_alloc_small_slow (zend_alloc.c:1190)
==27258==    by 0x155CFA3: virtual_cwd_startup (zend_virtual_cwd.c:431)
==27258==    by 0x141079C: zend_startup (zend.c:640)
==27258==    by 0x11C4C38: php_module_startup (main.c:2066)
==27258==    by 0x181421C: php_cgi_startup (cgi_main.c:915)
==27258==    by 0x43B45C: main (cgi_main.c:1894)
Illegal instruction

Program received signal SIGSEGV, Segmentation fault.
0x00000000016bd874 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER ()
(gdb) bt
#0  0x00000000016bd874 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER ()
#1  0x00000000015e0313 in execute_ex ()
#2  0x00000000017ff745 in zend_execute ()
#3  0x0000000001415a9c in zend_execute_scripts ()
#4  0x00000000011c8510 in php_execute_script ()
#5  0x00000000004426c1 in main () at /home/geeknik/php-src/sapi/cgi/cgi_main.c:2445
(gdb) i r
rax            0x7ffff6013030	140737320661040
rbx            0x7ffff60130b0	140737320661168
rcx            0x7ffff6000080	140737320583296
rdx            0x7ffff6076030	140737321066544
rsi            0x1c2dbc0	29547456
rdi            0x7ffff6063000	140737320988672
rbp            0x1	0x1
rsp            0x7fffffff93e0	0x7fffffff93e0
r8             0x6e696d2d303074	31078165068656756
r9             0x50	80
r10            0x7ffff60630a0	140737320988832
r11            0x7ffff6b54730	140737332463408
r12            0x7ffff60550a0	140737320931488
r13            0x0	0
r14            0x7ffff6013030	140737320661040
r15            0x7ffff6071100	140737321046272
rip            0x16bd874	0x16bd874 <ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER+372>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
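A small triage helper, added here and not part of the bug report or of php-src: it parses the gdb `bt` and Valgrind frame formats quoted above into a stack signature so that fuzzer crashes landing in the same handler can be bucketed together, and it flags Valgrind's own "Unrecognised instruction" stop (the first half of the output above), which Valgrind reports about itself, separately from a signal raised by the target. The sample inputs are copied from this report; the function names are my own.

```python
import hashlib
import re

# Constructed samples: the gdb and Valgrind output quoted in Bug #69755.
GDB_SAMPLE = """\
Program received signal SIGSEGV, Segmentation fault.
0x00000000016bd874 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER ()
(gdb) bt
#0  0x00000000016bd874 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER ()
#1  0x00000000015e0313 in execute_ex ()
#2  0x00000000017ff745 in zend_execute ()
#3  0x0000000001415a9c in zend_execute_scripts ()
#4  0x00000000011c8510 in php_execute_script ()
#5  0x00000000004426c1 in main () at /home/geeknik/php-src/sapi/cgi/cgi_main.c:2445
"""
VALGRIND_SAMPLE = """\
==27258== valgrind: Unrecognised instruction at address 0x13176da.
==27258==    at 0x13176DA: zend_mm_alloc_pages (zend_alloc.c:483)
==27258==    by 0x13194BC: zend_mm_alloc_small_slow (zend_alloc.c:1190)
==27258==    by 0x155CFA3: virtual_cwd_startup (zend_virtual_cwd.c:431)
==27258== Process terminating with default action of signal 4 (SIGILL)
"""
# gdb: "#N  0xADDR in func () [at file:line]"; Valgrind: "==PID==  at|by 0xADDR: func (file:line)"
GDB_FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (\w+) \(\)(?: at (\S+))?", re.I)
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9a-f]+: (\w+) \((\S+)\)", re.I)
SIGNAL = re.compile(r"signal (?:\d+ \()?(SIG[A-Z]+)")

def parse_frames(text):
    """Return [(function, file:line or None), ...], innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = GDB_FRAME.match(line) or VG_FRAME.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))
    return frames

def crash_signal(text):
    """Signal name as reported by gdb or Valgrind, or UNKNOWN if none is found."""
    m = SIGNAL.search(text)
    return m.group(1) if m else "UNKNOWN"

def is_valgrind_limitation(text):
    """True when Valgrind stopped because it could not decode an instruction, not because the target faulted."""
    return "Unrecognised instruction" in text

def signature(text, depth=3):
    """Stable bucket id built from the signal and the top `depth` frames, plus those frames."""
    funcs = [f for f, _ in parse_frames(text)][:depth]
    key = crash_signal(text) + "|" + "|".join(funcs)
    return hashlib.sha256(key.encode()).hexdigest()[:12], funcs
```

Feed each crash's gdb or Valgrind output to `signature()` and group by the returned id; crashes for which `is_valgrind_limitation()` is true should be re-run natively under gdb before being counted.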

History

 [2015-06-04 02:19 UTC] brian dot carpenter at gmail dot com
I was able to further reduce the test case to 27 bytes:

<?php
$j=c.(0);$q=<<<H
H
 [2015-06-04 02:22 UTC] brian dot carpenter at gmail dot com
This 11-byte example causes the same crash:

<?+"".W."";
 [2015-06-04 04:15 UTC] reeze@php.net
-Assigned To: +Assigned To: dmitry
 [2015-06-04 04:16 UTC] reeze@php.net
Simple repro script:

<?php
c . 10;
 [2015-06-04 06:39 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=adb5f93f8514fc588a4d6740eaf1fea8b261bbb6
Log: Fixed bug #69755 (segfault in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER)
 [2015-06-04 06:39 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=adb5f93f8514fc588a4d6740eaf1fea8b261bbb6
Log: Fixed bug #69755 (segfault in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER)