Bug #69905 null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER
Submitted: 2015-06-23 06:58 UTC Modified: 2015-06-23 12:11 UTC
From: brian dot carpenter at gmail dot com Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-06-23 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-06-23 06:58 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7 built from git source with AFL (http://lcamtuf.coredump.cx/afl/), I discovered a script that causes a null ptr deref and a segfault at ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (zend_vm_execute.h:19170).

Test script:
---------------
<?md5(0)[]--;

Expected result:
----------------
No crash. PHP 5.4.41-0+deb7u1 (cli) (built: May 22 2015 12:49:18) fails with the following:
PHP Warning:  md5() expects at least 1 parameter, 0 given in /home/geeknik/tmp/test.php on line 1

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
19170                   EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
(gdb) bt
#0  0x000000000187175b in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER (
    execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:19170
#1  0x0000000001703548 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#2  0x00000000018d3c0b in zend_execute (
    op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:447
#3  0x000000000154068d in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1389
#4  0x00000000012efaf8 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2475
#5  0x00000000018daa85 in do_cli (argc=2, argv=0x20509f0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:967
#6  0x0000000000458c15 in main (argc=2, argv=0x20509f0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1334
(gdb) i r
rax            0x0      0
rbx            0x7ffff6013030   140737320661040
rcx            0xc      12
rdx            0x1d19a40        30513728
rsi            0x14     20
rdi            0x7ffff60130a0   140737320661152
rbp            0x7ffff6013090   0x7ffff6013090
rsp            0x7fffffffacc0   0x7fffffffacc0
r8             0x0      0
r9             0x7ffff6070140   140737321042240
r10            0x7ffff606a040   140737321017408
r11            0x1      1
r12            0x7ffff6073480   140737321055360
r13            0x0      0
r14            0x0      0
r15            0x7ffff607f000   140737321103360
rip            0x187175b        0x187175b <ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER+1595>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

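The report above shows the opcode handler faulting while extracting the result zval pointer, with rax = 0 in the register dump, i.e. a null dereference after a dimension fetch for write on a function's return value (a string) combined with the append `[]` syntax. The C program below is an added example, not PHP's or the Zend Engine's code, that models that failure mode on a toy value type: a fetch-for-read/write helper that returns NULL when there is no writable slot, an unchecked post-decrement that dereferences the result (the buggy shape), and a checked variant that reports an error instead. Every name here (`value`, `fetch_dim_rw`, `post_dec_unchecked`, `post_dec_checked`, the scenario functions) is invented for the model; it does not reproduce Zend's real data structures or the fix in the commit referenced below.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy value type for the model. Names are invented; they are not Zend's. */
typedef enum { T_NULL, T_LONG, T_STRING, T_ARRAY } vtype;

typedef struct value {
    vtype type;
    long lval;             /* payload for T_LONG */
    const char *sval;      /* payload for T_STRING */
    struct value *elems;   /* backing storage for T_ARRAY, supplied by caller */
    size_t count, cap;     /* elements in use / capacity of elems */
} value;

/* Fetch an element of `container` for read/write. `dim == NULL` models the
 * unused dimension operand of `$x[]`, i.e. append a new slot. Returns NULL
 * when no writable slot exists: the container is a string or other scalar
 * (as the md5() return value is in the report), or the array is full. */
static value *fetch_dim_rw(value *container, const value *dim)
{
    if (container->type == T_NULL) {      /* null auto-vivifies to an array */
        container->type = T_ARRAY;
        container->count = 0;
    }
    if (container->type != T_ARRAY) {
        return NULL;                      /* `[]` is not a writable slot on a string */
    }
    if (dim == NULL) {                    /* append */
        if (container->count == container->cap) {
            return NULL;
        }
        value *slot = &container->elems[container->count++];
        slot->type = T_NULL;
        slot->lval = 0;
        return slot;
    }
    if (dim->type == T_LONG && dim->lval >= 0 &&
        (size_t)dim->lval < container->count) {
        return &container->elems[dim->lval];
    }
    return NULL;                          /* index out of range */
}

/* Buggy shape: the post-decrement trusts the fetched pointer. On a string
 * container this dereferences NULL, the same failure mode as the report. */
static long post_dec_unchecked(value *container, const value *dim)
{
    value *slot = fetch_dim_rw(container, dim);
    long old = slot->lval;                /* NULL dereference when the fetch failed */
    slot->lval = old - 1;
    return old;
}

/* Hardened shape: refuse to operate when there is no writable slot. Returns 0
 * and stores the pre-decrement value in *old_out on success, -1 on failure. */
static int post_dec_checked(value *container, const value *dim, long *old_out)
{
    value *slot = fetch_dim_rw(container, dim);
    if (slot == NULL) {
        fputs("error: cannot use [] or an index for writing on this value\n", stderr);
        return -1;
    }
    if (slot->type == T_NULL) {           /* a fresh slot decrements from 0 */
        slot->type = T_LONG;
        slot->lval = 0;
    }
    if (slot->type != T_LONG) {
        return -1;                        /* the model only decrements integers */
    }
    *old_out = slot->lval;
    slot->lval -= 1;
    return 0;
}

/* Scenario from the report: a string container (a constructed hash value) is
 * appended to with `[]` and post-decremented. The checked path returns -1. */
static int scenario_string_append(void)
{
    value s = { T_STRING, 0, "d41d8cd98f00b204e9800998ecf8427e", NULL, 0, 0 };
    long old = 0;
    return post_dec_checked(&s, NULL, &old);
}

/* Null container: becomes an array, a slot is appended and decremented from
 * 0 to -1. Returns the stored value. */
static long scenario_null_append(void)
{
    value storage[4];
    value a = { T_NULL, 0, NULL, storage, 0, 4 };
    long old = 0;
    if (post_dec_checked(&a, NULL, &old) != 0) {
        return 12345;                      /* not expected for this input */
    }
    return storage[0].lval;
}

/* Indexed decrement of an existing integer element 5 -> 4.
 * Returns old * 100 + new, i.e. 504. */
static long scenario_indexed(void)
{
    value storage[2] = { { T_LONG, 5, NULL, NULL, 0, 0 }, { T_NULL, 0, NULL, NULL, 0, 0 } };
    value a = { T_ARRAY, 0, NULL, storage, 1, 2 };
    value idx = { T_LONG, 0, NULL, NULL, 0, 0 };
    long old = 0;
    if (post_dec_checked(&a, &idx, &old) != 0) {
        return -1;
    }
    return old * 100 + storage[0].lval;
}

int main(void)
{
    value storage[1];
    value a = { T_NULL, 0, NULL, storage, 0, 1 };
    /* The unchecked variant is only safe when the fetch succeeds (null container). */
    printf("unchecked on null container: old=%ld\n", post_dec_unchecked(&a, NULL));
    printf("string container: %d\n", scenario_string_append());
    printf("null container: %ld\n", scenario_null_append());
    printf("indexed: %ld\n", scenario_indexed());
    return 0;
}
```

Calling `post_dec_unchecked` with the string container from `scenario_string_append` would crash the model exactly as the reporter's script crashes the interpreter; the hardened path turns the same input into an error return. A fuzzing triage check for this class of bug is therefore: does every consumer of a fetch-for-write result handle the failure value the fetch can produce?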
History
 [2015-06-23 12:11 UTC] tyrael@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: dmitry
 [2015-06-23 12:11 UTC] tyrael@php.net
dmitry, could you look into this please?
 [2015-06-23 13:32 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
 [2015-06-23 13:32 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7a01c44ab268820c2365798fde0fe010cf6c5e20
Log: Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)