Bug #70084 segfault (general protection fault) in sub_function (zend_operators.c:957)
Submitted: 2015-07-15 17:23 UTC Modified: 2015-07-16 07:38 UTC
From: brian dot carpenter at gmail dot com Assigned: bwoebi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-15 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-15 17:23 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) I came across this script that causes a segfault (GPF) in sub_function (zend_operators.c:957). It also crashes PHP 5.4.41-0+deb7u1 due to a null ptr deref. If I run afl-tmin on this test case, it produces a similar script to the one in Sec Bug #70083, however this might be a different issue altogether.

3v4l.org throws this up for PHP 5.0.4:

Notice: Use of undefined constant Linteresting - assumed 'Linteresting' in /in/J4A60 on line 18

Fatal error: Unsupported operand types in /in/J4A60 on line 18
*** Error in `/bin/php-5.0.4': double free or corruption (fasttop): 0x0000000001e95f10 ***

Process exited with code 139.

Test script:
---------------
<?php

class wpq {
    private $unrenced;

    public functiOn __get($name) {
       return $this;~$name;
    }
}

function ret_assoc() {
    return array('foo' => 'bar);
$x = $wpq-Linteresti');
}

$wpq = new wpq;
$wpq->interesting =& ret_assoc();
$x = $wpq-Linteresting;
printf("%s\n", $x);

Expected result:
----------------
No crash.

Actual result:
--------------
Warning: Unexpected character in input:  '' (ASCII=17) state=0 in /home/geeknik/php-tmp/out/crashes/test89 on line 7
==11387== Invalid read of size 8
==11387==    at 0x15251FB: sub_function (zend_operators.c:957)
==11387==    by 0x181E7CA: ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (zend_vm_execute.h:37581)
==11387==    by 0x170A197: execute_ex (zend_vm_execute.h:409)
==11387==    by 0x18DD62A: zend_execute (zend_vm_execute.h:450)
==11387==    by 0x154769C: zend_execute_scripts (zend.c:1399)
==11387==    by 0x12F1217: php_execute_script (main.c:2475)
==11387==    by 0x18E44A4: do_cli (php_cli.c:971)
==11387==    by 0x4593A4: main (php_cli.c:1338)
==11387==  Address 0x7265746e694c2144 is not stack'd, malloc'd or (recently) free'd
==11387==
==11387==
==11387== Process terminating with default action of signal 11 (SIGSEGV)
==11387==  General Protection Fault
==11387==    at 0x15251FB: sub_function (zend_operators.c:957)
==11387==    by 0x181E7CA: ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (zend_vm_execute.h:37581)
==11387==    by 0x170A197: execute_ex (zend_vm_execute.h:409)
==11387==    by 0x18DD62A: zend_execute (zend_vm_execute.h:450)
==11387==    by 0x154769C: zend_execute_scripts (zend.c:1399)
==11387==    by 0x12F1217: php_execute_script (main.c:2475)
==11387==    by 0x18E44A4: do_cli (php_cli.c:971)
==11387==    by 0x4593A4: main (php_cli.c:1338)
Segmentation fault

Warning: Unexpected character in input:  '' (ASCII=17) state=0 in /home/geeknik/php-tmp/out/crashes/test89 on line 7

Program received signal SIGSEGV, Segmentation fault.
0x00000000015251fb in sub_function (result=0x7ffff6013130, op1=0x7ffff6013090, op2=op2@entry=0x7ffff6013120)
    at /home/geeknik/php-src/Zend/zend_operators.c:957
957                                             ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function);
(gdb) bt
#0  0x00000000015251fb in sub_function (result=0x7ffff6013130, op1=0x7ffff6013090,
    op2=op2@entry=0x7ffff6013120) at /home/geeknik/php-src/Zend/zend_operators.c:957
#1  0x000000000181e7cb in ZEND_SUB_SPEC_CV_TMPVAR_HANDLER (execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:37581
#2  0x000000000170a198 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:409
#3  0x00000000018dd62b in zend_execute (op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:450
#4  0x000000000154769d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1399
#5  0x00000000012f1218 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2475
#6  0x00000000018e44a5 in do_cli (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#7  0x00000000004593a5 in main (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x86     134
rbx            0x7ffff6013090   140737320661136
rcx            0x6      6
rdx            0x7ffff6013120   140737320661280
rsi            0x6      6
rdi            0x7ffff6013130   140737320661296
rbp            0x7ffff6013120   0x7ffff6013120
rsp            0x7fffffffac30   0x7fffffffac30
r8             0x8      8
r9             0x0      0
r10            0x7ffff60700a0   140737321042080
r11            0x7265746e694c2074       8243122710533382260
r12            0x7ffff6013130   140737320661296
r13            0x7fffffffac40   140737488333888
r14            0x1d26d94        30567828
r15            0x1d26dbc        30567868
rip            0x15251fb        0x15251fb <sub_function+4603>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


History

 [2015-07-16 06:05 UTC] laruence@php.net
this is not reproducible after #70083 is fixed.
 [2015-07-16 06:05 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-07-16 06:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-07-16 07:38 UTC] bwoebi@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: bwoebi
 [2015-07-16 07:38 UTC] bwoebi@php.net
No, that's just the same origin.
The bug had caused $this/$wpq to be freed too early… and hence everything that accesses it next will crash.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 14 15:01:30 2024 UTC