Bug #70183 null pointer deref (segfault) in zend_eval_const_expr
Submitted: 2015-08-02 09:32 UTC Modified: 2015-08-02 20:31 UTC
From: hugh at allthethings dot co dot nz Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-08-02 (Git) OS: Linux
Private report: No CVE-ID: None
 [2015-08-02 09:32 UTC] hugh at allthethings dot co dot nz
Description:
------------
Found this using afl-fuzz, see http://lcamtuf.coredump.cx/afl/

To reproduce, compile PHP normally, then run ./sapi/cli/php with the test script
<?php [[][]] ?>
You should get a segfault.

Bisected this back to commit 52e9a772a33fe3fac17f99257c3c5cc767801f66 which is to do with bug #69832.

The test case requires an array construct with two array constructs in it. This created a ZEND_AST_DIM with only one child, the other being NULL. This created a null pointer dereference when checking that child.

I've created a patch that checks the children before dereferencing them.

Test script:
---------------
<?php [[][]] ?>


Expected result:
----------------
Fatal error: Cannot use [] for reading in /root/php-crash-tmin3 on line 1


Actual result:
--------------
(gdb) bt
#0  0x00000000005b4b36 in zend_eval_const_expr (ast_ptr=ast_ptr@entry=0x7ffff7074098) at /root/php-src/Zend/zend_compile.c:7377
#1  0x00000000005b50a4 in zend_try_ct_eval_array (result=0x7fffffffaf68, ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:5793
#2  0x00000000005bbd35 in zend_compile_array (result=0x7fffffffaf60, ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:6435
#3  0x00000000005b66df in zend_compile_expr (result=result@entry=0x7fffffffaf60, ast=ast@entry=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:7180
#4  0x00000000005be02f in zend_compile_stmt (ast=ast@entry=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:7068
#5  0x00000000005c0f95 in zend_compile_top_stmt (ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:6954
#6  zend_compile_top_stmt (ast=0x7ffff7074018) at /root/php-src/Zend/zend_compile.c:6949
#7  0x00000000005947fd in compile_file (file_handle=<optimized out>, type=<optimized out>) at Zend/zend_language_scanner.l:607
#8  0x00000000005d8e46 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /root/php-src/Zend/zend.c:1398
#9  0x00000000005668a0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd600) at /root/php-src/main/main.c:2475
#10 0x000000000067fc6b in do_cli (argc=2, argv=0xa8c780) at /root/php-src/sapi/cli/php_cli.c:971
#11 0x000000000041ed80 in main (argc=2, argv=0xa8c780) at /root/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0      0
rbx            0x7ffff7074078   140737337835640
rcx            0x7ffff7057188   140737337717128
rdx            0x1      1
rsi            0x0      0
rdi            0x7ffff7074088   140737337835656
rbp            0x7ffff7074098   0x7ffff7074098
rsp            0x7fffffffad40   0x7fffffffad40
r8             0x7c     124
r9             0x7ffff7000000   140737337360384
r10            0xfffffffffffffff        1152921504606846975
r11            0x180    384
r12            0x7ffff7074130   140737337835824
r13            0x1      1
r14            0x7fffffffaf68   140737488334696
r15            0x0      0
rip            0x5b4b36 0x5b4b36 <zend_eval_const_expr+1142>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x5b4b36 <zend_eval_const_expr+1142>:        cmpw   $0x40,(%rax)
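As an added illustration (not code from the report or from php-src), a toy C model of the AST shape the report describes: `[][]` yields a DIM node whose index child is NULL. The node layout, kind names, the in-place folding and both sample trees are assumptions made for the example; it places the pre-fix check that reads the NULL child's kind beside the guarded check from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of the AST behind bug #70183; kind names and layout are assumed, not Zend's. */
enum kind { K_ZVAL, K_ARRAY, K_DIM };
typedef struct node {
    enum kind kind;
    struct node *child[2]; /* K_ARRAY: [element, unused]; K_DIM: [container, index] */
} node;

/* Pre-fix check as the report describes it: reads ->kind of both children without a NULL
 * test, so the index-less "[]" form (child[1] == NULL) dereferences a null pointer. */
static bool dim_children_const_unguarded(const node *n) {
    return n->child[0]->kind == K_ZVAL && n->child[1]->kind == K_ZVAL;
}

/* Post-fix check from the patch: a missing child means the node cannot be folded. */
static bool dim_children_const_guarded(const node *n) {
    if (!n->child[0] || !n->child[1]) return false;
    return n->child[0]->kind == K_ZVAL && n->child[1]->kind == K_ZVAL;
}

/* Walk in the shape of zend_eval_const_expr: children first, then the kind check.
 * Folding is modelled by rewriting the node's kind to K_ZVAL in place. */
static void eval_const_expr(node **ast_ptr) {
    node *n = *ast_ptr;
    if (!n) return;                                 /* NULL subtree, e.g. the index of "[]" */
    if (n->kind == K_ARRAY) {
        eval_const_expr(&n->child[0]);
        if (!n->child[0] || n->child[0]->kind == K_ZVAL) n->kind = K_ZVAL; /* all-constant */
    } else if (n->kind == K_DIM) {
        eval_const_expr(&n->child[0]);
        eval_const_expr(&n->child[1]);
        if (dim_children_const_guarded(n)) n->kind = K_ZVAL; /* unguarded variant crashes here */
    }
}

/* Walks the tree and reports whether the root folded to a constant. */
static bool folds_to_const(node *root) { eval_const_expr(&root); return root->kind == K_ZVAL; }

/* Constructed inputs: the report's "[[][]]" and a well-formed "[[1][0]]". */
static node *crash_shape(void) {
    static node inner = { K_ARRAY, { NULL, NULL } };   /* the "[]" container */
    static node dim   = { K_DIM,   { &inner, NULL } }; /* "[][]": index child is NULL */
    static node outer = { K_ARRAY, { &dim, NULL } };
    return &outer;
}
static node *good_shape(void) {
    static node one = { K_ZVAL, { NULL, NULL } }, zero = { K_ZVAL, { NULL, NULL } };
    static node inner = { K_ARRAY, { &one, NULL } };
    static node dim   = { K_DIM,   { &inner, &zero } };
    static node outer = { K_ARRAY, { &dim, NULL } };
    return &outer;
}
```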


 [2015-08-02 09:38 UTC] hugh at allthethings dot co dot nz
Won't let me upload patch for some reason, says still private. See below.

Author: Hugh Davenport <hugh@allthethings.co.nz>
Date:   Sun Aug 2 05:35:25 2015 -0400

    Fix bug #70183 (null pointer deref (segfault) in zend_eval_const_expr)

diff --git a/Zend/tests/bug70183.phpt b/Zend/tests/bug70183.phpt
new file mode 100644
index 0000000..4b038fd
--- /dev/null
+++ b/Zend/tests/bug70183.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #70183 (null pointer deref (segfault) in zend_eval_const_expr)
+--FILE--
+<?php
+[[][]]
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for reading in %sbug70182.php on line 2
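Review bot: the --EXPECTF-- line names `%sbug70182.php` while the test file added is `Zend/tests/bug70183.phpt`, so the generated script will be `bug70183.php` and the literal `bug70182.php` in the pattern will not match; change it to `%sbug70183.php` so the test passes for the right reason.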
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 5d7eec2..0e9f478 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -7374,7 +7374,7 @@ void zend_eval_const_expr(zend_ast **ast_ptr) /* {{{ */
 
                        zend_eval_const_expr(&ast->child[0]);
                        zend_eval_const_expr(&ast->child[1]);
-                       if (ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
+                       if (!ast->child[0] || !ast->child[1] || ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
                                return;
                        }
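Review bot: the new `!ast->child[0] || !ast->child[1]` test comes after `zend_eval_const_expr(&ast->child[0]);` and `zend_eval_const_expr(&ast->child[1]);` have already been called on the same children, so it only prevents the crash if the callee tolerates a NULL `*ast_ptr` at entry; confirm that, or move the NULL test above the two recursive calls. A short comment explaining why a ZEND_AST_DIM child can be NULL here (the index-less `[]` form) would also help, since the surrounding code otherwise assumes two children.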
 [2015-08-02 15:36 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-08-02 15:36 UTC] ab@php.net
Patch applied in 2a1a8f9ea75d4c8c9c47c2a391113764b9d0639b. Btw not sure if it makes sense to file security bugs for some pre-release.

Thanks.
 [2015-08-02 17:23 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-08-02 19:23 UTC] hugh at allthethings dot co dot nz
Hey,

Thanks for the quick fix.

No worries about the security flag, wasn't sure. Started fuzzing on 5.6 as well, so hopefully more there :D.

Would any crashes count as security on pre-release?

Cheers,

Hugh
 [2015-08-02 19:25 UTC] hugh at allthethings dot co dot nz
I was basing the security flag off a similar one, like bug #68618
 [2015-08-02 20:26 UTC] ab@php.net
Hugh,

#68618 was switched to security after it turned out it is in a stable branch (5.6) as well. Any crash in a stable branch should be security. But a pre-release is explicitly not for production, so ATM - if it's a 7.0-only crash, no need for security. Once 7.0 is GA - yes, it's security in any case.

Thanks.
 [2015-08-02 20:31 UTC] hugh at allthethings dot co dot nz
Cool, makes sense. I've got a few more 7.0 ones to submit and some 5.6 ones as well. Changed fuzzing focus to 5.6 for a few days.
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of hugh@allthethings.co.nz
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2a1a8f9ea75d4c8c9c47c2a391113764b9d0639b
Log: Fixed bug #70183 null pointer deref (segfault) in zend_eval_const_expr
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of hugh@allthethings.co.nz
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2a1a8f9ea75d4c8c9c47c2a391113764b9d0639b
Log: Fixed bug #70183 null pointer deref (segfault) in zend_eval_const_expr
 