php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70253 segfault at _efree () in zend_alloc.c:1389
Submitted: 2015-08-12 21:23 UTC Modified: 2015-08-13 04:17 UTC
From: brian dot carpenter at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-08-12 (Git) OS: Debian 7
Private report: No CVE-ID:
 [2015-08-12 21:23 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP built from Git source (PHP 7.0.0-dev (cli) (built: Aug 12 2015 14:47:41)), I found this script that causes a reproducible crash. According to 3v4l.org, it crashes PHP 5.6.7 through 7.0.0beta3 (and hhvm-3.3.1 - 3.8.1).

Test script:
---------------
<?php
class e{public	function p(){(0);}}$f=pack();$d=unserialize('a:2:{i:0;O:9:"000000000":10000000');for(;;);

Expected result:
----------------
No crash. PHP 5.4.41-0+deb7u1 (cli) (built: May 22 2015 12:49:18) does hang indefinitely though, but no crash.

Actual result:
--------------
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 4831838208 bytes) in /home/geeknik/php-tmp/out/fuzzer01/crashes/test00 on line 21
==3946== Invalid read of size 8
==3946==    at 0x132652E: zend_mm_free_heap (zend_alloc.c:1389)
==3946==    by 0x132652E: _efree (zend_alloc.c:2400)
==3946==    by 0x147E8B4: zend_array_destroy (zend_hash.c:1284)
==3946==    by 0x1597898: zend_object_std_dtor (zend_objects.c:60)
==3946==    by 0x15B287D: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==3946==    by 0x139EE62: shutdown_executor (zend_execute_API.c:356)
==3946==    by 0x140AC37: zend_deactivate (zend.c:969)
==3946==    by 0x11BC980: php_request_shutdown (main.c:1814)
==3946==    by 0x1802C3A: do_cli (php_cli.c:1139)
==3946==    by 0x43E670: main (php_cli.c:1338)
==3946==  Address 0xffffffffe6e00000 is not stack'd, malloc'd or (recently) free'd
==3946== 
==3946== 
==3946== Process terminating with default action of signal 11 (SIGSEGV)
==3946==  Access not within mapped region at address 0xFFFFFFFFE6E00000
==3946==    at 0x132652E: zend_mm_free_heap (zend_alloc.c:1389)
==3946==    by 0x132652E: _efree (zend_alloc.c:2400)
==3946==    by 0x147E8B4: zend_array_destroy (zend_hash.c:1284)
==3946==    by 0x1597898: zend_object_std_dtor (zend_objects.c:60)
==3946==    by 0x15B287D: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==3946==    by 0x139EE62: shutdown_executor (zend_execute_API.c:356)
==3946==    by 0x140AC37: zend_deactivate (zend.c:969)
==3946==    by 0x11BC980: php_request_shutdown (main.c:1814)
==3946==    by 0x1802C3A: do_cli (php_cli.c:1139)
==3946==    by 0x43E670: main (php_cli.c:1338)
==3946==  If you believe this happened as a result of a stack
==3946==  overflow in your program's main thread (unlikely but
==3946==  possible), you can try to increase the size of the
==3946==  main thread stack using the --main-stacksize= flag.
==3946==  The main thread stack size used in this run was 8388608.
Segmentation fault



Warning: pack() expects at least 1 parameter, 0 given in /home/geeknik/php-tmp/out/fuzzer01/crashes/test00-min on line 2

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 603979776 bytes) in /home/geeknik/php-tmp/out/fuzzer01/crashes/test00-min on line 2

Program received signal SIGSEGV, Segmentation fault.
_efree () at /home/geeknik/php-src/Zend/zend_alloc.c:1389
1389			ZEND_MM_CHECK(chunk->heap == heap, "zend_mm_heap corrupted");
(gdb) bt
#0  _efree () at /home/geeknik/php-src/Zend/zend_alloc.c:1389
#1  0x000000000147e8b5 in zend_array_destroy ()
#2  0x0000000001597899 in zend_object_std_dtor ()
#3  0x00000000015b287e in zend_objects_store_free_object_storage ()
#4  0x000000000139ee63 in shutdown_executor ()
#5  0x000000000140ac38 in zend_deactivate ()
#6  0x00000000011bc981 in php_request_shutdown ()
#7  0x0000000001802c3b in do_cli () at /home/geeknik/php-src/sapi/cli/php_cli.c:1139
#8  0x000000000043e671 in main () at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x7ffff6000040	140737320583232
rbx            0x7ffff605c900	140737320962304
rcx            0x7ffff6000070	140737320583280
rdx            0x5c	92
rsi            0x7ffff2000000	140737253474304
rdi            0x7ffff205c8e0	140737253853408
rbp            0x1000000	0x1000000
rsp            0x7fffffffba10	0x7fffffffba10
r8             0x1fd4ac0	33376960
r9             0x38	56
r10            0x7ffff6002000	140737320591360
r11            0x0	0
r12            0x4000000	67108864
r13            0x7ffff6002230	140737320591920
r14            0x1	1
r15            0x1fd5100	33378560
rip            0x132652e	0x132652e <_efree+238>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-13 04:15 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a089ce0cc6e0bade9bf94399a13bbd63448874b0
Log: Fixed bug #70258 and #70253
 [2015-08-13 04:17 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a089ce0cc6e0bade9bf94399a13bbd63448874b0
Log: Fixed bug #70258 and #70253
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a089ce0cc6e0bade9bf94399a13bbd63448874b0
Log: Fixed bug #70258 and #70253
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Jul 20 18:01:35 2017 UTC