[2015-10-24 21:21 UTC] nikic@php.net
-Status: Open
+Status: Closed
[2015-10-25 12:42 UTC] ab@php.net
[2016-07-20 11:35 UTC] davey@php.net
Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Oct 22 2015 08:22:38) ( NTS ) with
American Fuzzy Lop, I was able to trigger a null ptr deref and segfault.

Test script:
---------------
<?for(;;){?><?(-0)::$h;}

Expected result:
----------------
No crash. For example, PHP 5.4.45-0+deb7u1 fails with the following error:

PHP Parse error:  syntax error, unexpected '::' (T_PAAMAYIM_NEKUDOTAYIM) in /home/geeknik/php-tmp/out/crashes/test0 on line 1

Actual result:
--------------
valgrind -q ~/php-src/sapi/cli/php test0

==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164CEAE: zend_register_default_exception (zend_exceptions.c:862)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164CEAE: zend_register_default_exception (zend_exceptions.c:862)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D32D: zend_register_default_exception (zend_exceptions.c:880)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D32D: zend_register_default_exception (zend_exceptions.c:880)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D4EF: zend_register_default_exception (zend_exceptions.c:884)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D4EF: zend_register_default_exception (zend_exceptions.c:884)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D6BE: zend_register_default_exception (zend_exceptions.c:888)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D6BE: zend_register_default_exception (zend_exceptions.c:888)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D88A: zend_register_default_exception (zend_exceptions.c:892)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x164D88A: zend_register_default_exception (zend_exceptions.c:892)
==7684==    by 0x17059F5: zend_register_default_classes (zend_default_classes.c:34)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F013E: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x16A37AC: zend_register_generator_ce (zend_generators.c:1124)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Conditional jump or move depends on uninitialised value(s)
==7684==    at 0x15F04DD: zend_hash_find (zend_hash.c:439)
==7684==    by 0x17157BC: zend_do_inheritance (zend_inheritance.c:602)
==7684==    by 0x158D5DA: zend_register_internal_class_ex (zend_API.c:2662)
==7684==    by 0x16A37AC: zend_register_generator_ce (zend_generators.c:1124)
==7684==    by 0x161A939: zm_startup_core (zend_builtin_functions.c:340)
==7684==    by 0x157E797: zend_startup_module_ex (zend_API.c:1829)
==7684==    by 0x15DB519: zend_hash_apply (zend_hash.c:1460)
==7684==    by 0x1583225: zend_startup_modules (zend_API.c:1955)
==7684==    by 0x1314AD9: php_module_startup (main.c:2194)
==7684==    by 0x18F0C54: php_cli_startup (php_cli.c:423)
==7684==    by 0x468257: main (php_cli.c:1325)
==7684==
==7684== Invalid read of size 8
==7684==    at 0x1495EC6: zend_get_class_fetch_type (zend_compile.c:1322)
==7684==    by 0x14C6214: zend_compile_class_ref (zend_compile.c:2130)
==7684==    by 0x14CECA7: zend_compile_static_prop_common (zend_compile.c:2364)
==7684==    by 0x14CF253: zend_compile_static_prop (zend_compile.c:2392)
==7684==    by 0x14C241A: zend_compile_expr (zend_compile.c:7104)
==7684==    by 0x14BF62A: zend_compile_stmt (zend_compile.c:7073)
==7684==    by 0x14E106E: zend_compile_stmt_list (zend_compile.c:4340)
==7684==    by 0x14BF143: zend_compile_stmt (zend_compile.c:6985)
==7684==    by 0x14E7201: zend_compile_for (zend_compile.c:3853)
==7684==    by 0x14BFA67: zend_compile_stmt (zend_compile.c:7022)
==7684==    by 0x14E9665: zend_compile_top_stmt (zend_compile.c:6959)
==7684==    by 0x13E34F7: compile_file (zend_language_scanner.l:607)
==7684==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==7684==
==7684==
==7684== Process terminating with default action of signal 11 (SIGSEGV)
==7684==  Access not within mapped region at address 0x10
==7684==    at 0x1495EC6: zend_get_class_fetch_type (zend_compile.c:1322)
==7684==    by 0x14C6214: zend_compile_class_ref (zend_compile.c:2130)
==7684==    by 0x14CECA7: zend_compile_static_prop_common (zend_compile.c:2364)
==7684==    by 0x14CF253: zend_compile_static_prop (zend_compile.c:2392)
==7684==    by 0x14C241A: zend_compile_expr (zend_compile.c:7104)
==7684==    by 0x14BF62A: zend_compile_stmt (zend_compile.c:7073)
==7684==    by 0x14E106E: zend_compile_stmt_list (zend_compile.c:4340)
==7684==    by 0x14BF143: zend_compile_stmt (zend_compile.c:6985)
==7684==    by 0x14E7201: zend_compile_for (zend_compile.c:3853)
==7684==    by 0x14BFA67: zend_compile_stmt (zend_compile.c:7022)
==7684==    by 0x14E9665: zend_compile_top_stmt (zend_compile.c:6959)
==7684==    by 0x13E34F7: compile_file (zend_language_scanner.l:607)
==7684==  If you believe this happened as a result of a stack
==7684==  overflow in your program's main thread (unlikely but
==7684==  possible), you can try to increase the size of the
==7684==  main thread stack using the --main-stacksize= flag.
==7684==  The main thread stack size used in this run was 8388608.
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
zend_get_class_fetch_type (name=0x0) at /home/geeknik/php-src/Zend/zend_compile.c:1322
1322            if (zend_string_equals_literal_ci(name, "self")) {
(gdb) bt
#0  zend_get_class_fetch_type (name=0x0) at /home/geeknik/php-src/Zend/zend_compile.c:1322
#1  0x00000000014c6215 in zend_compile_class_ref (result=result@entry=0x7fffffffa740, name_ast=name_ast@entry=0x7ffff6077090, throw_exception=throw_exception@entry=1) at /home/geeknik/php-src/Zend/zend_compile.c:2130
#2  0x00000000014ceca8 in zend_compile_static_prop_common (result=0x7fffffffa870, ast=<optimized out>, type=type@entry=0, delayed=0) at /home/geeknik/php-src/Zend/zend_compile.c:2364
#3  0x00000000014cf254 in zend_compile_static_prop (result=<optimized out>, ast=<optimized out>, type=0, delayed=<optimized out>) at /home/geeknik/php-src/Zend/zend_compile.c:2392
#4  0x00000000014c241b in zend_compile_expr (result=result@entry=0x7fffffffa870, ast=ast@entry=0x7ffff60770b8) at /home/geeknik/php-src/Zend/zend_compile.c:7104
#5  0x00000000014bf62b in zend_compile_stmt (ast=0x7ffff60770b8) at /home/geeknik/php-src/Zend/zend_compile.c:7073
#6  0x00000000014e106f in zend_compile_stmt_list (ast=ast@entry=0x7ffff6077048) at /home/geeknik/php-src/Zend/zend_compile.c:4340
#7  0x00000000014bf144 in zend_compile_stmt (ast=ast@entry=0x7ffff6077048) at /home/geeknik/php-src/Zend/zend_compile.c:6985
#8  0x00000000014e7202 in zend_compile_for (ast=ast@entry=0x7ffff60770d0) at /home/geeknik/php-src/Zend/zend_compile.c:3853
#9  0x00000000014bfa68 in zend_compile_stmt (ast=ast@entry=0x7ffff60770d0) at /home/geeknik/php-src/Zend/zend_compile.c:7022
#10 0x00000000014e9666 in zend_compile_top_stmt (ast=0x7ffff60770d0) at /home/geeknik/php-src/Zend/zend_compile.c:6959
#11 zend_compile_top_stmt (ast=0x7ffff6077018) at /home/geeknik/php-src/Zend/zend_compile.c:6954
#12 0x00000000013e34f8 in compile_file (file_handle=<optimized out>, type=<optimized out>) at Zend/zend_language_scanner.l:607
#13 0x0000000000e95f50 in phar_compile_file (file_handle=0x7fffffffd270, type=8) at /home/geeknik/php-src/ext/phar/phar.c:3311
#14 0x0000000001565777 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1422
#15 0x00000000013172a8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270) at /home/geeknik/php-src/main/main.c:2471
#16 0x00000000018f5485 in do_cli (argc=2, argv=0x206d9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#17 0x0000000000468e05 in main (argc=2, argv=0x206d9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
(gdb) i r
rax            0x0      0
rbx            0x7fffffffa740   140737488332608
rcx            0x4      4
rdx            0x0      0
rsi            0x0      0
rdi            0x0      0
rbp            0x7ffff6077090   0x7ffff6077090
rsp            0x7fffffffa6c0   0x7fffffffa6c0
r8             0x4      4
r9             0x0      0
r10            0x0      0
r11            0x7ffff6b53fb0   140737332461488
r12            0x1      1
r13            0x0      0
r14            0x7ffff60770b8   140737321070776
r15            0x7fffffffa870   140737488332912
rip            0x1495ec6        0x1495ec6 <zend_get_class_fetch_type+86>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
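Added triage example (the editor's own code, not part of the bug report, of php-src, or of the fix that closed this ticket). It shows what the two diagnostics above tell a reader together: gdb reports `zend_get_class_fetch_type (name=0x0)` on the line `zend_string_equals_literal_ci(name, "self")`, and valgrind reports an 8-byte read at address 0x10. On a 64-bit PHP 7 build the first field that a length-first string compare touches is `zend_string.len`, which lies 16 bytes past the start of the struct, so a NULL `name` faults at exactly 0x10. The `zend_string` layout below is reconstructed from memory of `Zend/zend_types.h` and is an assumption (it matches LP64 builds; 32-bit offsets differ); `make_zstr`, `is_self_keyword`, `fault_addr_of` and `zend_string_field_at` are illustrative helpers with no counterpart in php-src, and the example makes no claim about why the compiler passed a NULL name in the first place.

```c
/* Added example: why "name=0x0" in zend_get_class_fetch_type() shows up as
 * a fault at address 0x10. Not php-src code; the struct mirrors the PHP 7
 * zend_string layout as an assumption (LP64). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct _zend_refcounted_h {
    uint32_t refcount;
    uint32_t type_info;
} zend_refcounted_h;

typedef struct _zend_string {
    zend_refcounted_h gc;   /* offset 0: refcount + type flags        */
    uint64_t          h;    /* offset 8: cached hash                  */
    size_t            len;  /* offset 16 (0x10): read first by compare */
    char              val[1];
} zend_string;

/* Heap-allocate a mirror zend_string from a C string (constructed input). */
static zend_string *make_zstr(const char *s) {
    size_t n = strlen(s);
    zend_string *z = malloc(offsetof(zend_string, val) + n + 1);
    if (!z) return NULL;
    z->gc.refcount = 1;
    z->gc.type_info = 0;
    z->h = 0;
    z->len = n;
    memcpy(z->val, s, n + 1);
    return z;
}

static int ci_equal_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Shape of the crashing call: s->len is dereferenced before anything else,
 * so s == NULL reads offsetof(zend_string, len) == 0x10. */
static int equals_literal_ci_unchecked(const zend_string *s, const char *lit) {
    return s->len == strlen(lit) && ci_equal_n(s->val, lit, s->len);
}

/* Hardened shape: refuse a missing name instead of faulting on it. */
static int equals_literal_ci(const zend_string *s, const char *lit) {
    if (s == NULL) return 0;
    return equals_literal_ci_unchecked(s, lit);
}

/* Compare a class name (or NULL, as in the report) against "self". */
static int is_self_keyword(const char *name_or_null) {
    zend_string *z = name_or_null ? make_zstr(name_or_null) : NULL;
    int r = equals_literal_ci(z, "self");
    free(z);
    return r;
}

/* Pull the address out of valgrind's "Access not within mapped region" line.
 * Returns (uintptr_t)-1 when the line carries no address. */
static uintptr_t fault_addr_of(const char *line) {
    const char *p = strstr(line, "at address 0x");
    unsigned long v;
    if (!p || sscanf(p + strlen("at address "), "%lx", &v) != 1) return (uintptr_t)-1;
    return (uintptr_t)v;
}

/* Map a small fault address (NULL plus a field offset) to the field it hits. */
static const char *zend_string_field_at(uintptr_t off) {
    if (off < offsetof(zend_string, h))   return "gc";
    if (off < offsetof(zend_string, len)) return "h";
    if (off < offsetof(zend_string, val)) return "len";
    if (off < 4096)                       return "val";
    return "not a NULL zend_string dereference";
}

int main(void) {
    /* Constructed copy of the valgrind line from the report above. */
    static const char line[] = "==7684==  Access not within mapped region at address 0x10";
    uintptr_t addr = fault_addr_of(line);
    printf("fault at 0x%lx -> zend_string.%s (offsetof len = %zu)\n",
           (unsigned long)addr, zend_string_field_at(addr), offsetof(zend_string, len));
    printf("is_self_keyword(\"SELF\") = %d, is_self_keyword(NULL) = %d\n",
           is_self_keyword("SELF"), is_self_keyword(NULL));
    return 0;
}
```

The fault address is the fastest classifier for a fuzzer-found SIGSEGV: an address below one page almost always means a NULL struct pointer plus a field offset, and matching the offset against the struct that the faulting frame dereferences (here `len` at 0x10) confirms the NULL pointer before you open the source.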