Bug #70895 null ptr deref and segfault (xbuf_format_converter (spprintf.c:744))
Submitted: 2015-11-11 20:51 UTC Modified: 2015-11-11 21:05 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0rc6 OS:
Private report: No CVE-ID:
 [2015-11-11 20:51 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Nov  8 2015 21:18:49) ( NTS ), I found a script that triggers a null ptr deref and subsequent segfault in xbuf_format_converter at spprintf.c:744.

Test script:
---------------
<?function i(){(0);}function m($f,$a){return array_map($f,0);}echo implode(m("",m("",("i"("",m("%n",("")))))));

Expected result:
----------------
No crash. PHP 5.4.45-0+deb7u2 (cli) (built: Oct 17 2015 08:26:31) returns the following:

PHP Parse error:  syntax error, unexpected '(' in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000001327717 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa790,
    is_char=is_char@entry=1 '\001', fmt=0x7ffff6073343 "n' not found or invalid function name",
    ap=0x7fffffffa8f0) at /home/geeknik/php-src/main/spprintf.c:744
744                                             *(va_arg(ap, int *)) = is_char? (int)((smart_string *)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) bt
#0  0x0000000001327717 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa790,
    is_char=is_char@entry=1 '\001', fmt=0x7ffff6073343 "n' not found or invalid function name",
    ap=0x7fffffffa8f0) at /home/geeknik/php-src/main/spprintf.c:744
#1  0x000000000132b5fc in vspprintf (pbuf=pbuf@entry=0x7fffffffa7f0, max_len=1024, format=<optimized out>,
    ap=<optimized out>) at /home/geeknik/php-src/main/spprintf.c:847
#2  0x000000000043c935 in php_error_cb (type=2,
    error_filename=0x7ffff6070068 "/home/geeknik/php-tmp/out/crashes/test00", error_lineno=1,
    format=<optimized out>, args=<optimized out>) at /home/geeknik/php-src/main/main.c:965
#3  0x0000000000446719 in zend_error (type=type@entry=2,
    format=0x7ffff6073300 "array_map() expects parameter 1 to be a valid callback, function '%n' not found or invalid function name") at /home/geeknik/php-src/Zend/zend.c:1164
#4  0x0000000000447c6c in zend_internal_type_error (throw_exception=0 '\000',
    format=format@entry=0x1d43cd0 "%s%s%s() expects parameter %d to be a valid callback, %s")
    at /home/geeknik/php-src/Zend/zend.c:1349
#5  0x0000000000448e74 in zend_wrong_callback_error (severity=severity@entry=2, num=num@entry=1,
    error=0x7ffff60700a0 "function '%n' not found or invalid function name")
    at /home/geeknik/php-src/Zend/zend_API.c:246
#6  0x00000000010cf5c7 in zif_array_map (execute_data=0x7ffff6013380, return_value=0x7ffff6013370)
    at /home/geeknik/php-src/ext/standard/array.c:5223
#7  0x0000000001793dd9 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7ffff60132f0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:586
#8  0x00000000017214c8 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:417
#9  0x00000000018f706b in zend_execute (op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:458
#10 0x00000000015654a1 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1428
#11 0x00000000013174b8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2471
#12 0x00000000018ff055 in do_cli (argc=2, argv=0x20789e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#13 0x0000000000468e35 in main (argc=2, argv=0x20789e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1345

%%%

==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164CB0E: zend_register_default_exception (zend_exceptions.c:862)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164CB0E: zend_register_default_exception (zend_exceptions.c:862)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164CF8D: zend_register_default_exception (zend_exceptions.c:880)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164CF8D: zend_register_default_exception (zend_exceptions.c:880)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D14F: zend_register_default_exception (zend_exceptions.c:884)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D14F: zend_register_default_exception (zend_exceptions.c:884)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D31E: zend_register_default_exception (zend_exceptions.c:888)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D31E: zend_register_default_exception (zend_exceptions.c:888)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D4EA: zend_register_default_exception (zend_exceptions.c:892)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x164D4EA: zend_register_default_exception (zend_exceptions.c:892)
==12033==    by 0x17059E5: zend_register_default_classes (zend_default_classes.c:34)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15EFD9E: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x16A351C: zend_register_generator_ce (zend_generators.c:1124)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Conditional jump or move depends on uninitialised value(s)
==12033==    at 0x15F013D: zend_hash_find (zend_hash.c:439)
==12033==    by 0x17157AC: zend_do_inheritance (zend_inheritance.c:602)
==12033==    by 0x158D21A: zend_register_internal_class_ex (zend_API.c:2662)
==12033==    by 0x16A351C: zend_register_generator_ce (zend_generators.c:1124)
==12033==    by 0x161A599: zm_startup_core (zend_builtin_functions.c:340)
==12033==    by 0x157E3D7: zend_startup_module_ex (zend_API.c:1829)
==12033==    by 0x15DB179: zend_hash_apply (zend_hash.c:1464)
==12033==    by 0x1582E65: zend_startup_modules (zend_API.c:1955)
==12033==    by 0x1314CE9: php_module_startup (main.c:2194)
==12033==    by 0x18FA824: php_cli_startup (php_cli.c:423)
==12033==    by 0x468287: main (php_cli.c:1325)
==12033==
==12033== Invalid write of size 4
==12033==    at 0x1327717: xbuf_format_converter (spprintf.c:744)
==12033==    by 0x132B5FB: vspprintf (spprintf.c:847)
==12033==    by 0x43C934: php_error_cb (main.c:965)
==12033==    by 0x446718: zend_error (zend.c:1164)
==12033==    by 0x447C6B: zend_internal_type_error (zend.c:1349)
==12033==    by 0x448E73: zend_wrong_callback_error (zend_API.c:246)
==12033==    by 0x10CF5C6: zif_array_map (array.c:5223)
==12033==    by 0x1793DD8: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==12033==    by 0x17214C7: execute_ex (zend_vm_execute.h:417)
==12033==    by 0x18F706A: zend_execute (zend_vm_execute.h:458)
==12033==    by 0x15654A0: zend_execute_scripts (zend.c:1428)
==12033==    by 0x13174B7: php_execute_script (main.c:2471)
==12033==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12033==
==12033==
==12033== Process terminating with default action of signal 11 (SIGSEGV)
==12033==  Access not within mapped region at address 0x0
==12033==    at 0x1327717: xbuf_format_converter (spprintf.c:744)
==12033==    by 0x132B5FB: vspprintf (spprintf.c:847)
==12033==    by 0x43C934: php_error_cb (main.c:965)
==12033==    by 0x446718: zend_error (zend.c:1164)
==12033==    by 0x447C6B: zend_internal_type_error (zend.c:1349)
==12033==    by 0x448E73: zend_wrong_callback_error (zend_API.c:246)
==12033==    by 0x10CF5C6: zif_array_map (array.c:5223)
==12033==    by 0x1793DD8: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==12033==    by 0x17214C7: execute_ex (zend_vm_execute.h:417)
==12033==    by 0x18F706A: zend_execute (zend_vm_execute.h:458)
==12033==    by 0x15654A0: zend_execute_scripts (zend.c:1428)
==12033==    by 0x13174B7: php_execute_script (main.c:2471)
==12033==  If you believe this happened as a result of a stack
==12033==  overflow in your program's main thread (unlikely but
==12033==  possible), you can try to increase the size of the
==12033==  main thread stack using the --main-stacksize= flag.
==12033==  The main thread stack size used in this run was 8388608.
Segmentation fault


History

 [2015-11-11 21:05 UTC] requinix@php.net
-Status: Open +Status: Verified -PHP Version: 7.0Git-2015-11-11 (Git) +PHP Version: 7.0.0rc6
 [2015-11-11 21:05 UTC] requinix@php.net
Or more simply, array_map("%n", 0). Affects 7.0 as well.

https://3v4l.org/WEBmg
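The pattern behind the crash, shown as an added example that is not part of the bug report or of php-src. The backtrace records frame #5 building the string "function '%n' not found or invalid function name" from the user-supplied callback name and frame #3 then receiving that text as the format argument of zend_error, so the formatter interprets the attacker-controlled "%n" and line 744 of spprintf.c stores the output length through a va_arg pointer nobody supplied (valgrind: "Invalid write of size 4 ... Address 0x0"). The stand-alone C below uses vsnprintf in place of xbuf_format_converter, renders the same message the vulnerable way and the hardened way, and uses "%%" as a harmless probe because a real "%n" on the vulnerable path is undefined behaviour; emit_error, render_callback_error_vulnerable, render_callback_error_safe and count_format_directives are names chosen for this example, and count_format_directives is a hypothetical guard, not something the PHP fix added.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for zend_error(): a variadic sink that treats its third
 * argument as a printf-style format. Without
 * __attribute__((format(printf, 3, 4))) the compiler cannot warn when a
 * non-literal string with no further arguments is passed here, which is
 * how a user-influenced string ends up being parsed as a format. */
static void emit_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (frames #5 -> #3 of the backtrace): the message that
 * already contains the callback name is passed as the FORMAT, so any '%'
 * directive inside the callback name is interpreted by the formatter. */
static const char *render_callback_error_vulnerable(char *out, size_t n, const char *cb)
{
    char msg[256];
    snprintf(msg, sizeof msg, "function '%s' not found or invalid function name", cb);
    emit_error(out, n, msg);          /* msg is user-influenced: format injection */
    return out;
}

/* Hardened shape: the assembled message travels as a "%s" ARGUMENT, so
 * '%' characters in the callback name are copied, never interpreted. */
static const char *render_callback_error_safe(char *out, size_t n, const char *cb)
{
    char msg[256];
    snprintf(msg, sizeof msg, "function '%s' not found or invalid function name", cb);
    emit_error(out, n, "%s", msg);    /* message is data, not format */
    return out;
}

/* Hypothetical guard for a fuzz harness or code review: count conversion
 * directives (a '%' not escaped as "%%") in text that is about to reach a
 * format parameter. Anything above zero in untrusted input is a red flag. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {            /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: a benign name, "%%" as a harmless probe showing
     * the formatter consumed a directive, and the "%n" from the report.
     * "%n" on the vulnerable path would write through an unsupplied
     * pointer, so it is only rendered through the safe path here. */
    const char *probes[] = { "foo", "%%", "%n" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int directives = count_format_directives(probes[i]);
        printf("callback %-4s directives=%d\n", probes[i], directives);
        printf("  safe:       %s\n", render_callback_error_safe(buf, sizeof buf, probes[i]));
        if (directives == 0)
            printf("  vulnerable: %s\n", render_callback_error_vulnerable(buf, sizeof buf, probes[i]));
        else
            printf("  vulnerable: (skipped: would interpret the directive)\n");
    }
    return 0;
}
```

With "%%" the vulnerable path prints `function '%' not found ...` while the safe path prints `function '%%' not found ...`: the single lost character is the evidence that the formatter parsed the callback name. The commits referenced below take the second shape, which is the standard remedy for any error or log routine that accepts a format: user-derived text is always an argument behind "%s", never part of the format itself.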
 [2015-11-12 00:44 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=93240102e0830802ca1b27ccabd9a899a1de7570
Log: refix bug #70895
 [2015-11-12 00:44 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2015-11-12 06:39 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=53c03115cfe81780f6ec5647b5d75f01fb8511f5
Log: Re-fixed #70895
 [2015-11-12 06:39 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c245fd7d91c6a2408b8d2bfb8e87b13816540687
Log: Revert "refix bug #70895"
 [2015-11-20 01:03 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=83bf7ec406dd96c3f4a9c34ba6c1ef96132ed9fa
Log: Re-fixed #70895
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=53c03115cfe81780f6ec5647b5d75f01fb8511f5
Log: Re-fixed #70895
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c245fd7d91c6a2408b8d2bfb8e87b13816540687
Log: Revert "refix bug #70895"
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=93240102e0830802ca1b27ccabd9a899a1de7570
Log: refix bug #70895
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 18:01:40 2017 UTC