Bug #70898 SIGBUS/GPF zend_mm_alloc_small (zend_alloc.c:1291)
Submitted: 2015-11-12 03:34 UTC Modified: 2015-11-12 04:18 UTC
From: brian dot carpenter at gmail dot com Assigned: ab
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-11-12 (Git) OS:
Private report: No CVE-ID:
 [2015-11-12 03:34 UTC] brian dot carpenter at gmail dot com
Description:
------------
This might be related to #70895, which was just fixed; however, the crash points to a different location despite the test case similarities. Regardless, this was found while fuzzing PHP 7.1.0-dev (cli) (built: Nov 12 2015 01:37:06) ( NTS ) with American Fuzzy Lop.

Test script:
---------------
<?php function i(){(0);}function m($f,$a){return array_map($f,0);}echo implode(m("",m("",m("",m("",m("0000000000000000000000000000000000",("")))))));

Expected result:
----------------
No crash. PHP 5.4.45-0+deb7u2 (cli) (built: Oct 17 2015 08:26:31) returns the following:

PHP Warning:  array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
PHP Warning:  array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
PHP Warning:  array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
PHP Warning:  array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
PHP Warning:  array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
PHP Warning:  implode(): Argument must be an array in /home/geeknik/php-tmp/out/crashes/test00 on line 1


Actual result:
--------------
Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Program received signal SIGBUS, Bus error.
zend_mm_alloc_small (bin_num=8, heap=0x7ffff6000040, size=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
1291                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (bin_num=8, heap=0x7ffff6000040, size=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1358
#2  zend_mm_realloc_heap (heap=0x7ffff6000040, ptr=<optimized out>, size=<optimized out>,
    copy_size=<optimized out>) at /home/geeknik/php-src/Zend/zend_alloc.c:1454
#3  0x0000000001329805 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffaa10,
    is_char=is_char@entry=1 '\001', fmt=0x1cea044 "s: %s", ap=ap@entry=0x7fffffffaa50)
    at /home/geeknik/php-src/main/spprintf.c:818
#4  0x000000000132b7fc in vspprintf (pbuf=0x7fffffffab98, max_len=0, format=<optimized out>,
    ap=ap@entry=0x7fffffffaa50) at /home/geeknik/php-src/main/spprintf.c:847
#5  0x000000000132bc3a in spprintf (pbuf=pbuf@entry=0x7fffffffab98, max_len=max_len@entry=0,
    format=format@entry=0x1cea043 "%s: %s") at /home/geeknik/php-src/main/spprintf.c:871
#6  0x000000000043fed3 in php_verror (docref=0x7ffff6070100 "function.implode",
    params=params@entry=0x1d00f2f "", type=2, format=<optimized out>, args=args@entry=0x7fffffffac00)
    at /home/geeknik/php-src/main/main.c:855
#7  0x0000000000440b16 in php_error_docref0 (docref=<optimized out>, type=<optimized out>,
    format=<optimized out>) at /home/geeknik/php-src/main/main.c:896
#8  0x0000000001796b79 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7ffff6013030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:586
#9  0x0000000001722558 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:417
#10 0x00000000018f25eb in zend_execute (op_array=op_array@entry=0x7ffff607f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:458
#11 0x00000000015665e1 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1428
#12 0x00000000013176b8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2471
#13 0x00000000018fa5d5 in do_cli (argc=2, argv=0x20739e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#14 0x0000000000469035 in main (argc=2, argv=0x20739e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1345

%%%

valgrind -q ~/php-src/sapi/cli/php test00
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164DB9E: zend_register_default_exception (zend_exceptions.c:862)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164DB9E: zend_register_default_exception (zend_exceptions.c:862)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E01D: zend_register_default_exception (zend_exceptions.c:880)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E01D: zend_register_default_exception (zend_exceptions.c:880)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E1DF: zend_register_default_exception (zend_exceptions.c:884)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E1DF: zend_register_default_exception (zend_exceptions.c:884)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E3AE: zend_register_default_exception (zend_exceptions.c:888)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E3AE: zend_register_default_exception (zend_exceptions.c:888)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E57A: zend_register_default_exception (zend_exceptions.c:892)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x164E57A: zend_register_default_exception (zend_exceptions.c:892)
==19727==    by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x16A45AC: zend_register_generator_ce (zend_generators.c:1124)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==
==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F125D: zend_hash_find (zend_hash.c:439)
==19727==    by 0x171683C: zend_do_inheritance (zend_inheritance.c:602)
==19727==    by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682)
==19727==    by 0x16A45AC: zend_register_generator_ce (zend_generators.c:1124)
==19727==    by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340)
==19727==    by 0x157F517: zend_startup_module_ex (zend_API.c:1849)
==19727==    by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464)
==19727==    by 0x1583FA5: zend_startup_modules (zend_API.c:1975)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==    by 0x18F5DA4: php_cli_startup (php_cli.c:423)
==19727==    by 0x468487: main (php_cli.c:1325)
==19727==

Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1

Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1
==19727== Invalid read of size 8
==19727==    at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291)
==19727==    by 0x1329804: xbuf_format_converter (spprintf.c:818)
==19727==    by 0x132B7FB: vspprintf (spprintf.c:847)
==19727==    by 0x132BC39: spprintf (spprintf.c:871)
==19727==    by 0x43FED2: php_verror (main.c:855)
==19727==    by 0x440B15: php_error_docref0 (main.c:896)
==19727==    by 0x1796B78: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==19727==    by 0x1722557: execute_ex (zend_vm_execute.h:417)
==19727==    by 0x18F25EA: zend_execute (zend_vm_execute.h:458)
==19727==    by 0x15665E0: zend_execute_scripts (zend.c:1428)
==19727==    by 0x13176B7: php_execute_script (main.c:2471)
==19727==    by 0x18FA5D4: do_cli (php_cli.c:974)
==19727==  Address 0x2061206562206f74 is not stack'd, malloc'd or (recently) free'd
==19727==
==19727==
==19727== Process terminating with default action of signal 11 (SIGSEGV)
==19727==  General Protection Fault
==19727==    at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291)
==19727==    by 0x1329804: xbuf_format_converter (spprintf.c:818)
==19727==    by 0x132B7FB: vspprintf (spprintf.c:847)
==19727==    by 0x132BC39: spprintf (spprintf.c:871)
==19727==    by 0x43FED2: php_verror (main.c:855)
==19727==    by 0x440B15: php_error_docref0 (main.c:896)
==19727==    by 0x1796B78: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==19727==    by 0x1722557: execute_ex (zend_vm_execute.h:417)
==19727==    by 0x18F25EA: zend_execute (zend_vm_execute.h:458)
==19727==    by 0x15665E0: zend_execute_scripts (zend.c:1428)
==19727==    by 0x13176B7: php_execute_script (main.c:2471)
==19727==    by 0x18FA5D4: do_cli (php_cli.c:974)
Segmentation fault
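The gdb and valgrind output above is the raw material of fuzzing-crash triage, and the small helper below is an added example from the editor (it is not part of the bug report, of AFL, or of php-src) showing how such output is reduced to the facts a ticket needs: the signal, the top frame, whether the crash lands inside the allocator (`zend_mm_*`), the valgrind records that come from engine start-up rather than from the fuzzed script, and the faulting address decoded as bytes. The sample input is constructed from lines quoted in the report; the `php_module_startup` filter and the output field names are the helper's own choices, not anything the report or PHP defines. One thing the decoding shows that the report does not state: read little-endian, the valgrind address 0x2061206562206f74 is the ASCII text "to be a ", a fragment of the array_map() warning being formatted at the time, which is consistent with message text having been written over the free-list link that zend_alloc.c:1291 dereferences. That is an observation about the quoted address, not an analysis of the fix.

```python
import re

# Constructed sample input: excerpts of the gdb session and the valgrind run quoted
# in the report above, cut down to the lines the triage needs.
GDB_OUTPUT = r"""Program received signal SIGBUS, Bus error.
(gdb) bt
#0  zend_mm_alloc_small (bin_num=8, heap=0x7ffff6000040, size=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1358
#3  0x0000000001329805 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffaa10,
    is_char=is_char@entry=1 '\001', fmt=0x1cea044 "s: %s", ap=ap@entry=0x7fffffffaa50)
    at /home/geeknik/php-src/main/spprintf.c:818
"""
VALGRIND_OUTPUT = """==19727== Conditional jump or move depends on uninitialised value(s)
==19727==    at 0x15F0EBE: zend_hash_find (zend_hash.c:439)
==19727==    by 0x1314EE9: php_module_startup (main.c:2194)
==19727==
Warning: array_map() expects parameter 1 to be a valid callback in test00 on line 1
==19727== Invalid read of size 8
==19727==    at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291)
==19727==    by 0x1329804: xbuf_format_converter (spprintf.c:818)
==19727==  Address 0x2061206562206f74 is not stack'd, malloc'd or (recently) free'd
==19727==
==19727== Process terminating with default action of signal 11 (SIGSEGV)
==19727==  General Protection Fault
==19727==    at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291)
"""
GDB_SIGNAL_RE = re.compile(r"^Program received signal (\w+), ", re.M)
GDB_FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?(\w+) \(.*\) at (\S+):(\d+)$")
VG_PREFIX_RE = re.compile(r"^==\d+==")
VG_FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
VG_ADDR_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) ")

def parse_gdb(text):
    """Signal and 'bt' frames; gdb wraps long frames, so indented continuation lines
    are glued back onto their '#N' line before matching."""
    sig = GDB_SIGNAL_RE.search(text)
    joined, in_bt = [], False
    for line in text.splitlines():
        if line.startswith("(gdb) bt"):
            in_bt = True
        elif in_bt and line.startswith("#"):
            joined.append(line)
        elif in_bt and line.startswith(" ") and joined:
            joined[-1] += " " + line.strip()
    frames = [{"function": m.group(1), "file": m.group(2), "line": int(m.group(3))}
              for m in map(GDB_FRAME_RE.match, joined) if m]
    return {"signal": sig.group(1) if sig else None, "frames": frames}

def parse_valgrind(text):
    """Split a valgrind log into records (headline, frames, faulting address);
    lines without the ==pid== prefix, such as the script's own warnings, are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        if not VG_PREFIX_RE.match(raw):
            continue
        line = VG_PREFIX_RE.sub("", raw).strip()
        frame, addr = VG_FRAME_RE.match(line), VG_ADDR_RE.match(line)
        if cur and frame:
            cur["frames"].append({"function": frame.group(1), "location": frame.group(2)})
        elif cur and addr:
            cur["address"] = int(addr.group(1), 16)
        elif cur and line and not cur["frames"] and cur["address"] is None:
            cur["kind"] += " / " + line   # second headline line, e.g. "General Protection Fault"
        else:                             # blank line ends a record; any other text starts one
            if cur:
                records.append(cur)
            cur = {"kind": line, "frames": [], "address": None} if line else None
    if cur:
        records.append(cur)
    return records

def address_as_ascii(addr, width=8):
    """Decode a faulting address as little-endian bytes when every byte is printable
    ASCII: a 'pointer' made of text is the classic sign that string data was written
    over heap metadata (here a free-list link) by an adjacent overflow."""
    raw = addr.to_bytes(width, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage(gdb_text, valgrind_text):
    """Reduce both tools' output to the facts a crash ticket needs."""
    gdb, records = parse_gdb(gdb_text), parse_valgrind(valgrind_text)
    top = gdb["frames"][0] if gdb["frames"] else None
    fault = next((r for r in records if r["kind"].startswith("Invalid ")), None)
    # Reports whose stack runs through module startup are engine bring-up noise, not the script's doing.
    noise = [r for r in records if any(f["function"] == "php_module_startup" for f in r["frames"])]
    return {
        "signal": gdb["signal"],
        "top_frame": f"{top['function']} ({top['file'].rsplit('/', 1)[-1]}:{top['line']})" if top else None,
        "in_allocator": bool(top and top["function"].startswith("zend_mm_")),
        "fault_address": fault["address"] if fault else None,
        "address_text": address_as_ascii(fault["address"]) if fault and fault["address"] is not None else None,
        "startup_noise": len(noise),
        "script_errors": len(records) - len(noise),
    }

if __name__ == "__main__":
    for key, value in triage(GDB_OUTPUT, VALGRIND_OUTPUT).items():
        print(f"{key:14} {value!r}")
```

Run as a script it prints the triage dictionary for the embedded excerpts; pointing `parse_gdb` and `parse_valgrind` at a fresh gdb transcript and valgrind log from another AFL crash file works the same way, since only the regexes for the two tools' line formats are fixed. The start-up noise filter is what keeps the eleven "Conditional jump" reports in the full log above from being mistaken for findings against the test script.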

History

 [2015-11-12 04:18 UTC] laruence@php.net
-Assigned To: +Assigned To: ab
 [2015-11-12 06:19 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4e54f33ceb4ecce33397c867b45862af85c1fda
Log: Fixed bug #70898 (SIGBUS/GPF zend_mm_alloc_small (zend_alloc.c:1291))
 [2015-11-12 06:19 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-11-12 06:39 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75f85288f4f94f3a59f55da9edebec1d57e8df27
Log: Revert "Fixed bug #70898 (SIGBUS/GPF zend_mm_alloc_small (zend_alloc.c:1291))"
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75f85288f4f94f3a59f55da9edebec1d57e8df27
Log: Revert "Fixed bug #70898 (SIGBUS/GPF zend_mm_alloc_small (zend_alloc.c:1291))"
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4e54f33ceb4ecce33397c867b45862af85c1fda
Log: Fixed bug #70898 (SIGBUS/GPF zend_mm_alloc_small (zend_alloc.c:1291))
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC