Bug #71005 Segfault in php_cli_server_dispatch_router()
Submitted: 2015-12-01 00:44 UTC Modified: 2015-12-01 00:57 UTC
From: aharvey@php.net Assigned: aharvey
Status: Closed Package: Built-in web server
PHP Version: 7.0Git-2015-12-01 (Git) OS: Probably irrelevant (OSX; Linux)
Private report: No CVE-ID:
 [2015-12-01 00:44 UTC] aharvey@php.net
Description:
------------
Using a router script that handles an exception with set_exception_handler() results in an invalid read occurring in php_cli_server_dispatch_router() when it attempts to destroy the retval.

PHP was built with --disable-all --enable-debug, then run with "php -S 0.0.0.0:8888 /tmp/test.php" (test.php is provided as the test script below), then curl was used to poke the router script via "curl http://localhost:8888/".

The segfault isn't totally reliable (I've seen it on both OS X 10.11.1 and Ubuntu 15.10, but not completely consistently on either), but the valgrind output is, and is pasted below:

==22135== Memcheck, a memory error detector
==22135== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22135== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22135== Command: ./sapi/cli/php -S 0.0.0.0:8888 /tmp/test.php
==22135==
PHP 7.0.1-dev Development Server started at Tue Dec  1 00:41:00 2015
Listening on http://0.0.0.0:8888
Document root is /home/vagrant/php-src/7.0
Press Ctrl-C to quit.
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xD11824: php_cli_server_dispatch_router (php_cli_server.c:2054)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF14D7: i_zval_ptr_dtor (zend_variables.h:56)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF15AE: zval_delref_p (zend_types.h:826)
==22135==    by 0xBF14E5: i_zval_ptr_dtor (zend_variables.h:57)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xBF15DF: zval_delref_p (zend_types.h:827)
==22135==    by 0xBF14E5: i_zval_ptr_dtor (zend_variables.h:57)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF66A4: gc_check_possible_root (zend_gc.h:134)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF66D4: gc_check_possible_root (zend_gc.h:135)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xBF66E1: gc_check_possible_root (zend_gc.h:135)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xC4DC3A: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xC4DC4E: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==
php: /home/vagrant/php-src/7.0/Zend/zend_gc.c:226: void gc_possible_root(zend_refcounted *): Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed.
==22135==
==22135== Process terminating with default action of signal 6 (SIGABRT)
==22135==    at 0xA88E267: raise (raise.c:55)
==22135==    by 0xA88FEC9: abort (abort.c:89)
==22135==    by 0xA88703C: __assert_fail_base (assert.c:92)
==22135==    by 0xA8870F1: __assert_fail (assert.c:101)
==22135==    by 0xC4DC81: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==
==22135== HEAP SUMMARY:
==22135==     in use at exit: 2,405,356 bytes in 23,054 blocks
==22135==   total heap usage: 29,250 allocs, 6,196 frees, 3,120,371 bytes allocated
==22135==
==22135== LEAK SUMMARY:
==22135==    definitely lost: 0 bytes in 0 blocks
==22135==    indirectly lost: 0 bytes in 0 blocks
==22135==      possibly lost: 1,673,791 bytes in 18,116 blocks
==22135==    still reachable: 731,565 bytes in 4,938 blocks
==22135==         suppressed: 0 bytes in 0 blocks
==22135== Rerun with --leak-check=full to see details of leaked memory
==22135==
==22135== For counts of detected and suppressed errors, rerun with: -v
==22135== Use --track-origins=yes to see where uninitialised values come from
==22135== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 0 from 0)
Aborted (core dumped)

Test script:
---------------
<?php

set_exception_handler(function () {});

throw new Exception;
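
The mechanism behind the report, as an added example that is not PHP's code: a small C model of an out-parameter the callee leaves unwritten on the handled-exception path, with the buggy caller shape (tag trusted as-is) beside the hardened one (slot marked UNDEF before the call). The zv struct, run_router, dtor, dispatch and scenario are simplified stand-ins assumed for illustration; the stale tag 0x5a5a is constructed.

```c
/* Minimal stand-in for a zval: only the type tag matters for this bug. */
enum { T_UNDEF = 0, T_FALSE = 2, T_TRUE = 3 };
typedef struct { int type; } zv;
/* Model of zend_execute_scripts() running the router script. When the script
 * throws and a set_exception_handler() callback swallows the exception, the
 * engine reports success but never writes *retval (stale stack bytes stay). */
static int run_router(int throws, int returns_false, zv *retval)
{
    if (throws)
        return 0;                 /* handled exception: retval left untouched */
    retval->type = returns_false ? T_FALSE : T_TRUE;
    return 0;
}
/* Destructor stand-in: returns 1 when handed a tag that is not a live value,
 * the condition the zend_gc.c assertion in the report fires on. */
static int dtor(zv *v)
{
    if (v->type != T_FALSE && v->type != T_TRUE)
        return 1;
    v->type = T_UNDEF;
    return 0;
}
/* Dispatch in the shape of php_cli_server_dispatch_router(). `slot` stands for
 * the local retval's stack memory. init=0: buggy shape, tag trusted without
 * initialisation. init=1: hardened shape, slot set to UNDEF before the call so
 * "nothing returned" is distinguishable. Returns 1 if dtor got garbage. */
static int dispatch(int init, int throws, int returns_false, zv *slot, int *decline)
{
    *decline = 0;
    if (init)
        slot->type = T_UNDEF;
    if (run_router(throws, returns_false, slot) == 0 && slot->type != T_UNDEF) {
        *decline = (slot->type == T_FALSE);   /* router returned false: decline */
        return dtor(slot);
    }
    return 0;
}
/* One scenario on a slot pre-filled with constructed stale bytes: 2 = garbage
 * handed to the destructor, otherwise the decline flag. */
static int scenario(int init, int throws, int returns_false)
{
    zv slot = { 0x5a5a };
    int decline;
    if (dispatch(init, throws, returns_false, &slot, &decline))
        return 2;
    return decline;
}
```

Only the handled-exception path with an uninitialised slot reaches the destructor with garbage; every other combination behaves the same in both shapes.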


 [2015-12-01 00:57 UTC] aharvey@php.net
-Assigned To: +Assigned To: aharvey
 [2015-12-01 00:57 UTC] aharvey@php.net
I'm an idiot: the fix for this is obvious. I'll push it later tonight.
 [2015-12-01 03:12 UTC] aharvey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91bad929aa0d7b7560a20c58e1e02a76f522b0bd
Log: Fix bug #71005 (Segfault in php_cli_server_dispatch_router()).
 [2015-12-01 03:12 UTC] aharvey@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91bad929aa0d7b7560a20c58e1e02a76f522b0bd
Log: Fix bug #71005 (Segfault in php_cli_server_dispatch_router()).
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC