Bug #71045 zend_mm_alloc_small crashes with zend_string_alloc
Submitted: 2015-12-06 20:52 UTC Modified: 2015-12-08 04:28 UTC
From: kak dot serpom dot po dot yaitsam at gmail dot com Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 7.0.0 OS: CentOS
Private report: No CVE-ID: None
 [2015-12-06 20:52 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
Description:
------------
A segmentation fault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fe57c0 (LWP 81104)]
zend_mm_alloc_small (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
Missing separate debuginfos, use: debuginfo-install libidn-1.18-2.el6.x86_64 libssh2-1.4.2-2.el6.x86_64
(gdb) bt
#0  zend_mm_alloc_small (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:1358
#2  _emalloc (size=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_alloc.c:2442
#3  0x00000000005ac391 in zend_string_alloc (zendlval=0x7fffffffa3a0) at /usr/src/debug/php-7.0.0/Zend/zend_string.h:121
#4  zend_string_init (zendlval=0x7fffffffa3a0) at /usr/src/debug/php-7.0.0/Zend/zend_string.h:157
#5  lex_scan (zendlval=0x7fffffffa3a0) at Zend/zend_language_scanner.l:1310
#6  0x00000000005c0701 in zendlex (elem=0x7ffffffface0) at /usr/src/debug/php-7.0.0/Zend/zend_compile.c:1573
#7  0x00000000005a29ea in zendparse () at /usr/src/debug/php-7.0.0/Zend/zend_language_parser.c:4207
#8  0x00000000005a6f0d in compile_file (file_handle=<value optimized out>, type=<value optimized out>) at Zend/zend_language_scanner.l:591
#9  0x00000000005ce772 in dtrace_compile_file (file_handle=0x7fffffffb0c0, type=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:50
#10 0x00007fffea6ed72f in phar_compile_file (file_handle=0x7fffffffb0c0, type=2) at /usr/src/debug/php-7.0.0/ext/phar/phar.c:3311
#11 0x00000000005a64ef in compile_filename (type=2, filename=0x7ffff4616930) at Zend/zend_language_scanner.l:647
#12 0x000000000066021a in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7ffff46168d0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:29114
#13 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#14 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff46168d0) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#15 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616820) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#16 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#17 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616820) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#18 0x00000000005d0ce8 in zend_call_function (fci=0x7fffffffb4d0, fci_cache=0x7fffffffb520) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:854
#19 0x00000000005fb0f7 in zend_call_method (object=0x7ffff46a02a8, obj_ce=<value optimized out>, fn_proxy=<value optimized out>,
    function_name=0x7ffff46cbdd8 "composer\\autoload\\classloader::loadclass\001", function_name_len=<value optimized out>, retval_ptr=0x0, param_count=1, arg1=0x7ffff4616810,
    arg2=0x0) at /usr/src/debug/php-7.0.0/Zend/zend_interfaces.c:104
#20 0x00000000004ec700 in zif_spl_autoload_call (execute_data=<value optimized out>, return_value=<value optimized out>) at /usr/src/debug/php-7.0.0/ext/spl/php_spl.c:425
#21 0x00000000005ce4f9 in dtrace_execute_internal (execute_data=<value optimized out>, return_value=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:107
#22 0x00000000005d1133 in zend_call_function (fci=0x7fffffffb770, fci_cache=0x7fffffffb7c0) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:875
#23 0x00000000005d1410 in zend_lookup_class_ex (name=<value optimized out>, key=0x0, use_autoload=<value optimized out>)
    at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:1036
#24 0x00000000005d1791 in zend_fetch_class (class_name=0x7ffff4719090, fetch_type=512) at /usr/src/debug/php-7.0.0/Zend/zend_execute_API.c:1361
#25 0x000000000062ac75 in ZEND_FETCH_CLASS_SPEC_CV_HANDLER (execute_data=0x7ffff46164b0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:2332
#26 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#27 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff46164b0) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#28 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616210) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#29 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#30 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616210) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#31 0x000000000065317a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff4616170) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:800
#32 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
#33 0x00000000005ce63e in dtrace_execute_ex (execute_data=0x7ffff4616170) at /usr/src/debug/php-7.0.0/Zend/zend_dtrace.c:83
#34 0x0000000000660a87 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0x7ffff46160e0) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:40602
#35 0x000000000061b740 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.0/Zend/zend_vm_execute.h:417
---Type <return> to continue, or q <return> to quit---

 [2015-12-06 21:41 UTC] danack@php.net
Please can you provide more information about how to reproduce this issue?
 [2015-12-06 22:20 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
I managed to compile a reproduction code, but it discloses some parts of our project so I have to hold it until the decision of my employer. I will talk to him tomorrow. Is it possible to share the code with someone competent in private?
 [2015-12-07 01:26 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2015-12-07 01:26 UTC] laruence@php.net
You can send it to me via mail, or if it's possible, you can grant me SSH access to the box which can reproduce this.
 [2015-12-07 01:30 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
-Status: Feedback +Status: Assigned
 [2015-12-07 01:30 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
laruence@php.net, I've just sent you the code. Can you reproduce the bug?
 [2015-12-07 03:40 UTC] laruence@php.net
-Package: *General Issues +Package: yaml -Assigned To: laruence +Assigned To:
 [2015-12-07 03:40 UTC] laruence@php.net
It turns out it's a yaml issue; valgrind report:

$ USE_ZEND_ALLOC=0 valgrind php7 crash.php
==19581== Memcheck, a memory error detector
==19581== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==19581== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==19581== Command: php7 crash.php
==19581==
==19581== Invalid read of size 2
==19581==    at 0xA04C36: gc_check_possible_root (zend_gc.h:135)
==19581==    by 0xA04CB4: i_zval_ptr_dtor (zend_variables.h:60)
==19581==    by 0xA08B4D: zend_array_destroy (zend_hash.c:1305)
==19581==    by 0x9F04FE: _zval_dtor_func_for_ptr (zend_variables.c:96)
==19581==    by 0x9D97E5: i_zval_ptr_dtor (zend_variables.h:58)
==19581==    by 0x9DB156: _zval_ptr_dtor (zend_execute_API.c:527)
==19581==    by 0xF71A243: handle_document (parse.c:352)
==19581==    by 0xF719E2B: php_yaml_read_partial (parse.c:175)
==19581==    by 0xF718E1C: zif_yaml_parse_file (yaml.c:469)
==19581==    by 0xA509F2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:714)
==19581==    by 0xA4FE15: execute_ex (zend_vm_execute.h:417)
==19581==    by 0xA4FF3F: zend_execute (zend_vm_execute.h:458)
==19581==  Address 0x14b40966 is 6 bytes inside a block of size 56 free'd
==19581==    at 0x4C27430: free (vg_replace_malloc.c:446)
==19581==    by 0x9C06D1: _efree (zend_alloc.c:2453)
==19581==    by 0xA08C85: zend_array_destroy (zend_hash.c:1327)
==19581==    by 0x9F04FE: _zval_dtor_func_for_ptr (zend_variables.c:96)
==19581==    by 0x9D97E5: i_zval_ptr_dtor (zend_variables.h:58)
==19581==    by 0x9DB156: _zval_ptr_dtor (zend_execute_API.c:527)
==19581==    by 0xF71A757: handle_mapping (parse.c:424)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)
==19581==    by 0xF71A46D: handle_mapping (parse.c:390)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)
==19581==    by 0xF71A46D: handle_mapping (parse.c:390)
==19581==    by 0xF71A14B: get_next_element (parse.c:311)

thanks
 [2015-12-07 03:46 UTC] laruence@php.net
Please try this quick fix:

diff -u yaml-2.0.0RC5/parse.c yaml-2.0.0RC5-old/parse.c
--- yaml-2.0.0RC5/parse.c	2015-10-18 04:54:05.000000000 +0800
+++ yaml-2.0.0RC5-old/parse.c	2015-12-07 11:45:15.563379173 +0800
@@ -398,21 +398,21 @@
 		}

 		if (Z_ISREF_P(&value)) {
-			value = *Z_REFVAL_P(&value);
+			ZVAL_COPY_VALUE(&value, Z_REFVAL(value));
 		}

 		/* check for '<<' and handle merge */
 		if (key_event.type == YAML_SCALAR_EVENT &&
 				IS_NOT_QUOTED_OR_TAG_IS(key_event, YAML_MERGE_TAG) &&
 				STR_EQ("<<", key_str) &&
-				Z_TYPE_P(&value) == IS_ARRAY) {
+				Z_TYPE(value) == IS_ARRAY) {
 			/* zend_hash_merge */
 			/*
 			 * value is either a single ref or a simple array of refs
 			 */
 			if (YAML_ALIAS_EVENT == state->event.type) {
 				/* single ref */
-				zend_hash_merge(Z_ARRVAL_P(retval), Z_ARRVAL_P(&value), zval_add_ref, 0);
+				zend_hash_merge(Z_ARRVAL_P(retval), Z_ARRVAL(value), zval_add_ref, 0);
 			} else {
 				zval *zvalp;
 				ZEND_HASH_FOREACH_VAL(HASH_OF(&value), zvalp) {
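Review bot: the rewrite of `value = *Z_REFVAL_P(&value)` as `ZVAL_COPY_VALUE(&value, Z_REFVAL(value))` changes nothing about ownership: both forms copy the referent out of the reference without adding a count to it, so from this line on `value` is a borrowed view of an array the reference still owns, and nothing releases the reference wrapper that `value` held before the copy. The `zval_ptr_dtor(&value)` further down in this function then frees an array it never acquired, which is the `free'd` site the valgrind trace in the comment above attributes to handle_mapping (parse.c:424). Suggest having the deref take a count (copy the referent into a temporary with ZVAL_COPY, release the reference, then move the temporary into `value`) so that `value` is owned on every path, with a comment stating that rule. The `Z_TYPE(value)` and `Z_ARRVAL(value)` substitutions are cosmetic, and the unchanged `HASH_OF(&value)` line just below keeps the old spelling, so the hunk is inconsistent with itself on that point. Note also that the `+++` side is the directory named `-old` (it carries the newer timestamp), so the labels read backwards from the direction the patch applies.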
@@ -424,6 +424,7 @@
 			zval_ptr_dtor(&value);
 		} else {
 			/* add key => value to retval */
+			Z_TRY_ADDREF_P(&value);
 			add_assoc_zval(retval, key_str, &value);
 		}
 		efree(key_str);
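Review bot: this `Z_TRY_ADDREF_P(&value)` is placed on the plain `add_assoc_zval` branch only, while the valgrind trace above puts the premature free at handle_mapping parse.c:424, which is the `zval_ptr_dtor(&value)` that opens this hunk on the merge branch; a value that came through the `Z_ISREF_P` deref in the previous hunk is still released there without ever having been acquired. Adding the count at deref time would cover both branches with one change. As written the addref is also unconditional, so on the non-reference path, where the merge branch's own dtor implies `value` is already owned, `add_assoc_zval` takes the value and one count is left behind.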
Only in yaml-2.0.0RC5-old/: parse.lo
Only in yaml-2.0.0RC5-old/: run-tests.php
Common subdirectories: yaml-2.0.0RC5/tests and yaml-2.0.0RC5-old/tests
diff -u yaml-2.0.0RC5/yaml.c yaml-2.0.0RC5-old/yaml.c
--- yaml-2.0.0RC5/yaml.c	2015-10-18 04:54:05.000000000 +0800
+++ yaml-2.0.0RC5-old/yaml.c	2015-12-07 11:33:36.508438745 +0800
@@ -411,7 +411,7 @@
 PHP_FUNCTION(yaml_parse_file)
 {
 	char *filename = { 0 };
-	int filename_len = 0;
+	size_t filename_len = 0;
 	zend_long pos = 0;
 	zval *zndocs = { 0 };
 	zval *zcallbacks = { 0 };
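Review bot: `size_t filename_len` is the right type for the length that zend_parse_parameters writes for a `p` or `s` argument in PHP 7; an `int` here would have been only partially written on 64-bit builds, so this deserves a sentence in the commit message marking it as a PHP 7 port fix separate from the double free. The `= { 0 }` initialisers on the neighbouring scalar and pointer declarations are brace-initialisation of non-aggregates; `= 0` and `= NULL` would read more clearly, though that style predates this change.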



thanks
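As an added illustration of the ownership mistake behind the valgrind trace and the `Z_ISREF_P` deref in the patch above (this is example code, not code from the bug report or from the yaml extension), the following self-contained C model uses a hypothetical refcounted "array" and a hypothetical `fetch()` that stands in for get_next_element(): an aliased element is a borrowed view of an array the alias table owns, a plain element is a freshly owned array. Releasing a borrowed referent as if it were owned produces a double free at document teardown; taking a count at deref time does not. The model marks freed payloads instead of calling free() so the second release is reported rather than crashing, which is the job valgrind did in the trace above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A refcounted payload standing in for a zend_array (hypothetical type). */
typedef struct {
    int refcount;
    int freed;          /* stays set after release so a second release is detected, not a crash */
    char text[32];
} model_array;

/* What fetch() hands back: either an owned array, or a borrowed view of a
 * reference wrapper whose inner array the alias table owns. */
typedef struct {
    int is_ref;
    model_array *arr;
} model_value;

/* Counters inspected after each scenario. */
static int double_frees = 0;
static int live_arrays = 0;

static model_array *array_new(const char *text) {
    model_array *a = calloc(1, sizeof *a);   /* intentionally never free()d: keeps the header readable */
    if (!a) { abort(); }
    a->refcount = 1;
    strncpy(a->text, text, sizeof a->text - 1);
    live_arrays++;
    return a;
}

static void array_addref(model_array *a) { a->refcount++; }

static void array_release(model_array *a) {
    if (a->freed) { double_frees++; return; }   /* this is the access valgrind flags as invalid */
    if (--a->refcount == 0) { a->freed = 1; live_arrays--; }
}

/* Stands in for get_next_element(): an alias yields the table-owned array
 * behind a reference; anything else yields a freshly owned array. */
static model_value fetch(model_array *table_owned, int via_alias) {
    model_value v;
    if (via_alias) { v.is_ref = 1; v.arr = table_owned; }
    else { v.is_ref = 0; v.arr = array_new("inline mapping"); }
    return v;
}

/* Mirrors the handle_mapping() shape: dereference, use the array, release it.
 * addref_on_deref selects the corrected rule: own a count before treating the referent as ours. */
static void consume(model_value v, int addref_on_deref) {
    if (v.is_ref && addref_on_deref) {
        array_addref(v.arr);
    }
    /* ... use v.arr here (the merge or add_assoc step) ... */
    array_release(v.arr);      /* the zval_ptr_dtor(&value) in the real code */
}

/* Runs one document: a mapping with an aliased '<<' merge key and a plain key,
 * then tears the alias table down. Returns 1 if a double free was detected, else 0. */
static int run_document(int addref_on_deref) {
    double_frees = 0;
    live_arrays = 0;
    model_array *anchored = array_new("anchor: &base {x: 1}");   /* owned by the alias table */
    consume(fetch(anchored, 1), addref_on_deref);   /* '<<: *base' */
    consume(fetch(anchored, 0), addref_on_deref);   /* 'y: {z: 2}' */
    array_release(anchored);                         /* alias table destroyed at end of document */
    return double_frees > 0 ? 1 : 0;
}

int main(void) {
    printf("borrowed copy, released as owned: %s\n", run_document(0) ? "double free detected" : "clean");
    printf("count taken at deref:             %s\n", run_document(1) ? "double free detected" : "clean");
    return 0;
}
```

The point the model makes is that the fix belongs at the moment the referent is taken out of the reference, not at one of the two places that later release it: once `value` is owned on every path, both the merge branch's dtor and the add-to-mapping branch behave correctly without special cases.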
 [2015-12-07 03:48 UTC] laruence@php.net
-Assigned To: +Assigned To: bd808
 [2015-12-08 03:59 UTC] sean at siobud dot com
This was already fixed upstream.

https://github.com/php/pecl-file_formats-yaml/commit/39642ce370f3bce7f4d4c96dd9cad31653e09a80

Try building the php7 branch, and that should fix your issue.
 [2015-12-08 04:28 UTC] bd808@php.net
-Status: Assigned +Status: Closed
 [2015-12-08 04:28 UTC] bd808@php.net
Suggested changes not included in Sean's patch were added in https://github.com/php/pecl-file_formats-yaml/commit/36d5be6ff42d78ff2d3589750a99c61d283dcd5b

Thanks for the report and the help fixing it everyone.
Last updated: Fri Dec 03 17:03:34 2021 UTC