php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71834 PharData segfault with possible null ptr deref in spprintf.c
Submitted: 2016-03-15 22:00 UTC Modified: 2017-09-21 01:28 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2016-03-15 (Git) OS: Debian 8.2 x64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-03-15 22:00 UTC] brian dot carpenter at gmail dot com
Description:
------------
This script, created and minimized by American Fuzzy Lop, triggers a segfault in PHP 7.1.0-dev. Looking at the output from gdb, there might also be a null ptr deref happening in xbuf_format_converter (spprintf.c:818), but please correct me if I'm wrong with that diagnosis.

Test script:
---------------
<?php
$e=new PharData('0.0/000000000000000000000000000000000000000000/0000000000000000000000000@000000000',0);

Expected result:
----------------
No crash. PHP 5.6.17-0+deb8u1 responds with the following:

geeknik@debian:~/php-tmp/out/4/crashes$ php test11
zend_mm_heap corrupted

geeknik@debian:~/php-tmp/out/4/crashes$ USE_ZEND_ALLOC=0 php test11
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'RecursiveDirectoryIterator::__construct(phar://...@00000): failed to open dir: operation failed' in /home/geeknik/php-tmp/out/4/crashes/test11:2
Stack trace:
#0 [internal function]: RecursiveDirectoryIterator->__construct('phar:///home/ge...', 0)
#1 /home/geeknik/php-tmp/out/4/crashes/test11(2): PharData->__construct('0.0/00000000000...', 0)
#2 {main}
  thrown in /home/geeknik/php-tmp/out/4/crashes/test11 on line 2

Actual result:
--------------
valgrind -q ~/php-src/sapi/cli/php test11
==95687== Invalid read of size 8
==95687==    at 0x1364848: zend_mm_alloc_small (zend_alloc.c:1291)
==95687==    by 0x1364848: zend_mm_alloc_heap (zend_alloc.c:1362)
==95687==    by 0x1364848: zend_mm_realloc_heap (zend_alloc.c:1458)
==95687==    by 0x1364848: _erealloc (zend_alloc.c:2475)
==95687==    by 0x12103D8: xbuf_format_converter (spprintf.c:818)
==95687==    by 0x12120DB: vspprintf (spprintf.c:847)
==95687==    by 0x1212519: spprintf (spprintf.c:871)
==95687==    by 0x43D93E: php_verror (main.c:866)
==95687==    by 0x43EAF9: php_error_docref1 (main.c:921)
==95687==    by 0x12795D3: php_stream_display_wrapper_errors (streams.c:207)
==95687==    by 0x1287021: _php_stream_opendir (streams.c:1994)
==95687==    by 0xECED36: spl_filesystem_dir_open (spl_directory.c:236)
==95687==    by 0xEDC279: spl_filesystem_object_construct (spl_directory.c:724)
==95687==    by 0xEDC279: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==95687==    by 0x13EA210: zend_call_function (zend_execute_API.c:878)
==95687==    by 0x152B677: zend_call_method (zend_interfaces.c:103)
==95687==  Address 0x7461726574497972 is not stack'd, malloc'd or (recently) free'd
==95687== 
==95687== 
==95687== Process terminating with default action of signal 11 (SIGSEGV)
==95687==  General Protection Fault
==95687==    at 0x1364848: zend_mm_alloc_small (zend_alloc.c:1291)
==95687==    by 0x1364848: zend_mm_alloc_heap (zend_alloc.c:1362)
==95687==    by 0x1364848: zend_mm_realloc_heap (zend_alloc.c:1458)
==95687==    by 0x1364848: _erealloc (zend_alloc.c:2475)
==95687==    by 0x12103D8: xbuf_format_converter (spprintf.c:818)
==95687==    by 0x12120DB: vspprintf (spprintf.c:847)
==95687==    by 0x1212519: spprintf (spprintf.c:871)
==95687==    by 0x43D93E: php_verror (main.c:866)
==95687==    by 0x43EAF9: php_error_docref1 (main.c:921)
==95687==    by 0x12795D3: php_stream_display_wrapper_errors (streams.c:207)
==95687==    by 0x1287021: _php_stream_opendir (streams.c:1994)
==95687==    by 0xECED36: spl_filesystem_dir_open (spl_directory.c:236)
==95687==    by 0xEDC279: spl_filesystem_object_construct (spl_directory.c:724)
==95687==    by 0xEDC279: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==95687==    by 0x13EA210: zend_call_function (zend_execute_API.c:878)
==95687==    by 0x152B677: zend_call_method (zend_interfaces.c:103)
Segmentation fault


(gdb) r test11
Starting program: /home/geeknik/php-src/sapi/cli/php test11
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (size=<optimized out>, bin_num=8, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=8, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1362
#2  zend_mm_realloc_heap (copy_size=<optimized out>, size=<optimized out>, 
    ptr=0x0, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1458
#3  _erealloc (ptr=0x0, size=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_alloc.c:2475
#4  0x00000000012103d9 in xbuf_format_converter (xbuf=0x7fffffffa140, 
    is_char=8 '\b', is_char@entry=1 '\001', 
    fmt=0x1 <error: Cannot access memory at address 0x1>, ap=0x4)
    at /home/geeknik/php-src/main/spprintf.c:818
#5  0x00000000012120dc in vspprintf (pbuf=0x7fffffffa2a8, max_len=0, 
    format=<optimized out>, ap=<optimized out>)
    at /home/geeknik/php-src/main/spprintf.c:847
#6  0x000000000121251a in spprintf (pbuf=<optimized out>, 
    max_len=<optimized out>, format=<optimized out>)
    at /home/geeknik/php-src/main/spprintf.c:871
#7  0x000000000043d93f in php_verror (
    docref=0x7ffff606a100 "recursivedirectoryiterator.construct", params=0x0, 
    type=30186880, format=0x1cc9d80 <bin_data_size> "\b", args=0x7ffff6000080, 
    args@entry=0x7fffffffa310) at /home/geeknik/php-src/main/main.c:866
#8  0x000000000043eafa in php_error_docref1 (docref=docref@entry=0x0, 
    param1=param1@entry=0x7ffff6085000 "phar://...@00000", type=type@entry=2, 
    format=format@entry=0x1c77a03 "%s: %s")
    at /home/geeknik/php-src/main/main.c:921
#9  0x00000000012795d4 in php_stream_display_wrapper_errors (
    wrapper=wrapper@entry=0x1fecc00 <php_stream_phar_wrapper>, 
    path=path@entry=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000", 
    caption=caption@entry=0x1cbb5af "failed to open dir")
    at /home/geeknik/php-src/main/streams/streams.c:207
#10 0x0000000001287022 in _php_stream_opendir (
    path=path@entry=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000", 
    options=options@entry=8, context=0x0)
    at /home/geeknik/php-src/main/streams/streams.c:1994
#11 0x0000000000eced37 in spl_filesystem_dir_open (
    intern=intern@entry=0x7ffff6078000, 
    path=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000")
    at /home/geeknik/php-src/ext/spl/spl_directory.c:236
#12 0x0000000000edc27a in spl_filesystem_object_construct (ctor_flags=1, 
    return_value=<optimized out>, execute_data=<optimized out>)
    at /home/geeknik/php-src/ext/spl/spl_directory.c:724
#13 zim_spl_RecursiveDirectoryIterator___construct (
    execute_data=<optimized out>, return_value=<optimized out>)
    at /home/geeknik/php-src/ext/spl/spl_directory.c:1563
#14 0x00000000013ea211 in zend_call_function (fci=fci@entry=0x7fffffffa6c0, 
    fci_cache=fci_cache@entry=0x7fffffffa690)
    at /home/geeknik/php-src/Zend/zend_execute_API.c:878
#15 0x000000000152b678 in zend_call_method (object=0x7ffff60130f0, 
    obj_ce=<optimized out>, fn_proxy=<optimized out>, 
    function_name=0x18b3f1d "__construct", function_name_len=<optimized out>, 
    retval_ptr=0x0, param_count=2, arg1=0x7fffffffa7f0, arg2=0x7fffffffa800)
    at /home/geeknik/php-src/Zend/zend_interfaces.c:103
#16 0x0000000000d6d652 in zim_Phar___construct (execute_data=0x5e4a0, 
    return_value=0x8) at /home/geeknik/php-src/ext/phar/phar_object.c:1219
#17 0x00000000017a1f0f in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:1027
#18 0x0000000001614533 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:423
#19 0x000000000187e655 in zend_execute (
    op_array=op_array@entry=0x7ffff60732a0, 
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:467
#20 0x00000000014510d8 in zend_execute_scripts (type=type@entry=8, 
    retval=retval@entry=0x0, file_count=-167694288, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#21 0x00000000011ffe90 in php_execute_script (primary_file=0x7fffffffcf10)
    at /home/geeknik/php-src/main/main.c:2487
#22 0x00000000018878e1 in do_cli (argc=386208, argv=0x8)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#23 0x00000000004507f1 in main (argc=386208, argv=0x8)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
(gdb) list
1286		} while (0);
1287	#endif
1288	
1289		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1290			zend_mm_free_slot *p = heap->free_slot[bin_num];
1291			heap->free_slot[bin_num] = p->next_free_slot;
1292			return (void*)p;
1293		} else {
1294			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
1295		}
(gdb) i r
rax            0x0	0
rbx            0x7ffff6000040	140737320583232
rcx            0x4	4
rdx            0x1cc9d80	30186880
rsi            0x8	8
rdi            0x5e4a0	386208
rbp            0x0	0x0
rsp            0x7fffffff97d0	0x7fffffff97d0
r8             0x7ffff6000080	140737320583296
r9             0x0	0
r10            0x0	0
r11            0x7461726574497972	8386109761208809842
r12            0x58228	361000
r13            0x20	32
r14            0x0	0
r15            0x8	8
rip            0x1364848	0x1364848 <_erealloc+8904>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-21 01:28 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2017-09-21 01:28 UTC] brian dot carpenter at gmail dot com
No longer reproduces.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Feb 16 19:01:26 2020 UTC