Bug #71859 zend_objects_store_call_destructors operates on realloced memory, crashing.
Submitted: 2016-03-19 15:01 UTC Modified: -
From: jasper dot mattsson at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.4 OS:
Private report: No CVE-ID: None
 [2016-03-19 15:01 UTC] jasper dot mattsson at gmail dot com
Description:
------------
If a destructor instantiates new objects, objects->object_buckets might be reallocated in zend_objects_store_put, making obj_ptr dangle and sometimes crashing PHP. 

Test script:
---------------
<?php
class constructs_in_destructor {
  public function __destruct() {
    // We are now inside zend_objects_store_call_destructors.
    // Creating many objects forces zend_objects_store_put to grow (realloc)
    // objects->object_buckets while the caller still holds a pointer into it.
    for ($i = 0; $i < 10000; ++$i) {
      $GLOBALS["a$i"] = new stdClass;
    }
    // Returning to zend_objects_store_call_destructors, which then walks
    // the freed (pre-realloc) array.
  }
}

gc_disable();
$a = new constructs_in_destructor;
// Create a cycle so the destructor runs only in zend_objects_store_call_destructors
// at shutdown, not when $a goes out of scope.
$a->a = $a;

// Create some objects so zend_objects_store_call_destructors has something
// to do after constructs_in_destructor is destroyed.
for ($i = 0; $i < 200; ++$i) {
  $GLOBALS["b$i"] = new stdClass;
}


Expected result:
----------------
No crash

Actual result:
--------------
#0  0x00000000008528ef in zend_objects_store_call_destructors (objects=0x1145ff0 <executor_globals+816>) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend_objects_API.c:54
#1  0x00000000007e9a57 in shutdown_destructors () at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend_execute_API.c:242
#2  0x00000000008028c1 in zend_call_destructors () at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/Zend/zend.c:952
#3  0x000000000076b5fe in php_request_shutdown (dummy=0x0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/main/main.c:1774
#4  0x00000000008cc813 in do_cli (argc=2, argv=0x114b9f0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/sapi/cli/php_cli.c:1142
#5  0x00000000008cd099 in main (argc=2, argv=0x114b9f0) at /var/lib/yaourt/yaourt-tmp-jasu/abs-php/src/php-7.0.4/sapi/cli/php_cli.c:1345
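The mechanism the report describes, as an added example in C that is not PHP's code and not part of this bug report: a constructed miniature object store whose bucket array moves when a destructor adds objects, walked first with a pointer captured before the call (the buggy shape) and then by index with the base re-read each iteration. The names obj_store, object_buckets, store_put, growing_dtor, call_destructors_pointer_walk, call_destructors_index_walk, build_store and run_scenario are this example's own; the index-based loop is the standard remedy for this class of bug, and whether the linked upstream commit takes exactly that form is not shown on the page. Growth is done as allocate-copy-free, which is what realloc() does when it cannot extend in place, so the move is deterministic here. The buggy walker deliberately returns -1 instead of dereferencing the stale pointer, so the hazard is observable without undefined behaviour.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed miniature of a growable object store. The field names echo the
 * engine's zend_objects_store, but this struct and every function below are
 * illustrative code, not PHP's. */
typedef struct obj obj;
typedef struct {
    obj **object_buckets;   /* array of bucket pointers, grows on demand */
    size_t top;             /* next free slot */
    size_t size;            /* current capacity */
} obj_store;

struct obj {
    int destroyed;
    void (*destructor)(obj_store *, obj *);  /* NULL for plain objects */
};

/* Grows the bucket array when full by allocating a new one and freeing the
 * old (what realloc() does when it cannot extend in place). Any pointer into
 * the old array is dangling from here on. */
static void store_put(obj_store *s, obj *o) {
    if (s->top == s->size) {
        size_t new_size = s->size ? s->size * 2 : 4;
        obj **moved = malloc(new_size * sizeof *moved);
        assert(moved);
        for (size_t i = 0; i < s->top; i++) moved[i] = s->object_buckets[i];
        free(s->object_buckets);
        s->object_buckets = moved;
        s->size = new_size;
    }
    s->object_buckets[s->top++] = o;
}

static obj *new_obj(void (*dtor)(obj_store *, obj *)) {
    obj *o = calloc(1, sizeof *o);
    assert(o);
    o->destructor = dtor;
    return o;
}

/* Like constructs_in_destructor::__destruct in the report: the destructor
 * creates objects, so the store grows while it is still being walked. */
static void growing_dtor(obj_store *s, obj *self) {
    (void)self;
    for (int i = 0; i < 64; i++) store_put(s, new_obj(NULL));
}

/* Buggy shape: obj_ptr and end are computed once and kept across the
 * destructor call. Instead of reading through the stale pointer (the crash
 * in the report) this returns -1 at the point the engine would do so. */
static int call_destructors_pointer_walk(obj_store *s) {
    int called = 0;
    obj **obj_ptr = s->object_buckets;
    obj **end = s->object_buckets + s->top;
    while (obj_ptr != end) {
        obj **base_before = s->object_buckets;
        obj *o = *obj_ptr;
        if (o && !o->destroyed) {
            o->destroyed = 1;
            if (o->destructor) o->destructor(s, o);
            called++;
        }
        if (s->object_buckets != base_before) return -1;  /* obj_ptr dangles */
        obj_ptr++;
    }
    return called;
}

/* Fixed shape: base and top are re-read from the store every iteration, so a
 * move is harmless and objects added by a destructor are visited as well. */
static int call_destructors_index_walk(obj_store *s) {
    int called = 0;
    for (size_t i = 0; i < s->top; i++) {
        obj *o = s->object_buckets[i];
        if (o && !o->destroyed) {
            o->destroyed = 1;
            if (o->destructor) o->destructor(s, o);
            called++;
        }
    }
    return called;
}

/* Reporter's scenario: one allocating object followed by n_plain plain ones. */
static obj_store build_store(size_t n_plain) {
    obj_store s = {0, 0, 0};
    store_put(&s, new_obj(growing_dtor));
    for (size_t i = 0; i < n_plain; i++) store_put(&s, new_obj(NULL));
    return s;
}

static void free_store(obj_store *s) {
    for (size_t i = 0; i < s->top; i++) free(s->object_buckets[i]);
    free(s->object_buckets);
    s->object_buckets = NULL; s->top = s->size = 0;
}

/* Runs one walker over a fresh store and releases everything afterwards.
 * Returns -1 for the pointer walk (array moved) or the destroyed count. */
static int run_scenario(size_t n_plain, int use_index_walk) {
    obj_store s = build_store(n_plain);
    int r = use_index_walk ? call_destructors_index_walk(&s)
                           : call_destructors_pointer_walk(&s);
    free_store(&s);
    return r;
}

int main(void) {
    printf("pointer walk: %d (-1 = array moved under the walker)\n", run_scenario(200, 0));
    printf("index walk: %d objects destroyed\n", run_scenario(200, 1));
    return 0;
}
```

With 200 plain objects the index walk destroys 265 objects (1 + 200 + the 64 created inside the destructor), which is also why an index loop is preferable beyond the crash itself: objects created during shutdown get their destructors called instead of being skipped.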


History
 [2016-03-19 19:31 UTC] vvvaagn at gmail dot com
root@TZDG001:/tmp/data2# valgrind -q ../php-7.0.4/sapi/cli/php test.php ret/crash13
==20538== Invalid read of size 8
==20538==    at 0xC70678: zend_mm_alloc_small (zend_alloc.c:1291)
==20538==    by 0xC70678: zend_mm_alloc_heap (zend_alloc.c:1358)
==20538==    by 0xC70678: _emalloc (zend_alloc.c:2442)
==20538==    by 0xC7696F: _estrndup (zend_alloc.c:2565)
==20538==    by 0x76BD95: phar_split_fname (phar.c:2229)
==20538==    by 0x732F19: phar_parse_url (stream.c:74)
==20538==    by 0x747A26: phar_wrapper_open_dir (dirstream.c:315)
==20538==    by 0xBA6BB7: _php_stream_opendir (streams.c:1982)
==20538==    by 0x85DDB2: spl_filesystem_dir_open (spl_directory.c:236)
==20538==    by 0x869E39: spl_filesystem_object_construct (spl_directory.c:724)
==20538==    by 0x869E39: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==20538==    by 0xCE6370: zend_call_function (zend_execute_API.c:879)
==20538==    by 0xE0662A: zend_call_method (zend_interfaces.c:104)
==20538==    by 0x779BC1: zim_Phar___construct (phar_object.c:1233)
==20538==    by 0x101447C: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
==20538==  Address 0x73752f2e20656c75 is not stack'd, malloc'd or (recently) free'd
==20538== 
==20538== 
==20538== Process terminating with default action of signal 11 (SIGSEGV)
==20538==  General Protection Fault
==20538==    at 0xC70678: zend_mm_alloc_small (zend_alloc.c:1291)
==20538==    by 0xC70678: zend_mm_alloc_heap (zend_alloc.c:1358)
==20538==    by 0xC70678: _emalloc (zend_alloc.c:2442)
==20538==    by 0xC7696F: _estrndup (zend_alloc.c:2565)
==20538==    by 0x76BD95: phar_split_fname (phar.c:2229)
==20538==    by 0x732F19: phar_parse_url (stream.c:74)
==20538==    by 0x747A26: phar_wrapper_open_dir (dirstream.c:315)
==20538==    by 0xBA6BB7: _php_stream_opendir (streams.c:1982)
==20538==    by 0x85DDB2: spl_filesystem_dir_open (spl_directory.c:236)
==20538==    by 0x869E39: spl_filesystem_object_construct (spl_directory.c:724)
==20538==    by 0x869E39: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==20538==    by 0xCE6370: zend_call_function (zend_execute_API.c:879)
==20538==    by 0xE0662A: zend_call_method (zend_interfaces.c:104)
==20538==    by 0x779BC1: zim_Phar___construct (phar_object.c:1233)
==20538==    by 0x101447C: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
 [2016-03-20 11:56 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9564998e490092fdefa6630944e38692c75e30de
Log: Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
 [2016-03-20 11:56 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9564998e490092fdefa6630944e38692c75e30de
Log: Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC