Bug #72040 AddressSanitizer: heap-use-after-free zend_alloc.c:924 zend_mm_del_segment
Submitted: 2016-04-17 06:53 UTC Modified: 2016-07-14 09:32 UTC
From: fernando at null-life dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID: None
 [2016-04-17 06:53 UTC] fernando at null-life dot com
Description:
------------
1. compile PHP 5.6.20 with ASAN
2. Run the attached script in a while loop; sometimes you will get the ASAN crash.

  while true; do /home/fmunozs/phpgit/php56/sapi/cli/php -n jet.php ; done

If php_request_shutdown is called during the fscanf, ASAN reports a heap-use-after-free in some cases.

Test script:
---------------
<?php
// Repro: the execution time limit must fire while fscanf() is still running.
set_time_limit(1);                                              // 1 second budget, enforced by the timer signal (zend_timeout)
$arr = []; for ($i = 0; $i < 165536; ++$i) { $arr[$i] = "aa"; } // large array: many heap segments for shutdown_executor to free
$var1 = fopen("/dev/zero", "r");                                // endless stream that never delivers a newline
$var2 = "AAA";                                                  // format string; never matches, but fscanf() first has to read a "line"
try { fscanf($var1, $var2); } catch (Exception $a) {}           // line 7: the line read never completes, so the time-out interrupts it here

Expected result:
----------------
No warning

Actual result:
--------------
Fatal error: Maximum execution time of 1 second exceeded in /ramdisk/wtf/wtf/jet.php on line 7
=================================================================
==29856==ERROR: AddressSanitizer: heap-use-after-free on address 0xac533804 at pc 0x0930ffba bp 0xbfdf0358 sp 0xbfdf0348
READ of size 4 at 0xac533804 thread T0
    #0 0x930ffb9 in zend_mm_del_segment /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:924
    #1 0x930ffb9 in _zend_mm_free_int /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:2115
    #2 0x930ffb9 in _efree /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:2440
    #3 0x94d1d4f in zend_hash_destroy /home/fmunozs/phpgit/php56/Zend/zend_hash.c:553
    #4 0x94612d1 in _zval_dtor_func /home/fmunozs/phpgit/php56/Zend/zend_variables.c:45
    #5 0x93d83e8 in _zval_dtor /home/fmunozs/phpgit/php56/Zend/zend_variables.h:35
    #6 0x93d83e8 in i_zval_ptr_dtor /home/fmunozs/phpgit/php56/Zend/zend_execute.h:79
    #7 0x93d83e8 in _zval_ptr_dtor /home/fmunozs/phpgit/php56/Zend/zend_execute_API.c:424
    #8 0x94d3f53 in i_zend_hash_bucket_delete /home/fmunozs/phpgit/php56/Zend/zend_hash.c:182
    #9 0x94d3f53 in zend_hash_bucket_delete /home/fmunozs/phpgit/php56/Zend/zend_hash.c:192
    #10 0x94d3f53 in zend_hash_graceful_reverse_destroy /home/fmunozs/phpgit/php56/Zend/zend_hash.c:613
    #11 0x93daf4d in shutdown_executor /home/fmunozs/phpgit/php56/Zend/zend_execute_API.c:244
    #12 0x9467c8b in zend_deactivate /home/fmunozs/phpgit/php56/Zend/zend.c:960
    #13 0x91a88d0 in php_request_shutdown /home/fmunozs/phpgit/php56/main/main.c:1899
    #14 0x9a83ac3 in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1177
    #15 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #16 0xb6dcd645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #17 0x808aaba  (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

0xac533804 is located 4 bytes inside of 13369344-byte region [0xac533800,0xad1f3800)
freed by thread T0 here:
    #0 0xb727f06c in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x9706c)
    #1 0x92e89cb in zend_mm_mem_malloc_realloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:292

previously allocated by thread T0 here:
    #0 0xb727f06c in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x9706c)
    #1 0x92e89cb in zend_mm_mem_malloc_realloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:292

SUMMARY: AddressSanitizer: heap-use-after-free /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:924 zend_mm_del_segment
Shadow bytes around the buggy address:
  0x358a66b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a66c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a66d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a66e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a66f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x358a6700:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x358a6710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x358a6720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x358a6730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x358a6740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x358a6750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29856==ABORTING

 [2016-04-18 00:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-04-18 00:31 UTC] stas@php.net
Does not look like a security issue - specially crafted code that also makes little sense.
 [2016-04-19 01:45 UTC] fernando at null-life dot com
I can't ask my fuzzer to make sense :) but please take a look; it keeps appearing in my fuzzing session. It seems to happen also if the shutdown occurs during an fgetcsv call.
 [2016-04-19 09:46 UTC] dmitry@php.net
PHP doesn't handle execution time-out gracefully.
In some cases it may cause crash on request shutdown.

exit_on_timeout=1 in php.ini should minimize the risk.

The only way to fix this properly is delaying the actual signal handling until a safe place, e.g. like PHP on Windows does: setting EG(timed_out) in the signal handler and checking it from time to time in the interpreter. However, this approach won't interrupt long-running internal functions.
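
Editor's added example (not part of the bug report and not PHP source): the deferred approach dmitry describes, written out in C. The signal handler only sets a flag (a stand-in for EG(timed_out)), the interpreter loop checks it between opcodes, and the heap is torn down only after the loop has stopped. The toy heap's realloc() growth path marks the kind of place where a bail-out taken directly from the signal handler would leave shutdown reading freed memory, which is the shape of the trace above (freed by realloc in zend_mm_mem_malloc_realloc, read again in zend_mm_del_segment). run_blocking_internal() models the caveat in the last sentence: a function that never reaches a safe point runs past its budget. The function names, the toy heap and the millisecond budgets are illustrative assumptions, not PHP's.

```c
/* Added example, not PHP source: deferred time-out handling in the style dmitry
 * describes.  A handler that raises the fatal error itself bails out of whatever
 * was running (here: a realloc() in the allocator), so request shutdown then walks
 * half-updated heap metadata.  This handler only sets a flag; the interpreter loop
 * honours it at a safe point between opcodes. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>

static volatile sig_atomic_t timed_out = 0;   /* stand-in for EG(timed_out) */

static void on_timeout(int sig)
{
    (void)sig;
    timed_out = 1;   /* async-signal-safe: no malloc, no longjmp, no zend_error */
}

/* One-shot wall-clock timer of `ms` milliseconds; returns 0 on success. */
static int arm_timer(long ms)
{
    struct sigaction sa;
    struct itimerval it;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_timeout;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    timed_out = 0;
    return setitimer(ITIMER_REAL, &it, NULL);
}

static void disarm_timer(void) { struct itimerval it; memset(&it, 0, sizeof it); setitimer(ITIMER_REAL, &it, NULL); }

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Toy heap standing in for zend_mm: a realloc()-grown table. */
typedef struct { long *items; size_t n, cap; } heap_t;

static void heap_push(heap_t *h, long v)
{
    if (h->n == h->cap) {
        size_t ncap = h->cap ? h->cap * 2 : 1024;
        /* A longjmp out of here, after realloc() freed the old block but before
         * h->items is updated, leaves shutdown reading freed memory (cf. the trace). */
        long *p = realloc(h->items, ncap * sizeof *p);
        if (!p) abort();
        h->items = p;
        h->cap = ncap;
    }
    h->items[h->n++] = v;
}

static void heap_reset(heap_t *h) { free(h->items); h->items = NULL; h->n = h->cap = 0; }

/* Interpreter loop: checks the flag between "opcodes" and tears the heap down only
 * afterwards.  Returns opcodes executed, or -1 if no timer could be armed. */
long run_script(long budget_ms, long max_opcodes)
{
    heap_t h = { NULL, 0, 0 };
    long executed = 0;
    if (arm_timer(budget_ms) != 0)
        return -1;
    while (executed < max_opcodes && !timed_out) {   /* safe point */
        heap_push(&h, executed);
        if (h.n == 65536)                             /* keep memory bounded */
            heap_reset(&h);
        executed++;
    }
    disarm_timer();
    heap_reset(&h);   /* orderly shutdown: no allocator call was in flight */
    return executed;
}

int timeout_fired(void) { return timed_out != 0; }

/* The caveat dmitry notes: an internal function that never reaches a safe point
 * ("fscanf() on /dev/zero", modelled as a spin of spin_ms) is not interrupted.
 * Returns how many ms it ran past its budget, or -1 if the timer never fired. */
long run_blocking_internal(long budget_ms, long spin_ms)
{
    long start = now_ms();
    if (arm_timer(budget_ms) != 0)
        return -1;
    while (now_ms() - start < spin_ms)
        ;   /* the deferred model cannot stop this loop */
    disarm_timer();
    return timed_out ? (now_ms() - start) - budget_ms : -1;
}
```

Build with any C99 compiler on a POSIX system and call run_script(20, some large count) from a main of your own: it returns after roughly 20 ms with the heap freed in order, whereas run_blocking_internal(10, 100) returns only when its spin finishes, some 90 ms late, with the flag set but unacted upon. That second number is exactly why the report's fscanf loop still needs exit_on_timeout or a stream-level check even once the handler itself is made safe.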
 [2016-07-14 09:32 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 09:32 UTC] dmitry@php.net
Graceful execution time-out handling is implemented in PHP-7.1.
 