Bug #72867 segfault zend.c:143 (gc_zval_possible_root)
Submitted: 2016-08-17 19:39 UTC Modified: 2016-11-21 20:06 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:39 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.

Test script:
---------------
<?php
$poc='a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:2;R:5;}';$t=unserialize($poc);gc_collect_cycles();$fa0ezval=0;$fa0ezval=ptr2str(0);l.unserialize($poc);$a="";for($i=0;0;);class ryat{var$t;var$g;function __destruct(){$this->chtg=$this->ryat;}}function ptr2str(){for(;$i<8;$i++){o.chr(0);}}

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault_gc_zval_possible_root 
ASAN:SIGSEGV
=================================================================
==496==ERROR: AddressSanitizer: SEGV on unknown address 0x7f262ce7ec69 (pc 0x0000016569ef bp 0x000002367b48 sp 0x7ffc86167c30 T0)
    #0 0x16569ee in gc_zval_possible_root /home/geeknik/php-5.6.24/Zend/zend_gc.c:143:3
    #1 0x15599d2 in gc_zval_check_possible_root /home/geeknik/php-5.6.24/Zend/zend_gc.h:183:3
    #2 0x15599d2 in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:86
    #3 0x15599d2 in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #4 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #5 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #6 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #7 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #8 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #9 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #10 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #11 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #12 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #13 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #14 0x15f5185 in i_zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:182:3
    #15 0x15f5185 in zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:192
    #16 0x15f5581 in zend_hash_graceful_reverse_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:613:3
    #17 0x155a230 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:244:3
    #18 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #19 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #20 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #21 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #22 0x7f0c6576bb44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #23 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_gc.c:143 gc_zval_possible_root
==496==ABORTING
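
The reproducer above reaches the garbage collector only because unserialize() accepts object ("O:") and reference ("R:") tokens from the input string. As an added example, not part of the bug report, the following PHP pre-filter walks the serialize() grammar for scalars and arrays only and refuses anything else before unserialize() is ever called, so payloads of this shape never get as far as the destructor or the GC. On PHP 7.0 and later the same object restriction is available natively via `unserialize($s, ['allowed_classes' => false])`; this filter is for code that must still run on 5.6, and it additionally refuses back-references. Class and function names and the sample inputs at the bottom are constructed for this example.

```php
<?php
// Added example: conservative pre-filter for untrusted serialized data.
// Accepts only N, b, i, d, s and a tokens; refuses O, C, R, r and malformed input.
class SerializedFilter
{
    private $s;
    private $pos;
    private $len;

    public function __construct($s)
    {
        $this->s   = $s;
        $this->pos = 0;
        $this->len = strlen($s);
    }

    // True only if the whole string is one well-formed plain-data value.
    public function isPlainData()
    {
        try {
            $this->value();
            return $this->pos === $this->len;
        } catch (RuntimeException $e) {
            return false;
        }
    }

    private function fail($msg)
    {
        throw new RuntimeException($msg . ' at offset ' . $this->pos);
    }

    private function expect($lit)
    {
        $n = strlen($lit);
        if (substr($this->s, $this->pos, $n) !== $lit) {
            $this->fail("expected '$lit'");
        }
        $this->pos += $n;
    }

    // Returns the text up to the next $stop character and consumes it.
    private function until($stop)
    {
        $end = strpos($this->s, $stop, $this->pos);
        if ($end === false) {
            $this->fail("missing '$stop'");
        }
        $tok = substr($this->s, $this->pos, $end - $this->pos);
        $this->pos = $end + 1;
        return $tok;
    }

    private function value()
    {
        if ($this->pos >= $this->len) {
            $this->fail('unexpected end of input');
        }
        $t = $this->s[$this->pos++];
        switch ($t) {
            case 'N':                         // N;
                $this->expect(';');
                return;
            case 'b':                         // b:0; b:1;
            case 'i':                         // i:-12;
            case 'd':                         // d:2.5;  (INF/NAN are refused, deliberately)
                $this->expect(':');
                if (!is_numeric($this->until(';'))) {
                    $this->fail('bad number');
                }
                return;
            case 's':                         // s:<len>:"<bytes>";
                $this->expect(':');
                $n = $this->until(':');
                if (!ctype_digit($n)) {
                    $this->fail('bad string length');
                }
                $this->expect('"');
                $this->pos += (int) $n;       // skip the declared raw bytes
                $this->expect('";');
                return;
            case 'a':                         // a:<count>:{ key value ... }
                $this->expect(':');
                $n = $this->until(':');
                if (!ctype_digit($n)) {
                    $this->fail('bad element count');
                }
                $this->expect('{');
                for ($i = 0; $i < (int) $n; $i++) {
                    // Array keys may only be integers or strings.
                    if ($this->pos >= $this->len
                        || ($this->s[$this->pos] !== 'i' && $this->s[$this->pos] !== 's')) {
                        $this->fail('bad array key');
                    }
                    $this->value();           // key
                    $this->value();           // value
                }
                $this->expect('}');
                return;
            default:
                // O:, C:, R:, r: and any unknown token are refused outright.
                $this->fail("refused token '$t'");
        }
    }
}

// Returns the decoded value, or false if the input is not plain data.
function safeUnserialize($s)
{
    $f = new SerializedFilter($s);
    return $f->isPlainData() ? unserialize($s) : false;
}

// Constructed sample inputs: the report's payload is refused at the "O:" token,
// ordinary scalar/array data round-trips unchanged.
$poc = 'a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:2;R:5;}';
var_dump(safeUnserialize($poc));                                        // bool(false)
var_dump(safeUnserialize(serialize(array('k' => array(1, 2.5, true, null)))));
```

The filter rejects rather than repairs: a string whose declared length runs past the end of the input, a nested array used as a key, or any token outside the plain-data set all return false, which is the behaviour a caller handling attacker-controlled input wants. Where the data format is under your control, moving to json_decode() removes the problem class entirely.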

History

 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:06 UTC] brian dot carpenter at gmail dot com
Does not affect 5.6.28.
 [2016-11-21 20:06 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
Last updated: Mon Apr 29 15:01:31 2024 UTC