Bug #72869 segfault zend_alloc.c:2104 (_zend_mm_free_int)
Submitted: 2016-08-17 19:45 UTC Modified: 2016-11-21 20:03 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:45 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
<?php
$poc='a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:0;R:5;}';$t=unserialize($poc);gc_collect_cycles();$l=ptr2str(0);$a=ptr2str();$f="";$f="";class ryat{var$t;var$g;function __destruct(){$this->chtg=$this->ryat;}}function ptr2str($ptr){$u='';for(;$i<8;$i++){$t=chr(0);$ptr=0;}return$t;}

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault__zend_mm_free_int

Warning: Missing argument 1 for ptr2str(), called in /home/geeknik/php-tmp/crashers/070816/segfault__zend_mm_free_int on line 2 and defined in /home/geeknik/php-tmp/crashers/070816/segfault__zend_mm_free_int on line 2
ASAN:SIGSEGV
=================================================================
==44044==ERROR: AddressSanitizer: SEGV on unknown address 0x7f05ce8ee640 (pc 0x0000014c7bb8 bp 0x7f05ce8ee640 sp 0x7fff6acb3230 T0)
    #0 0x14c7bb7 in _zend_mm_free_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2104:6
    #1 0x14ccb17 in _efree /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2440:2
    #2 0x15a6bc1 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:37:4
    #3 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #4 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #5 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #6 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #7 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #8 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #9 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #10 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #11 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #12 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #13 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #14 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #15 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #16 0x15f5185 in i_zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:182:3
    #17 0x15f5185 in zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:192
    #18 0x15f5581 in zend_hash_graceful_reverse_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:613:3
    #19 0x155a230 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:244:3
    #20 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #21 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #22 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #23 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #24 0x7effccee5b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #25 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2104 _zend_mm_free_int
==44044==ABORTING

History

 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:03 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2016-11-21 20:03 UTC] brian dot carpenter at gmail dot com
Does not affect PHP 5.6.28, returns this error:

Warning: Missing argument 1 for ptr2str(), called in /root/tmp/1.php on line 2 and defined in /root/tmp/1.php on line 2