php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72870 segfault zend_object_handlers.c:1528 (zend_std_object_get_class)
Submitted: 2016-08-17 19:47 UTC Modified: 2020-01-03 10:58 UTC
From: brian dot carpenter at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.28 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:47 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
 
<?php
print_r(get_loaded_extensions());class SegfaultScenario{private$e;private$t;function __construct(){$this->e=$this;$this->ob0ect=new\stdClass;}public function __destruct(){//
if(!$this->ob0ect)(0);var_dump($this);}}class SomeContainer{public function run(){new SegfaultScenario;}}$container=new SomeContainer();$container->run();gc_collect_cycles();

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault_zend_std_object_get_class 
Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => pcre
    [5] => sqlite3
    [6] => ctype
    [7] => dom
    [8] => fileinfo
    [9] => filter
    [10] => hash
    [11] => iconv
    [12] => json
    [13] => SPL
    [14] => PDO
    [15] => session
    [16] => posix
    [17] => Reflection
    [18] => standard
    [19] => SimpleXML
    [20] => pdo_sqlite
    [21] => Phar
    [22] => tokenizer
    [23] => xml
    [24] => xmlreader
    [25] => xmlwriter
)
object(SegfaultScenario)#2 (3) {
  ["e":"SegfaultScenario":private]=>
  *RECURSION*
  ["t":"SegfaultScenario":private]=>
  NULL
  ["ob0ect"]=>
  ASAN:SIGSEGV
=================================================================
==96937==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7effffffff (pc 0x00000168c99c bp 0x7ffe2bc7d470 sp 0x7ffe2bc7d2f0 T0)
    #0 0x168c99b in zend_std_object_get_class /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:1528:2
    #1 0x15b4c5d in zend_get_class_entry /home/geeknik/php-5.6.24/Zend/zend_API.c:238:10
    #2 0x167d188 in zend_std_get_debug_info /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:140:25
    #3 0x12daacf in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:129:10
    #4 0x12dbfae in php_object_property_dump /home/geeknik/php-5.6.24/ext/standard/var.c:82:2
    #5 0x15f6298 in zend_hash_apply_with_arguments /home/geeknik/php-5.6.24/Zend/zend_hash.c:701:12
    #6 0x12db3a4 in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:146:4
    #7 0x12dc290 in zif_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:183:3
    #8 0x184edb0 in zend_do_fcall_common_helper_SPEC /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:558:5
    #9 0x17311d7 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:2602:9
    #10 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #11 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #12 0x15624f3 in zend_call_function /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:829:4
    #13 0x16298ce in zend_call_method /home/geeknik/php-5.6.24/Zend/zend_interfaces.c:97:12
    #14 0x167a8c4 in zend_objects_destroy_object /home/geeknik/php-5.6.24/Zend/zend_objects.c:123:3
    #15 0x16595ee in gc_collect_cycles /home/geeknik/php-5.6.24/Zend/zend_gc.c:811:6
    #16 0x161a247 in zif_gc_collect_cycles /home/geeknik/php-5.6.24/Zend/zend_builtin_functions.c:361:2
    #17 0x184edb0 in zend_do_fcall_common_helper_SPEC /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:558:5
    #18 0x17311d7 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:2602:9
    #19 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #20 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #21 0x15b1cc1 in zend_execute_scripts /home/geeknik/php-5.6.24/Zend/zend.c:1341:4
    #22 0x13be7f1 in php_execute_script /home/geeknik/php-5.6.24/main/main.c:2613:14
    #23 0x1907aaa in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:994:5
    #24 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #25 0x7f7ed0130b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #26 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_object_handlers.c:1528 zend_std_object_get_class
==96937==ABORTING


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 19:59 UTC] brian dot carpenter at gmail dot com
-PHP Version: 5.6.24 +PHP Version: 5.6.28
 [2016-11-21 19:59 UTC] brian dot carpenter at gmail dot com
Affects 5.6.28:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => pcre
    [5] => sqlite3
    [6] => ctype
    [7] => dom
    [8] => fileinfo
    [9] => filter
    [10] => hash
    [11] => iconv
    [12] => json
    [13] => SPL
    [14] => PDO
    [15] => session
    [16] => posix
    [17] => Reflection
    [18] => standard
    [19] => SimpleXML
    [20] => pdo_sqlite
    [21] => Phar
    [22] => tokenizer
    [23] => xml
    [24] => xmlreader
    [25] => xmlwriter
)
object(SegfaultScenario)#2 (3) {
  ["e":"SegfaultScenario":private]=>
  *RECURSION*
  ["t":"SegfaultScenario":private]=>
  NULL
  ["ob0ect"]=>
  ASAN:SIGSEGV
=================================================================
==28442==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4effffffff (pc 0x000001a7d3a8 sp 0x7fff22da0dd0 bp 0x7fff22da0df0 T0)
    #0 0x1a7d3a7 in zend_std_object_get_class /root/php-5.6.28/Zend/zend_object_handlers.c:1528
    #1 0x1a7d511 in zend_std_get_debug_info /root/php-5.6.28/Zend/zend_object_handlers.c:140
    #2 0x1557d60 in php_var_dump /root/php-5.6.28/ext/standard/var.c:129
    #3 0x1558f3d in php_object_property_dump /root/php-5.6.28/ext/standard/var.c:82
    #4 0x19c67f7 in zend_hash_apply_with_arguments /root/php-5.6.28/Zend/zend_hash.c:701
    #5 0x155819a in php_var_dump /root/php-5.6.28/ext/standard/var.c:146
    #6 0x15596ef in zif_var_dump /root/php-5.6.28/ext/standard/var.c:183
    #7 0x1dbd765 in zend_do_fcall_common_helper_SPEC /root/php-5.6.28/Zend/zend_vm_execute.h:558
    #8 0x1bb6278 in execute_ex /root/php-5.6.28/Zend/zend_vm_execute.h:363
    #9 0x18dca5e in zend_call_function /root/php-5.6.28/Zend/zend_execute_API.c:831
    #10 0x1a12e16 in zend_call_method /root/php-5.6.28/Zend/zend_interfaces.c:97
    #11 0x1a7a4bd in zend_objects_destroy_object /root/php-5.6.28/Zend/zend_objects.c:123
    #12 0x1a4e4ee in gc_collect_cycles /root/php-5.6.28/Zend/zend_gc.c:811
    #13 0x19e37b0 in zif_gc_collect_cycles /root/php-5.6.28/Zend/zend_builtin_functions.c:361
    #14 0x1dbd765 in zend_do_fcall_common_helper_SPEC /root/php-5.6.28/Zend/zend_vm_execute.h:558
    #15 0x1bb6278 in execute_ex /root/php-5.6.28/Zend/zend_vm_execute.h:363
    #16 0x195e048 in zend_execute_scripts /root/php-5.6.28/Zend/zend.c:1341
    #17 0x167b5bf in php_execute_script /root/php-5.6.28/main/main.c:2613
    #18 0x1dc6fe4 in do_cli /root/php-5.6.28/sapi/cli/php_cli.c:998
    #19 0x4516a0 in main /root/php-5.6.28/sapi/cli/php_cli.c:1382
    #20 0x7f4ee9a46b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #21 0x45253e (/root/php-5.6.28/sapi/cli/php+0x45253e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.28/Zend/zend_object_handlers.c:1528 zend_std_object_get_class
==28442==ABORTING
 [2020-01-03 10:58 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 10:58 UTC] nikic@php.net
Can't reproduce this on 7.2 or upwards, so assuming this has already been fixed in the meantime. As this looks like a GC+__destructor issue, it has likely been fixed in PHP 7.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 06:01:29 2024 UTC