Bug #72872 segfault zend_alloc.c:1910 (_zend_mm_alloc_int)
Submitted: 2016-08-17 19:55 UTC Modified: 2016-11-21 20:07 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:55 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.

Possibly related to Sec Bug #72869.

Test script:
---------------
<?php
$poc='a:4:{i:0;i:0;i:0;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:0;i:0;i:0;R:5;}';$t=unserialize($poc)^gc_collect_cycles()/$fa0ezval=ptr2str();$f="";$fa0ezval="";for(;;){$v[]=0;}([]);class ryat{var$t;var$g;function __destruct(){$this->chtg=$this->ryat;}}function ptr2str($r){for(;$i;){}}

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/100816$ ./php segfault__zend_mm_alloc_int 

Warning: Missing argument 1 for ptr2str(), called in /home/geeknik/php-tmp/crashers/100816/segfault__zend_mm_alloc_int on line 2 and defined in /home/geeknik/php-tmp/crashers/100816/segfault__zend_mm_alloc_int on line 2

Warning: Division by zero in /home/geeknik/php-tmp/crashers/100816/segfault__zend_mm_alloc_int on line 2
ASAN:SIGSEGV
=================================================================
==1607==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000014c33e1 bp 0x61d00001ea80 sp 0x7fff67da3f20 T0)
    #0 0x14c33e0 in _zend_mm_alloc_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:1910:4
    #1 0x14cc9c7 in _emalloc /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2429:9
    #2 0x18bea72 in zend_assign_const_to_variable /home/geeknik/php-5.6.24/Zend/zend_execute.c:882:3
    #3 0x181a72a in ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:39128:14
    #4 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #5 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #6 0x15b1cc1 in zend_execute_scripts /home/geeknik/php-5.6.24/Zend/zend.c:1341:4
    #7 0x13be7f1 in php_execute_script /home/geeknik/php-5.6.24/main/main.c:2613:14
    #8 0x1907aaa in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:994:5
    #9 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #10 0x7f3335bb0b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #11 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:1910 _zend_mm_alloc_int
==1607==ABORTING

History

 [2016-08-17 20:06 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:07 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2016-11-21 20:07 UTC] brian dot carpenter at gmail dot com
Does not affect 5.6.28, returns this error:

Warning: Missing argument 1 for ptr2str(), called in /root/tmp/1.php on line 2 and defined in /root/tmp/1.php on line 2

Warning: Division by zero in /root/tmp/1.php on line 2

Fatal error: Allowed memory size of 134217728 bytes exhausted at /root/php-5.6.28/Zend/zend_execute.c:880 (tried to allocate 32 bytes) in /root/tmp/1.php on line 2
Last updated: Mon Apr 29 08:01:29 2024 UTC