php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72873 segfault zend_alloc.c:837 (zend_mm_remove_from_free_list)
Submitted: 2016-08-17 20:05 UTC Modified: 2018-08-14 14:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: brian dot carpenter at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-17 20:05 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/segfault_zend_mm_remove_from_free_list

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/100816$ ./php segfault_zend_mm_remove_from_free_list 

Warning: Unexpected character in input:  ' in /home/geeknik/php-tmp/crashers/100816/segfault_zend_mm_remove_from_free_list on line 33
NULL
ASAN:SIGSEGV
=================================================================
==58429==ERROR: AddressSanitizer: SEGV on unknown address 0x000dcfff8023 (pc 0x0000014cedfd bp 0x7f6a828efdb7 sp 0x7ffe8af9d3f0 T0)
    #0 0x14cedfc in zend_mm_remove_from_free_list /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837:7
    #1 0x14c7bf5 in _zend_mm_free_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2105:3
    #2 0x14ccb17 in _efree /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2440:2
    #3 0x1679f9a in zend_object_std_dtor /home/geeknik/php-5.6.24/Zend/zend_objects.c:57:3
    #4 0x167ae1a in zend_objects_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects.c:137:2
    #5 0x169c115 in zend_objects_store_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects_API.c:97:5
    #6 0x155ab23 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:290:3
    #7 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #8 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #9 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #10 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #11 0x7f6a80edeb44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #12 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837 zend_mm_remove_from_free_list
==58429==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-17 20:07 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-08-17 20:07 UTC] stas@php.net
I am not able to download the test script from the link.
 [2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com
-Status: Feedback +Status: Open
 [2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com
Sorry, Dropbox was being a turd. The test script is actually here: https://dl.dropboxusercontent.com/u/6088006/php/segfault_zend_mm_remove_from_free_list
 [2016-08-17 21:31 UTC] stas@php.net
The code is:

<?0==
$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"tyat";R:3;s:4:"c|tg";i:2;}}i:1;i:3;i:2;R:5;G';
$out = unserialize($poc);
'';
	for ($i = 0; $i < 8; $i++) gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezvrl .= "d00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x0";
$fakezvcl .= "\x00\x00";
for ($i = 0; $i <55; $i++) {
	$v[$i] = $fa = unserialize($poc)^
gckezval.$i;
}
var_dump($out[2]);

class ryat
{
	var $ryat;
	var $chtg;
	
	function __destruct()
	{
		$this->chtg = $this;
	}
}

function ptr2str($ptr)
{
	$out = '';
	for ($i = 0; $i < 8; $i++) {
@$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}
 [2016-08-17 21:32 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-17 22:23 UTC] ryat@php.net
All these bugs are same as https://bugs.php.net/bug.php?id=72530. Plz don't repeat.
 [2018-08-14 14:49 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-08-14 14:49 UTC] cmb@php.net
> All these bugs are same as https://bugs.php.net/bug.php?id=72530.

So this is a duplicate of bug #72530.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 05 16:01:30 2024 UTC