PHP :: Bug #72873 :: segfault zend_alloc.c:837 (zend_mm_remove_from_free

Bug #72873

segfault zend_alloc.c:837 (zend_mm_remove_from_free_list)

Submitted:

2016-08-17 20:05 UTC

Modified:

2018-08-14 14:49 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

brian dot carpenter at gmail dot com

Assigned:

cmb (profile)

Status:

Duplicate

Package:

Reproducible crash

PHP Version:

5.6.24

OS:

Debian 8

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 11 + 23 = ?
Subscribe to this entry?

[2016-08-17 20:05 UTC] brian dot carpenter at gmail dot com

Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/segfault_zend_mm_remove_from_free_list

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/100816$ ./php segfault_zend_mm_remove_from_free_list 

Warning: Unexpected character in input:  ' in /home/geeknik/php-tmp/crashers/100816/segfault_zend_mm_remove_from_free_list on line 33
NULL
ASAN:SIGSEGV
=================================================================
==58429==ERROR: AddressSanitizer: SEGV on unknown address 0x000dcfff8023 (pc 0x0000014cedfd bp 0x7f6a828efdb7 sp 0x7ffe8af9d3f0 T0)
    #0 0x14cedfc in zend_mm_remove_from_free_list /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837:7
    #1 0x14c7bf5 in _zend_mm_free_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2105:3
    #2 0x14ccb17 in _efree /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2440:2
    #3 0x1679f9a in zend_object_std_dtor /home/geeknik/php-5.6.24/Zend/zend_objects.c:57:3
    #4 0x167ae1a in zend_objects_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects.c:137:2
    #5 0x169c115 in zend_objects_store_free_object_storage /home/geeknik/php-5.6.24/Zend/zend_objects_API.c:97:5
    #6 0x155ab23 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:290:3
    #7 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #8 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #9 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #10 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #11 0x7f6a80edeb44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #12 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:837 zend_mm_remove_from_free_list
==58429==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-17 20:07 UTC] stas@php.net

-Status: Open +Status: Feedback

[2016-08-17 20:07 UTC] stas@php.net

I am not able to download the test script from the link.

[2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com

-Status: Feedback +Status: Open

[2016-08-17 20:10 UTC] brian dot carpenter at gmail dot com

Sorry, Dropbox was being a turd. The test script is actually here: https://dl.dropboxusercontent.com/u/6088006/php/segfault_zend_mm_remove_from_free_list

[2016-08-17 21:31 UTC] stas@php.net

The code is:

<?0==
$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"tyat";R:3;s:4:"c|tg";i:2;}}i:1;i:3;i:2;R:5;G';
$out = unserialize($poc);
'';
	for ($i = 0; $i < 8; $i++) gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezvrl .= "d00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x0";
$fakezvcl .= "\x00\x00";
for ($i = 0; $i <55; $i++) {
	$v[$i] = $fa = unserialize($poc)^
gckezval.$i;
}
var_dump($out[2]);

class ryat
{
	var $ryat;
	var $chtg;
	
	function __destruct()
	{
		$this->chtg = $this;
	}
}

function ptr2str($ptr)
{
	$out = '';
	for ($i = 0; $i < 8; $i++) {
@$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}

[2016-08-17 21:32 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-08-17 22:23 UTC] ryat@php.net

All these bugs are same as https://bugs.php.net/bug.php?id=72530. Plz don't repeat.

[2018-08-14 14:49 UTC] cmb@php.net

-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb

[2018-08-14 14:49 UTC] cmb@php.net

> All these bugs are same as https://bugs.php.net/bug.php?id=72530.

So this is a duplicate of bug #72530.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 09:01:28 2024 UTC