Bug #72907 null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)
Submitted: 2016-08-20 19:14 UTC Modified: 2016-08-21 09:34 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.25 OS: Debian 8.5 x64
Private report: No CVE-ID:
 [2016-08-20 19:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.25 x64 w/ American Fuzzy Lop and ASAN.

Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/php/segfault_gc_remove_zval_from_buffer

Expected result:
----------------
No crash.
Actual result:
--------------
ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.5/bin/llvm-symbolizer ASAN_OPTIONS=symbolizer=1 ./php test00

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Creating default object from empty value in /root/php-tmp/out/crashes/test00 on line 1
ASAN:SIGSEGV
=================================================================
==28119==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x00000197cd3f sp 0x7ffe8a728df0 bp 0x7ffbeb6c8d78 T0)
    #0 0x197cd3e in gc_remove_from_buffer /root/php-5.6.25/Zend/zend_gc.h:190
    #1 0x197cd3e in gc_remove_zval_from_buffer /root/php-5.6.25/Zend/zend_gc.c:260
    #2 0x1b2c41f in i_zval_ptr_dtor_nogc /root/php-5.6.25/Zend/zend_execute.h:94
    #3 0x1b2c41f in ZEND_BW_XOR_SPEC_VAR_VAR_HANDLER /root/php-5.6.25/Zend/zend_vm_execute.h:19132
    #4 0x1a2d076 in execute_ex /root/php-5.6.25/Zend/zend_vm_execute.h:363
    #5 0x1898248 in zend_execute_scripts /root/php-5.6.25/Zend/zend.c:1341
    #6 0x15cd9af in php_execute_script /root/php-5.6.25/main/main.c:2613
    #7 0x1e5cf19 in do_cli /root/php-5.6.25/sapi/cli/php_cli.c:994
    #8 0x4565ec in main /root/php-5.6.25/sapi/cli/php_cli.c:1378
    #9 0x7ffbe91f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x45761e (/root/php-5.6.25/sapi/cli/php+0x45761e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_gc.h:190 gc_remove_from_buffer
==28119==ABORTING

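As an added example (not part of the report and not PHP's own code): a small Python triage helper that reads an ASAN SEGV report like the one above, classifies the faulting address (0x9 here is a NULL-plus-small-offset access, which is what the bug title calls a null pointer deref), and uses the shared pc of frames #0 and #1 to attribute the crash to the out-of-line function `gc_remove_zval_from_buffer` rather than the inlined `gc_remove_from_buffer`. The trimmed report is embedded as constructed sample input; the frame-inlining heuristic and the page-size threshold are assumptions of this example.

```python
import re

# Constructed sample input: the AddressSanitizer report from this bug, trimmed to
# the frames the triage needs (the remaining frames do not change the result).
ASAN_REPORT = """\
==28119==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x00000197cd3f sp 0x7ffe8a728df0 bp 0x7ffbeb6c8d78 T0)
    #0 0x197cd3e in gc_remove_from_buffer /root/php-5.6.25/Zend/zend_gc.h:190
    #1 0x197cd3e in gc_remove_zval_from_buffer /root/php-5.6.25/Zend/zend_gc.c:260
    #2 0x1b2c41f in i_zval_ptr_dtor_nogc /root/php-5.6.25/Zend/zend_execute.h:94
    #3 0x1b2c41f in ZEND_BW_XOR_SPEC_VAR_VAR_HANDLER /root/php-5.6.25/Zend/zend_vm_execute.h:19132
    #9 0x7ffbe91f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_gc.h:190 gc_remove_from_buffer
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) (\S+):(\d+)$", re.M)

# Assumption: an access inside the first page of the address space is a NULL
# (or NULL-plus-small-offset) dereference rather than a wild or freed pointer.
PAGE_SIZE = 4096


def parse_frames(report):
    """Symbolized frames as (pc, function, file, line). Frames without a source
    location (e.g. libc) are skipped. Consecutive frames that share one pc are
    inlined into each other, which is why ASAN prints both of them."""
    return [(int(pc, 16), fn, path, int(ln))
            for _, pc, fn, path, ln in FRAME_RE.findall(report)]


def triage(report):
    """Summarise an ASAN SEGV report into a fuzzing-crash bucket, or None."""
    m = ERROR_RE.search(report)
    if not m or m.group(1) != "SEGV":
        return None
    addr = int(m.group(2), 16)
    frames = parse_frames(report)
    if not frames:
        return None
    # Every frame sharing the top pc is one inlined chain; the last of them is
    # the out-of-line function that actually owns the faulting instruction.
    chain = [f for f in frames if f[0] == frames[0][0]]
    outer = chain[-1]
    return {
        "kind": "null-deref" if addr < PAGE_SIZE else "wild-access",
        "offset": addr,
        "crash_site": f"{frames[0][2]}:{frames[0][3]}",
        "inlined_into": f"{outer[1]} ({outer[2]}:{outer[3]})",
        "bucket": f"SEGV:{outer[1]}",
    }
```

Bucketing on the outer function rather than the inlined header helper keeps crashes from different callers of the same inline routine in separate buckets.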
History

 [2016-08-21 04:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-21 09:41 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b740bb3987ba4f181dfda91ce3bd9fe663155574
Log: Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))
 [2016-08-21 09:41 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b740bb3987ba4f181dfda91ce3bd9fe663155574
Log: Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC