Bug #72939 null ptr deref, segfault _zend_hash_index_update_or_next_insert
Submitted: 2016-08-25 09:23 UTC Modified: 2016-11-21 20:09 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.25 OS: Debian 8.5 x64
Private report: No CVE-ID: None
 [2016-08-25 09:23 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.25 x64 w/ American Fuzzy Lop and ASAN.

Test script:
---------------
<?php
class foo {
    function __wakeup() { $this->__0 = 0 / error_log(''); }
    function _() { (y()); }
}
// fuzzer-generated payload; R:1 is a back-reference to the outermost value (the array)
var_dump(unserialize('a:2:{i:0;O:3:"foo":1:0s:3:"__0";R:1;}'));

Expected result:
----------------
No crash.

Actual result:
--------------
ASAN:SIGSEGV
=================================================================
==2814==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000018edcab sp 0x7ffde9624850 bp 0x7fea62c2ed20 T0)
    #0 0x18edcaa in _zend_hash_index_update_or_next_insert /root/php-5.6.25/Zend/zend_hash.c:401
    #1 0x44306d in process_nested_data /root/php-5.6.25/ext/standard/var_unserializer.c:336
    #2 0x15203d4 in php_var_unserialize /root/php-5.6.25/ext/standard/var_unserializer.c:841
    #3 0x14c9656 in zif_unserialize /root/php-5.6.25/ext/standard/var.c:964
    #4 0x1e551b4 in zend_do_fcall_common_helper_SPEC /root/php-5.6.25/Zend/zend_vm_execute.h:558
    #5 0x1a2c75b in execute_ex /root/php-5.6.25/Zend/zend_vm_execute.h:363
    #6 0x1897c68 in zend_execute_scripts /root/php-5.6.25/Zend/zend.c:1341
    #7 0x15d04ef in php_execute_script /root/php-5.6.25/main/main.c:2613
    #8 0x1e5ede7 in do_cli /root/php-5.6.25/sapi/cli/php_cli.c:994
    #9 0x4565d0 in main /root/php-5.6.25/sapi/cli/php_cli.c:1378
    #10 0x7fea60753b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x45741e (/root/php-5.6.25/sapi/cli/php+0x45741e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_hash.c:401 _zend_hash_index_update_or_next_insert
==2814==ABORTING
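The test script above is the classic vulnerable pattern: a bare `unserialize()` over attacker-controlled bytes, which lets the payload instantiate an arbitrary class (here `foo`) and run its `__wakeup()` while the outer container is still being built. The following is an added example, not code from the report or from PHP itself, showing that pattern next to a hardened counterpart. It assumes PHP 7.0 or later for the `allowed_classes` option (absent from the 5.6 line the report targets), PHP 7.4 or later for `max_depth` (earlier 7.x ignores unknown option keys), and PHP 7.3 or later for `JSON_THROW_ON_ERROR`; the function names `decode_unsafe`, `decode_hardened` and `decode_json` are mine. The payload constant is copied from the report.

```php
<?php
// Added example (not part of the bug report): vulnerable vs. hardened handling
// of serialized data that crosses a trust boundary.

// Payload from the report, produced by the reporter's fuzzer.
const FUZZ_PAYLOAD = 'a:2:{i:0;O:3:"foo":1:0s:3:"__0";R:1;}';

// The class the payload names, as in the test script.
class foo {
    public function __wakeup() { $this->__0 = 0 / error_log(''); }
}

// Vulnerable pattern, exactly what the test script does: any class may be
// instantiated, so attacker-chosen __wakeup()/__destruct() bodies run on
// attacker-chosen object state. On PHP 5.6.25 this crashes per the report.
function decode_unsafe(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern for PHP >= 7.0: refuse to construct any class, so no magic
// method runs (objects come back as __PHP_Incomplete_Class), bound nesting
// depth, and turn the E_NOTICE on malformed input into an exception so a
// false return cannot be mistaken for data.
function decode_hardened(string $untrusted, int $maxDepth = 16)
{
    // Serialized boolean false is the one input that legitimately yields false.
    if ($untrusted === 'b:0;') {
        return false;
    }
    set_error_handler(static function (int $no, string $msg): bool {
        throw new UnexpectedValueException("unserialize rejected input: $msg");
    });
    try {
        $value = unserialize($untrusted, [
            'allowed_classes' => false,     // PHP >= 7.0
            'max_depth'       => $maxDepth, // PHP >= 7.4; assumed ignored by older 7.x
        ]);
    } finally {
        restore_error_handler();
    }
    if ($value === false) {
        throw new UnexpectedValueException('unserialize returned false for non-"b:0;" input');
    }
    return $value;
}

// Preferred transport for untrusted data: a format with no object
// instantiation at all. Even with allowed_classes disabled, unserialize()
// still exposes the native parser to hostile input; json_decode() does not
// reach that code path.
function decode_json(string $untrusted, int $maxDepth = 16): mixed
{
    return json_decode($untrusted, true, $maxDepth, JSON_THROW_ON_ERROR);
}

// Usage on a constructed, well-formed, class-free payload.
var_dump(decode_hardened('a:1:{i:0;s:2:"ok";}'));

// The report's payload only reaches foo::__wakeup() through decode_unsafe(),
// which this script deliberately never calls. decode_hardened() never
// constructs foo, so either outcome below (a rejected input, or an array
// holding an __PHP_Incomplete_Class) leaves no attacker code executed.
try {
    var_dump(decode_hardened(FUZZ_PAYLOAD));
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The PHP manual's own guidance is not to pass untrusted input to `unserialize()` at all; `allowed_classes => false` is defence in depth for code that cannot change its wire format, and a crash of the kind reported here (memory corruption inside the engine rather than a user-level callback) is the reason to treat the native format itself, not just the classes it names, as the attack surface.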

History

 [2016-08-25 21:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:09 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2016-11-21 20:09 UTC] brian dot carpenter at gmail dot com
Doesn't affect 5.6.28, returns this error:

/root/php-5.6.28/Zend/zend_hash.c(938) : ht=0x7fbca2d81128 is inconsistent
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 13:01:30 2024 UTC