Bug #72944 Null pointer deref in zval_delref_p
Submitted: 2016-08-26 09:04 UTC Modified: 2016-08-26 11:02 UTC
From: hanno at hboeck dot de Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 7.0.10 OS: Linux
Private report: No CVE-ID:
 [2016-08-26 09:04 UTC] hanno at hboeck dot de
Description:
------------
The attached file crashes when run with USE_ZEND_ALLOC=0 on an address sanitizer build.
This does not happen on a non-ASan build; I don't know why.

Script to reproduce:
https://crashes.fuzzing-project.org/nullptr.php

Asan error message / stack trace:
==5235==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000d74c90 sp 0x7ffef1db4a90 bp 0x7fe86bdec8f0 T0)
    #0 0xd74c8f in zval_delref_p /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_types.h:827
    #1 0xd74c8f in _zval_ptr_dtor_nogc /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_variables.h:49
    #2 0xd74c8f in ZEND_BW_AND_SPEC_TMPVAR_TMPVAR_HANDLER /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:45077
    #3 0xcf748d in execute_ex /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:414
    #4 0xe5c7bd in zend_execute /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:458
    #5 0xc1d5ba in zend_execute_scripts /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend.c:1427
    #6 0xb068bf in php_execute_script /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/main/main.c:2494
    #7 0xe60b1f in do_cli /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/sapi/cli/php_cli.c:974
    #8 0x48428b in main /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/sapi/cli/php_cli.c:1344
    #9 0x7fe8710f978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x484a18 in _start (/usr/lib64/php7.0/bin/php+0x484a18)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_types.h:827 zval_delref_p
==5235==ABORTING
History
 [2016-08-26 10:34 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-08-26 10:34 UTC] ab@php.net
An empty page is shown in the posted link. Please post the PHP code.

Thanks.
 [2016-08-26 10:37 UTC] hanno at hboeck dot de
-Status: Feedback +Status: Open
 [2016-08-26 10:37 UTC] hanno at hboeck dot de
Uh? I can download it without problems.
It contains nonstandard characters, so I'm not sure whether pasting will work, but I'll try anyway:
<?php ÿ==e&$€=$€?0:0?:0;

In case this didn't work, base64:
PD9waHAg/z09ZSYkgD0kgD8wOjA/OjA7Cg==
 [2016-08-26 11:02 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2016-08-26 11:02 UTC] laruence@php.net
the problem is in the ZEND_IS_EQUAL handler:

ZEND_VM_SMART_BRANCH(result, 0)
ZVAL_BOOL(EX_VAR(opline->result.var), result);

only checks whether the next opline is a JMP, but doesn't check if the operand is ZEND_IS_EQUAL's result.

so, for your example:
<?php "a"== e & $A = $A? 0 : 0 ?:0;

will generate the following opcodes:

FETCH_CONSTANT                               "e"                  
IS_EQUAL                "a"                  ~0                   ~1 (IS_EQUAL result)
JMPZ                    $A                   J5

....
....
....
AND                        ~1 (IS_EQUAL result)


then in ZEND_VM_SMART_BRANCH, it finds that the next op is ZEND_JMPZ, so it does a smart jmp without setting the result to EX_VAR(opline->result.var), which is ~1

then later, in the AND opcode, ~1 is IS_UNDEF.



thanks
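As an added illustration of the analysis above (this is a constructed model, not php-src code and not part of the report), a small C interpreter over the opcode shape from laruence's dump: the buggy rule fuses IS_EQUAL with any following JMPZ, the fixed rule only when that JMPZ actually tests IS_EQUAL's result var. Slot numbers, values and the NOP arm are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the VM's "smart branch" decision; not php-src code. */
enum opcode { IS_EQUAL, JMPZ, NOP, BW_AND };
enum { UNDEF = -1, NSLOTS = 5 };
struct opline { enum opcode op; int op1, op2, result, target; };

/* Slots: 0 = "a", 1 = constant e, 2 = ~1 (IS_EQUAL result), 3 = $A, 4 = scratch.
 * As in laruence's dump: IS_EQUAL writes ~1, the JMPZ right after it tests $A,
 * and both paths rejoin at a BW_AND that consumes ~1.                          */
static const struct opline program[] = {
    { IS_EQUAL, 0, 1, 2, 0 },
    { JMPZ,     3, 0, 0, 3 },   /* op1 is $A (slot 3), not ~1 (slot 2) */
    { NOP,      0, 0, 0, 0 },   /* fall-through arm of the ?: */
    { BW_AND,   2, 4, 4, 0 },   /* reads ~1 */
};

/* Runs the program and returns what BW_AND finds in its op1 slot. UNDEF means
 * IS_EQUAL's result was never written; the real VM then destroys a temporary
 * that was never initialised, which is the zval_delref_p crash in the trace. */
static int run(bool check_branch_operand, int a_value) {
    int vars[NSLOTS];
    for (int i = 0; i < NSLOTS; i++) vars[i] = UNDEF;
    vars[0] = 7; vars[1] = 7; vars[3] = a_value; vars[4] = 0;
    size_t pc = 0;
    while (pc < sizeof program / sizeof program[0]) {
        const struct opline *o = &program[pc];
        switch (o->op) {
        case IS_EQUAL: {
            int eq = vars[o->op1] == vars[o->op2];
            const struct opline *next = o + 1;
            /* Buggy: fuse with any following JMPZ. Fixed: only if it tests our result. */
            if (next->op == JMPZ && (!check_branch_operand || next->op1 == o->result)) {
                pc = eq ? pc + 2 : (size_t)next->target;   /* branch, skipping the JMPZ */
                continue;
            }
            vars[o->result] = eq; pc++; break;
        }
        case JMPZ:   pc = vars[o->op1] ? pc + 1 : (size_t)o->target; break;
        case NOP:    pc++; break;
        case BW_AND: return vars[o->op1];
        }
    }
    return UNDEF;
}

int main(void) {
    printf("buggy: %d  fixed: %d\n", run(false, 0), run(true, 0));  /* -1 and 1 */
    return 0;
}
```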
 [2016-08-29 09:15 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b66039db333f730be60c6f6e1925eeb01220e4eb
Log: Fixed bug #72944 (Null pointer deref in zval_delref_p).
 [2016-08-29 09:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b66039db333f730be60c6f6e1925eeb01220e4eb
Log: Fixed bug #72944 (Null pointer deref in zval_delref_p).
Last updated: Tue Aug 29 15:01:52 2017 UTC