Bug #74084 Out of bound read - zend_mm_alloc_small
Submitted: 2017-02-11 14:08 UTC Modified: 2017-02-12 12:56 UTC
From: baharirad at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.1 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2017-02-11 14:08 UTC] baharirad at gmail dot com
Description:
------------
Out of bound read in zend_mm_alloc_small, crashes php-cli version 7.1.1 and above. I think it is a security bug and its severity is low.

$ /home/milad/php-src/sapi/cli/php 1          
[1]    7384 segmentation fault (core dumped)  /home/milad/php-src/sapi/cli/php 1

Test script:
---------------
PoC: https://github.com/miladbr/public-poc/blob/master/php/1

Expected result:
----------------
php-cli should fail gracefully.

Actual result:
--------------
Valgrind output:

==7278== Invalid read of size 8
==7278==    at 0xE2A9C1: zend_mm_alloc_small (zend_alloc.c:1261)
==7278==    by 0xE2A9C1: zend_mm_alloc_heap (zend_alloc.c:1332)
==7278==    by 0xE2A9C1: _emalloc (zend_alloc.c:2417)
==7278==    by 0xD947F4: sapi_send_headers (SAPI.c:867)
==7278==    by 0xC63412: php_header (head.c:76)
==7278==    by 0xDADEC7: php_output_header (output.c:123)
==7278==    by 0xDAE790: php_output_op (output.c:1067)
==7278==    by 0xDAE408: php_output_write (output.c:257)
==7278==    by 0xD72391: php_printf (main.c:726)
==7278==    by 0xD7832E: php_error_cb (main.c:1167)
==7278==    by 0xEBA402: zend_error (zend.c:1253)
==7278==    by 0x10F0293: ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (zend_vm_execute.h:18224)
==7278==    by 0xF9EEFD: execute_ex (zend_vm_execute.h:432)
==7278==    by 0xF9F963: zend_execute (zend_vm_execute.h:474)
==7278==  Address 0x925c75800 is not stack'd, malloc'd or (recently) free'd
==7278== 
==7278== 
==7278== Process terminating with default action of signal 11 (SIGSEGV)
==7278==  Access not within mapped region at address 0x925C75800
==7278==    at 0xE2A9C1: zend_mm_alloc_small (zend_alloc.c:1261)
==7278==    by 0xE2A9C1: zend_mm_alloc_heap (zend_alloc.c:1332)
==7278==    by 0xE2A9C1: _emalloc (zend_alloc.c:2417)
==7278==    by 0xD947F4: sapi_send_headers (SAPI.c:867)
==7278==    by 0xC63412: php_header (head.c:76)
==7278==    by 0xDADEC7: php_output_header (output.c:123)
==7278==    by 0xDAE790: php_output_op (output.c:1067)
==7278==    by 0xDAE408: php_output_write (output.c:257)
==7278==    by 0xD72391: php_printf (main.c:726)
==7278==    by 0xD7832E: php_error_cb (main.c:1167)
==7278==    by 0xEBA402: zend_error (zend.c:1253)
==7278==    by 0x10F0293: ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (zend_vm_execute.h:18224)
==7278==    by 0xF9EEFD: execute_ex (zend_vm_execute.h:432)
==7278==    by 0xF9F963: zend_execute (zend_vm_execute.h:474)
==7278==  If you believe this happened as a result of a stack
==7278==  overflow in your program's main thread (unlikely but
==7278==  possible), you can try to increase the size of the
==7278==  main thread stack using the --main-stacksize= flag.
==7278==  The main thread stack size used in this run was 8388608.

Backtrace:

#0  zend_mm_alloc_small (size=0x0, heap=<optimized out>, bin_num=<optimized out>) at Zend/zend_alloc.c:1261
#1  zend_mm_alloc_heap (heap=0x7ffff3c00040, size=<optimized out>) at Zend/zend_alloc.c:1332
#2  _emalloc (size=<optimized out>) at Zend/zend_alloc.c:2417
#3  0x0000000000d947f5 in sapi_send_headers () at main/SAPI.c:867
#4  0x0000000000c63413 in php_header () at ext/standard/head.c:76
#5  0x0000000000dadec8 in php_output_header () at main/output.c:123
#6  0x0000000000dae791 in php_output_op (op=<optimized out>, 
    str=0x7ffff3c75380 "\nWarning: Creating default object from empty value in /home/milad/1 on line 1\n", len=0x55) at main/output.c:1067
#7  0x0000000000dae409 in php_output_write (str=0x7ffff3c75380 "\nWarning: Creating default object from empty value in /home/milad/1 on line 1\n", len=0x55)
    at main/output.c:257
#8  0x0000000000d72392 in php_printf (format=0x1a84480 <__afl_area_initial> "") at main/main.c:726
#9  0x0000000000d7832f in php_error_cb (type=0x2, error_filename=<optimized out>, error_lineno=<optimized out>, format=<optimized out>, args=<optimized out>)
    at main/main.c:1167
#10 0x0000000000eba403 in zend_error (type=<optimized out>, format=<optimized out>) at Zend/zend.c:1253
#11 0x00000000010f0294 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:18224
#12 0x0000000000f9eefe in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#13 0x0000000000f9f964 in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#14 0x0000000000ebbf0b in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>) at Zend/zend.c:1543
#15 0x0000000000d796b8 in php_execute_script (primary_file=<optimized out>) at main/main.c:2551
#16 0x000000000118ef31 in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:997
#17 0x000000000118cc72 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe498) at sapi/cli/php_cli.c:1390
#18 0x00007ffff68f3830 in __libc_start_main (main=0x118c360 <main>, argc=0x2, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at ../csu/libc-start.c:291
#19 0x0000000000424209 in _start ()

History

 [2017-02-12 12:30 UTC] laruence@php.net
-Type: Security +Type: Bug
 [2017-02-12 12:30 UTC] laruence@php.net
This is not a security issue. It requires running specific PHP code.
 [2017-02-12 12:40 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence