Bug #74310 segfault in i_zval_ptr_dtor()
Submitted: 2017-03-24 22:59 UTC Modified: 2021-06-09 15:30 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: brian dot carpenter at gmail dot com Assigned: pollita (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1Git-2017-03-24 (Git) OS: Debian 8 x64
Private report: No CVE-ID: None
 [2017-03-24 22:59 UTC] brian dot carpenter at gmail dot com
Segfault found in PHP 7.2.0-dev (git 37da80b) on Debian 8.x x64, built with afl-gcc.

Test script:


Expected result:
No crash.

Actual result:
==387==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9b69800000 (pc 0x000001b8c308 sp 0x7ffd5005a7b0 bp 0x7f9b6a25f248 T0)
    #0 0x1b8c307 in i_zval_ptr_dtor /root/php-git/Zend/zend_variables.h:48
    #1 0x1b8c307 in zend_unclean_zval_ptr_dtor /root/php-git/Zend/zend_execute_API.c:212
    #2 0x1cc4b3a in _zend_hash_del_el_ex /root/php-git/Zend/zend_hash.c:997
    #3 0x1cc4b3a in _zend_hash_del_el /root/php-git/Zend/zend_hash.c:1020
    #4 0x1cc4b3a in zend_hash_graceful_reverse_destroy /root/php-git/Zend/zend_hash.c:1476
    #5 0x1b8f83c in shutdown_executor /root/php-git/Zend/zend_execute_API.c:281
    #6 0x1c1e1d4 in zend_deactivate /root/php-git/Zend/zend.c:1060
    #7 0x192f468 in php_request_shutdown /root/php-git/main/main.c:1879
    #8 0x238b5a9 in do_cli /root/php-git/sapi/cli/php_cli.c:1164
    #9 0x47253b in main /root/php-git/sapi/cli/php_cli.c:1390
    #10 0x7f9b6d3b9b44 in __libc_start_main (/lib/x86_64-linux-gnu/
    #11 0x47318e (/root/php-git/sapi/cli/php+0x47318e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-git/Zend/zend_variables.h:48 i_zval_ptr_dtor


bug_74310_decrement_after_alloc (last revision 2017-03-26 17:08 UTC by

 [2017-03-25 22:29 UTC]
-Status: Open +Status: Verified
 [2017-03-25 22:29 UTC]
I've been able to reduce the repro script to the following. When I run it under gdb, it still crashes, apparently while trying to clean up the global symbol table at request end.


Interestingly, shortening the keys (while keeping them unique) *does* avoid the crash.

(gdb) bt
#0  0x00000000009a006c in i_zval_ptr_dtor (zval_ptr=0x7fffef01e090, 
    __zend_filename=0x10d7148 "/home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c", 
    __zend_lineno=212) at /home/sgolemon/dev/php/php-src/Zend/zend_variables.h:48
#1  0x00000000009a0c5c in zend_unclean_zval_ptr_dtor (zv=0x7fffef01e090)
    at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:212
#2  0x00000000009d2893 in _zend_hash_del_el_ex (ht=0x1452d90 <executor_globals+304>, idx=8, 
    p=0x7fffef063200, prev=0x0) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:997
#3  0x00000000009d2973 in _zend_hash_del_el (ht=0x1452d90 <executor_globals+304>, idx=8, 
    p=0x7fffef063200) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1020
#4  0x00000000009d3ef8 in zend_hash_graceful_reverse_destroy (
    ht=0x1452d90 <executor_globals+304>) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1476
#5  0x00000000009a0f86 in shutdown_executor ()
    at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:281
#6  0x00000000009bbc73 in zend_deactivate () at /home/sgolemon/dev/php/php-src/Zend/zend.c:1060
#7  0x0000000000921857 in php_request_shutdown (dummy=0x0)
    at /home/sgolemon/dev/php/php-src/main/main.c:1879
#8  0x0000000000aa848b in do_cli (argc=2, argv=0x1457d20)
    at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1164
#9  0x0000000000aa8cf9 in main (argc=2, argv=0x1457d20)
    at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1390
 [2017-03-26 17:08 UTC]
The following patch has been added/updated:

Patch Name: bug_74310_decrement_after_alloc
Revision:   1490548119
 [2017-03-26 17:09 UTC]
-Status: Verified +Status: Analyzed
 [2017-03-26 17:09 UTC]
This happens as the refcount is decremented, but the assignment to the new value never happens, thus leaving us with a zend_string with two references but rc=1.

A trivial fix would be:

But I'm not sure whether that's the ideal fix though.
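The ordering problem described in this comment, modelled as an added C example (a constructed toy, not code from php-src; every name here is hypothetical): a holder's reference to a refcounted string is dropped before the replacement value has been allocated, so when the allocation bails out the string ends up with more holders than its refcount says, and a later destructor pass frees it while it is still referenced. The second function shows the "decrement after alloc" ordering.

```c
#include <stdlib.h>
#include <string.h>

/* Toy refcounted string standing in for zend_string (constructed model). */
typedef struct { int rc; char *buf; } rstr;

static rstr *rstr_new(const char *s) {
    rstr *r = malloc(sizeof *r);
    size_t n = strlen(s) + 1;
    r->rc = 1;
    r->buf = malloc(n);
    memcpy(r->buf, s, n);
    return r;
}
static void rstr_addref(rstr *r) { r->rc++; }
static void rstr_release(rstr *r) { if (--r->rc == 0) { free(r->buf); free(r); } }

/* Allocation that can "bail out" on demand, standing in for a memory-limit error. */
static int alloc_fails = 0;
static rstr *rstr_try_new(const char *s) { return alloc_fails ? NULL : rstr_new(s); }

/* Buggy ordering: the old value loses a reference before its replacement exists.
 * If allocation bails out, *slot still points at old, but old->rc no longer counts it. */
static int assign_buggy(rstr **slot, const char *s) {
    rstr_release(*slot);
    rstr *n = rstr_try_new(s);
    if (!n) return -1;
    *slot = n;
    return 0;
}

/* Fixed ordering ("decrement after alloc"): release old only once the new value exists. */
static int assign_fixed(rstr **slot, const char *s) {
    rstr *n = rstr_try_new(s);
    if (!n) return -1;
    rstr_release(*slot);
    *slot = n;
    return 0;
}

/* Two holders share one string (like a symbol-table entry plus another reference) and the
 * assignment to one holder bails out. Returns holders minus refcount: 0 means consistent,
 * 1 means the next destructor pass frees a string that another holder still points at. */
static int undercount_after_failed_assign(int use_fixed) {
    rstr *shared = rstr_new("a fairly long unique key");
    rstr *holder1 = shared, *holder2 = shared;
    rstr_addref(shared);                                  /* rc == 2, two holders */
    alloc_fails = 1;
    (use_fixed ? assign_fixed : assign_buggy)(&holder1, "replacement");
    alloc_fails = 0;
    int gap = 2 - shared->rc;                             /* rc >= 1 on both paths, so still valid */
    rstr_release(holder2);                                /* buggy path frees the string here */
    if (gap == 0) rstr_release(holder1);                  /* second drop is only safe when counted */
    return gap;
}
```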
 [2017-03-27 22:10 UTC]
-Assigned To: +Assigned To: pollita
 [2017-03-27 22:10 UTC]
Sort of...

It's happening because a zval referencing a free'd string is being dtor'd (in the middle of a bailout).

I've got a fix for the problem and will push it when I finish testing edge cases.
 [2017-10-24 05:16 UTC]
-Status: Analyzed +Status: Assigned
 [2018-03-13 17:10 UTC] contacto at agora-security dot com

This bug hasn't been patched, correct?

Also, I think the CVE should be CVE-2017-9119.

 [2021-06-09 14:57 UTC]
> Also, I think the CVE should be CVE-2017-9119.

 [2021-06-09 15:30 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Oct 02 17:01:25 2023 UTC