php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74310 segfault in i_zval_ptr_dtor()
Submitted: 2017-03-24 22:59 UTC Modified: 2021-06-09 15:30 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: brian dot carpenter at gmail dot com Assigned: pollita (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1Git-2017-03-24 (Git) OS: Debian 8 x64
Private report: No CVE-ID: None
View Developer Edit
 [2017-03-24 22:59 UTC] brian dot carpenter at gmail dot com 
Description:
------------
Segfault found in PHP 7.2.0-dev (git 37da80b) on Debian 8.x x64, built with afl-gcc.

Test script:
---------------
<?${$o{8}=8}{$o{8}.=0}?><?${$o{8}.=0}<${$o{8}.=0}=0?><?0==${$o{8}.=0}<${$o{8}.=0}.Q?><?$$o{$o{8}.=0}=${$o{8}.=0}=$$o=Q?><?${${0}}=$$o{$o{8}.=0}=$$$o=0?>

or

https://drive.google.com/file/d/0B3Tl4QiWJUt8V2hiQ2FDYmlRZ1U/view?usp=sharing

Expected result:
----------------
No crash.

Actual result:
--------------
==387==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9b69800000 (pc 0x000001b8c308 sp 0x7ffd5005a7b0 bp 0x7f9b6a25f248 T0)
    #0 0x1b8c307 in i_zval_ptr_dtor /root/php-git/Zend/zend_variables.h:48
    #1 0x1b8c307 in zend_unclean_zval_ptr_dtor /root/php-git/Zend/zend_execute_API.c:212
    #2 0x1cc4b3a in _zend_hash_del_el_ex /root/php-git/Zend/zend_hash.c:997
    #3 0x1cc4b3a in _zend_hash_del_el /root/php-git/Zend/zend_hash.c:1020
    #4 0x1cc4b3a in zend_hash_graceful_reverse_destroy /root/php-git/Zend/zend_hash.c:1476
    #5 0x1b8f83c in shutdown_executor /root/php-git/Zend/zend_execute_API.c:281
    #6 0x1c1e1d4 in zend_deactivate /root/php-git/Zend/zend.c:1060
    #7 0x192f468 in php_request_shutdown /root/php-git/main/main.c:1879
    #8 0x238b5a9 in do_cli /root/php-git/sapi/cli/php_cli.c:1164
    #9 0x47253b in main /root/php-git/sapi/cli/php_cli.c:1390
    #10 0x7f9b6d3b9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x47318e (/root/php-git/sapi/cli/php+0x47318e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-git/Zend/zend_variables.h:48 i_zval_ptr_dtor

Patches

bug_74310_decrement_after_alloc (last revision 2017-03-26 17:08 UTC by bwoebi@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-25 22:29 UTC] pollita@php.net
-Status: Open +Status: Verified
 [2017-03-25 22:29 UTC] pollita@php.net 
I've been able to reduce the repro script to the following.  When I gdb, it still crashes, apparently while trying to clean up the global symbol table at request end.

<?
$o{8}='800000000';
$$o{'8000000'}=$Array='Q';
$$o{'800000000'}=$$Array=0;

Interestingly, shortening the keys (while keeping them unique) *does* avoid the crash.

(gdb) bt
#0  0x00000000009a006c in i_zval_ptr_dtor (zval_ptr=0x7fffef01e090, 
    __zend_filename=0x10d7148 "/home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c", 
    __zend_lineno=212) at /home/sgolemon/dev/php/php-src/Zend/zend_variables.h:48
#1  0x00000000009a0c5c in zend_unclean_zval_ptr_dtor (zv=0x7fffef01e090)
    at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:212
#2  0x00000000009d2893 in _zend_hash_del_el_ex (ht=0x1452d90 <executor_globals+304>, idx=8, 
    p=0x7fffef063200, prev=0x0) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:997
#3  0x00000000009d2973 in _zend_hash_del_el (ht=0x1452d90 <executor_globals+304>, idx=8, 
    p=0x7fffef063200) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1020
#4  0x00000000009d3ef8 in zend_hash_graceful_reverse_destroy (
    ht=0x1452d90 <executor_globals+304>) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1476
#5  0x00000000009a0f86 in shutdown_executor ()
    at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:281
#6  0x00000000009bbc73 in zend_deactivate () at /home/sgolemon/dev/php/php-src/Zend/zend.c:1060
#7  0x0000000000921857 in php_request_shutdown (dummy=0x0)
    at /home/sgolemon/dev/php/php-src/main/main.c:1879
#8  0x0000000000aa848b in do_cli (argc=2, argv=0x1457d20)
    at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1164
#9  0x0000000000aa8cf9 in main (argc=2, argv=0x1457d20)
    at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1390
 [2017-03-26 17:08 UTC] bwoebi@php.net 
The following patch has been added/updated:

Patch Name: bug_74310_decrement_after_alloc
Revision:   1490548119
URL:        https://bugs.php.net/patch-display.php?bug=74310&patch=bug_74310_decrement_after_alloc&revision=1490548119
 [2017-03-26 17:09 UTC] bwoebi@php.net
-Status: Verified +Status: Analyzed
 [2017-03-26 17:09 UTC] bwoebi@php.net 
This happens as the refcount is decremented, but the assignment to the new value never happening, thus leaving us with a zend_string with two references but rc=1.

A trivial fix would be:
https://bugs.php.net/patch-display.php?bug_id=74310&patch=bug_74310_decrement_after_alloc&revision=latest

But I'm not sure whether that's the ideal fix though.
 [2017-03-27 22:10 UTC] pollita@php.net
-Assigned To: +Assigned To: pollita
 [2017-03-27 22:10 UTC] pollita@php.net 
Sort of...

It's happening because a zval referencing a free'd string is being dtor'd (in the middle of a bailout).

I've got a fix for the problem and will push it when I finish testing edge cases.
 [2017-09-10 21:34 UTC] cmb@php.net 
Related To: Bug #74593
 [2017-10-24 05:16 UTC] kalle@php.net
-Status: Analyzed +Status: Assigned
 [2018-03-13 17:10 UTC] contacto at agora-security dot com 
Hello,

This bug hasn't been patch, correct?

Also, I think the CVE should be CVE-2017-9119.

Cheers!
 [2021-06-09 14:57 UTC] cmb@php.net 
> Also, I think the CVE should be CVE-2017-9119.

*facepalm*
 [2021-06-09 15:30 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2021-06-09 15:30 UTC] nikic@php.net 
It looks like I fixed this issue in https://github.com/php/php-src/commit/573ad182d21df2457a0a2f6fd3c075e1f0bfca44.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 10:01:28 2025 UTC