PHP :: Bug #74600 :: crash (SIGSEGV) in _zend_hash_add_or_update

Bug #74600	crash (SIGSEGV) in _zend_hash_add_or_update_i
Submitted:	2017-05-16 09:27 UTC	Modified:	2017-05-16 10:59 UTC
From:	stephan dot zeisberg at splone dot com	Assigned:	laruence (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.1.5	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2017-05-16 09:27 UTC] stephan dot zeisberg at splone dot com

Description:
------------
PHP crashes when starting with the following malformed php.ini file as input.

Version:
--------
commit 7640e0a5f97ee51ad62580b017ddefb60af5af15
PHP 7.2.0-dev (cli) (built: May 16 2017 11:01:02) ( NTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0-dev, Copyright (c) 1998-2017 Zend Technologies

Input file (php.ini) hexdump:
------------------------
00000000  5b 50 48 50 5d 0a 3b 0d  73 3d 00 00 3d 0a 3b 0d  |[PHP].;.s=..=.;.|
00000010  5b 50 41 54 48 00 5d 00  fe 20 3d 0a              |[PATH.].. =.|
0000001c

How to reproduce:
-----------------
./sapi/cli/php -c <malformed .ini file>

gdb:
----
(gdb) run -c /tmp/php.ini 
Starting program: /tmp/php/php-src/sapi/cli/php -c /tmp/php.ini
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000098ab63 in _zend_hash_add_or_update_i (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    flag=1, __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:612
612		HT_HASH(ht, nIndex) = HT_IDX_TO_HASH(idx);
(gdb) bt
#0  0x000000000098ab63 in _zend_hash_add_or_update_i (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    flag=1, __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:612
#1  0x000000000098ac0c in _zend_hash_update (ht=0x1410d30, key=0x1410d00, pData=0x7fffffffbd20, 
    __zend_filename=0x1085100 "/tmp/php/php-src/main/php_ini.c", __zend_lineno=241)
    at Zend/zend_hash.c:629
#2  0x00000000008db1b4 in php_ini_parser_cb (arg1=0x7fffffffbd00, arg2=0x7fffffffbd20, arg3=0x0, 
    callback_type=1, target_hash=0x13d5018 <configuration_hash>) at main/php_ini.c:241
#3  0x0000000000926564 in ini_parse () at /tmp/php/php-src/Zend/zend_ini_parser.y:315
#4  0x0000000000925f45 in zend_parse_ini_file (fh=0x7fffffffdf38, unbuffered_errors=1 '\001', 
    scanner_mode=0, ini_parser_cb=0x8dafd0 <php_ini_parser_cb>, arg=0x13d5018 <configuration_hash>)
    at /tmp/php/php-src/Zend/zend_ini_parser.y:229
#5  0x00000000008da78b in php_init_config () at main/php_ini.c:592
#6  0x00000000008cd63e in php_module_startup (sf=0x13bc530 <cli_sapi_module>, additional_modules=0x0, 
    num_additional_modules=0) at main/main.c:2222
#7  0x0000000000a9148b in php_cli_startup (sapi_module=0x13bc530 <cli_sapi_module>)
    at sapi/cli/php_cli.c:431
#8  0x0000000000a8f8b2 in main (argc=3, argv=0x13f1890) at sapi/cli/php_cli.c:1357

valgrind:
---------
==14051== Memcheck, a memory error detector
==14051== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14051== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==14051== Command: ./sapi/cli/php -c /tmp/php.ini
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x988609: zend_hash_real_init_ex (zend_hash.c:139)
==14051==    by 0x98959A: zend_hash_check_init (zend_hash.c:163)
==14051==    by 0x98A7F8: _zend_hash_add_or_update_i (zend_hash.c:553)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c0 is 0 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98866E: zend_hash_real_init_ex (zend_hash.c:140)
==14051==    by 0x98959A: zend_hash_check_init (zend_hash.c:163)
==14051==    by 0x98A7F8: _zend_hash_add_or_update_i (zend_hash.c:553)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c0 is 0 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98AA38: _zend_hash_add_or_update_i (zend_hash.c:597)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0x92413c4 is 4 bytes after a block of size 32 alloc'd
==14051==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x9342D4: __zend_malloc (zend_alloc.c:2811)
==14051==    by 0x8DC37C: zend_string_alloc (zend_string.h:134)
==14051==    by 0x8DB66E: zend_string_init (zend_string.h:170)
==14051==    by 0x8DC1CA: zend_string_dup (zend_string.h:197)
==14051==    by 0x8DB1C8: php_ini_parser_cb (php_ini.c:242)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AA7D: _zend_hash_add_or_update_i (zend_hash.c:602)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AAD1: _zend_hash_add_or_update_i (zend_hash.c:608)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AB14: _zend_hash_add_or_update_i (zend_hash.c:609)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Use of uninitialised value of size 8
==14051==    at 0x98AB21: _zend_hash_add_or_update_i (zend_hash.c:609)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051== 
==14051== Invalid read of size 4
==14051==    at 0x98AB4A: _zend_hash_add_or_update_i (zend_hash.c:611)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  Address 0xae5d90c is not stack'd, malloc'd or (recently) free'd
==14051== 
==14051== 
==14051== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==14051==  Access not within mapped region at address 0xAE5D90C
==14051==    at 0x98AB4A: _zend_hash_add_or_update_i (zend_hash.c:611)
==14051==    by 0x98AC0B: _zend_hash_update (zend_hash.c:629)
==14051==    by 0x8DB1B3: php_ini_parser_cb (php_ini.c:241)
==14051==    by 0x926563: ini_parse (zend_ini_parser.y:315)
==14051==    by 0x925F44: zend_parse_ini_file (zend_ini_parser.y:229)
==14051==    by 0x8DA78A: php_init_config (php_ini.c:592)
==14051==    by 0x8CD63D: php_module_startup (main.c:2222)
==14051==    by 0xA9148A: php_cli_startup (php_cli.c:431)
==14051==    by 0xA8F8B1: main (php_cli.c:1357)
==14051==  If you believe this happened as a result of a stack
==14051==  overflow in your program's main thread (unlikely but
==14051==  possible), you can try to increase the size of the
==14051==  main thread stack using the --main-stacksize= flag.
==14051==  The main thread stack size used in this run was 8388608.
==14051== 
==14051== HEAP SUMMARY:
==14051==     in use at exit: 115,915 bytes in 672 blocks
==14051==   total heap usage: 758 allocs, 86 frees, 201,039 bytes allocated
==14051== 
==14051== LEAK SUMMARY:
==14051==    definitely lost: 0 bytes in 0 blocks
==14051==    indirectly lost: 0 bytes in 0 blocks
==14051==      possibly lost: 98,536 bytes in 316 blocks
==14051==    still reachable: 17,379 bytes in 356 blocks
==14051==         suppressed: 0 bytes in 0 blocks
==14051== Rerun with --leak-check=full to see details of leaked memory
==14051== 
==14051== For counts of detected and suppressed errors, rerun with: -v
==14051== Use --track-origins=yes to see where uninitialised values come from
==14051== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)
[1]    14051 segmentation fault  valgrind ./sapi/cli/php -c /tmp/php.ini

The crash has been found with afl-fuzz.

Best Regards,
Stephan Zeisberg

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-05-16 09:34 UTC] stephan dot zeisberg at splone dot com

-PHP Version: Next Major Version +PHP Version: 7.1.5

[2017-05-16 09:34 UTC] stephan dot zeisberg at splone dot com

Also affects PHP 7.1.5 (cli) (built: May  9 2017 16:55:02) ( NTS )

[2017-05-16 09:53 UTC] requinix@php.net

-Status: Open +Status: Verified -Package: *General Issues +Package: Reproducible crash

[2017-05-16 09:53 UTC] requinix@php.net

Doesn't seem to affect parse_ini_file/string.

[2017-05-16 10:36 UTC] laruence@php.net

could you please paste the original text out? I dont' know how to get it from the output of hexdump :<

[2017-05-16 10:43 UTC] requinix@php.net

"[PHP]\n;\rs=\000\000=\n;\r[PATH\000]\000\376 =\n"

$hex = "5b5048505d0a3b0d733d00003d0a3b0d5b50415448005d00fe203d0a";
echo addcslashes(hex2bin($hex), "\x00..\x1f\x7e..\xff");

[2017-05-16 10:59 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2017-05-16 10:59 UTC] laruence@php.net

thanks,  I've figure it out

[2017-05-16 11:33 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f49ebb5baf1e52ce3184ea34977274040f835e9
Log: Fixed bug #74600 (crash (SIGSEGV) in _zend_hash_add_or_update_i)

[2017-05-16 11:33 UTC] laruence@php.net

-Status: Verified +Status: Closed

[2017-06-12 09:22 UTC] laruence@php.net

Automatic comment on behalf of manuel@mausz.at
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ee0e6963f39cc8f30bbd5675a0c4880a18b63b00
Log: Fixed bug #74600

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC