PHP :: Bug #74702 :: segfault in gc_zval_possible

Bug #74702

segfault in gc_zval_possible_root()

Submitted:

2017-06-06 21:03 UTC

Modified:

2017-08-12 19:06 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

brian dot carpenter at gmail dot com

Assigned:

Status:

Wont fix

Package:

Reproducible crash

PHP Version:

5.6.30

OS:

Debian 8 x64

Private report:

CVE-ID:

None

View Developer Edit

[2017-06-06 21:03 UTC] brian dot carpenter at gmail dot com

Description:
------------
The attached script crashes PHP 5.6.30.

Test script:
---------------
<?php
class bad{function t(){$h[]=0;}function __destruct(){global$bar;$bar=$this;}}$foo->f=$foo=$d=new bad;unserialize(serialize($foo));gc_collect_cycles();

Expected result:
----------------
No crash.

Actual result:
--------------
==12586==ERROR: AddressSanitizer: SEGV on unknown address 0x100139182d88 (pc 0x00000198aad7 sp 0x7fffc2f3a1c0 bp 0x7fe67d2d1840 T0)
    #0 0x198aad6 in gc_zval_possible_root /root/php-5.6.30/Zend/zend_gc.c:143
    #1 0x19019d6 in zend_hash_destroy /root/php-5.6.30/Zend/zend_hash.c:548
    #2 0x19b32da in zend_object_std_dtor /root/php-5.6.30/Zend/zend_objects.c:44
    #3 0x19b3650 in zend_objects_free_object_storage /root/php-5.6.30/Zend/zend_objects.c:137
    #4 0x19e201a in zend_objects_store_del_ref_by_handle_ex /root/php-5.6.30/Zend/zend_objects_API.c:226
    #5 0x19e25b5 in zend_objects_store_del_ref /root/php-5.6.30/Zend/zend_objects_API.c:178
    #6 0x18162c7 in _zval_dtor /root/php-5.6.30/Zend/zend_variables.h:35
    #7 0x18162c7 in i_zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute.h:79
    #8 0x18162c7 in _zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute_API.c:424
    #9 0x1906e8e in i_zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:182
    #10 0x1906e8e in zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:192
    #11 0x1906e8e in zend_hash_reverse_apply /root/php-5.6.30/Zend/zend_hash.c:733
    #12 0x1817940 in shutdown_destructors /root/php-5.6.30/Zend/zend_execute_API.c:214
    #13 0x1898593 in zend_call_destructors /root/php-5.6.30/Zend/zend.c:944
    #14 0x15d2974 in php_request_shutdown /root/php-5.6.30/main/main.c:1840
    #15 0x1e68480 in do_cli /root/php-5.6.30/sapi/cli/php_cli.c:1181
    #16 0x456468 in main /root/php-5.6.30/sapi/cli/php_cli.c:1382
    #17 0x7fe67ae0cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #18 0x45730e (/root/php-5.6.30/sapi/cli/php+0x45730e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.30/Zend/zend_gc.c:143 gc_zval_possible_root
==12586==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-06-07 10:19 UTC] andrew dot nester dot dev at gmail dot com

Since PHP 5.6+ supports only security fixes and this issue is not reproducible in PHP 7+ I guess this issue should be closed as `won't fix`

[2017-08-12 19:06 UTC] nikic@php.net

-Status: Open +Status: Wont fix

[2017-08-12 19:06 UTC] nikic@php.net

Right. There's one variation of this issue that still exists in PHP 7, but that's tracked in bug #72530.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 06:01:30 2025 UTC