php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75128 Invalid write in zval_delref_p()
Submitted: 2017-08-28 08:52 UTC Modified: 2021-07-02 10:22 UTC
From: fumfi dot 255 at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.8 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
46 - 13 = ?
Subscribe to this entry?

 
 [2017-08-28 08:52 UTC] fumfi dot 255 at gmail dot com 
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_iw_zval_delref_p.php

Faulting PHP script: https://frankowicz.me/storage/crashes/php_iw_zval_delref_p.txt

ASAN:

==32358==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff1ff400000 (pc 0x0000017678cf bp 0x7ffc9544dc90 sp 0x7ffc9544daf0 T0)
==32358==The signal is caused by a WRITE memory access.
    #0 0x17678ce in zval_delref_p XYZ/php-7.1.8/Zend/zend_types.h:838:9
    #1 0x17678ce in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:47
    #2 0x17678ce in zend_unclean_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_execute_API.c:210
    #3 0x1851027 in _zend_hash_del_el_ex XYZ/php-7.1.8/Zend/zend_hash.c:997:3
    #4 0x1851027 in _zend_hash_del_el XYZ/php-7.1.8/Zend/zend_hash.c:1020
    #5 0x1851027 in zend_hash_graceful_reverse_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1476
    #6 0x1767f89 in shutdown_executor XYZ/php-7.1.8/Zend/zend_execute_API.c:279:3
    #7 0x17ce8ca in zend_deactivate XYZ/php-7.1.8/Zend/zend.c:999:2
    #8 0x1564144 in php_request_shutdown XYZ/php-7.1.8/main/main.c:1877:2
    #9 0x1c4215c in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:1160:3
    #10 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #11 0x7ff20a65982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_types.h:838:9 in zval_delref_p
==32358==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-08-29 14:05 UTC] kalle@php.net
-Package: *General Issues +Package: Reproducible crash
 [2017-09-02 03:56 UTC] laruence@php.net 
this is an knew issue..... just don't have a good way to fix it yet
 [2021-07-02 10:22 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2021-07-02 10:22 UTC] nikic@php.net 
This no longer reproduces, even after fixing the undefined constant issue.

Looking at the reproducer and the stack trace, this looks like an issue we had with hitting the memory limit during a string reallocation, in which case refcount was not managed correctly. This issue has since been fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 23:01:28 2024 UTC