Bug #76275 Assertion failure in file cache when unserializing empty try_catch_array
Submitted: 2018-04-27 08:21 UTC Modified: 2018-04-27 09:55 UTC
From: mate at sla dot hu Assigned:
Status: Closed Package: opcache
PHP Version: 7.2.5 OS: ubuntu 16
Private report: No CVE-ID: None
 [2018-04-27 08:21 UTC] mate at sla dot hu
Description:
------------
The code below is stripped from paragonie/random_compat/lib/random.php.

This is my first compilation on the 16.04 gcc toolchain, and I don't know whether my toolchain has a problem or this is a bug, because the original downloaded binary version works without problem on this file, but my compilation fails.

$_main: ; (lines=1, args=0, vars=0, tmps=0)
    ; (after optimizer)
    ; /home/sla/workspace/its3/test6.php:1-22
L0 (4):     RETURN null

random_bytes: ; (lines=6, args=1, vars=1, tmps=1)
    ; (after optimizer)
    ; /home/sla/workspace/its3/test6.php:12-19
L0 (12):    CV0($length) = RECV 1
L1 (14):    UNSET_CV CV0($length)
L2 (15):    V1 = NEW 1 string("Exception")
L3 (16):    SEND_VAL_EX string("There is no suitable CSPRNG installed on your system") 1
L4 (16):    DO_FCALL
L5 (16):    THROW V1
php: /home/mate/php-7.2.5/ext/opcache/zend_file_cache.c:506: zend_file_cache_serialize_op_array: Assertion `(((char*)(op_array->try_catch_array) >= (char*)script->mem && (char*)(op_array->try_catch_array) < (char*)script->mem + script->size) || ((char*)(op_array->try_catch_array) >= (accel_shared_globals->interned_strings_start) && (char*)(op_array->try_catch_array) < (accel_shared_globals->interned_strings_end)))' failed.
Aborted (core dumped)



Test script:
---------------
<?php

if (PHP_VERSION_ID >= 70000) {
    return;
}

if (!is_callable('random_bytes')) {
    try {
    } catch (com_exception $e) {
    }

    function random_bytes($length)
    {
        unset($length); // Suppress "variable not used" warnings.
        throw new Exception(
            'There is no suitable CSPRNG installed on your system'
        );
        return '';
    }
}

Patches

Pull Requests

History

 [2018-04-27 09:14 UTC] nikic@php.net
-Status: Open +Status: Analyzed
 [2018-04-27 09:14 UTC] nikic@php.net
The issue is that the try_catch_array allocation is empty and points at the very end of the script memory. In serialized form, that means ptr == script->size. However, IS_SERIALIZED requires ptr < script->size.

I think we should do two things here:
 a) Allow ptr <= script->size to allow empty allocations. Theoretically this could clash with a new allocation starting at memory address script->size, but that seems rather unlikely to me.
 b) Prevent this particular empty allocation from occurring.

As an alternative to a) we could also assert in the opcache allocator that empty allocations are not allowed, thus catching this earlier.
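The boundary condition described in the comment above, as an added example that is not php-src code and not part of this report: a toy bump allocator over a single arena (hypothetical names `toy_arena`, `toy_alloc`, `toy_serialize`) reproduces how a zero-length allocation taken from a full arena yields a pointer equal to `mem + size`, which serializes to an offset equal to the arena size. A strict `ptr < size` check (the shape of the IS_SERIALIZED condition quoted in the assertion) rejects it, while the relaxed `ptr <= size` variant from option a) accepts it.

```c
#include <stddef.h>
#include <stdio.h>

#define ARENA_SIZE 64   /* constructed arena size for the demonstration */

/* Toy model of one script memory arena with a bump pointer (hypothetical). */
typedef struct {
    char  *mem;   /* start of the arena, plays the role of script->mem  */
    size_t size;  /* bytes in the arena, plays the role of script->size */
    size_t used;  /* bump pointer */
} toy_arena;

/* Bump allocation. For n == 0 on a full arena this legitimately returns
 * mem + size: a valid one-past-the-end pointer that owns no bytes. */
static void *toy_alloc(toy_arena *a, size_t n)
{
    if (a->used + n > a->size) {
        return NULL;
    }
    void *p = a->mem + a->used;
    a->used += n;
    return p;
}

/* Serialization turns an arena pointer into an arena-relative offset. */
static size_t toy_serialize(const toy_arena *a, const void *p)
{
    return (size_t)((const char *)p - a->mem);
}

/* Strict range check: offset must lie inside [0, size). */
int is_serialized_strict(size_t arena_size, size_t off)
{
    return off < arena_size;
}

/* Relaxed range check from option a): offset may equal size, so that an
 * empty allocation placed at the very end of the arena is still accepted. */
int is_serialized_relaxed(size_t arena_size, size_t off)
{
    return off <= arena_size;
}

/* Reproduce the scenario: consume the whole arena, then take a zero-length
 * allocation (the empty try_catch_array) and return its serialized offset. */
size_t offset_of_empty_alloc_at_end(void)
{
    static char backing[ARENA_SIZE];          /* constructed backing store */
    toy_arena a = { backing, ARENA_SIZE, 0 };

    (void)toy_alloc(&a, ARENA_SIZE);          /* arena now full */
    void *empty = toy_alloc(&a, 0);           /* pointer == mem + size */
    return toy_serialize(&a, empty);          /* == ARENA_SIZE */
}

int strict_check_accepts_empty_alloc(void)
{
    return is_serialized_strict(ARENA_SIZE, offset_of_empty_alloc_at_end());
}

int relaxed_check_accepts_empty_alloc(void)
{
    return is_serialized_relaxed(ARENA_SIZE, offset_of_empty_alloc_at_end());
}

int main(void)
{
    size_t off = offset_of_empty_alloc_at_end();
    printf("serialized offset of empty allocation: %zu (arena size %d)\n",
           off, ARENA_SIZE);
    printf("strict  check (off <  size): %s\n",
           strict_check_accepts_empty_alloc() ? "accepted" : "rejected");
    printf("relaxed check (off <= size): %s\n",
           relaxed_check_accepts_empty_alloc() ? "accepted" : "rejected");
    return 0;
}
```

The relaxed check has exactly the caveat the comment raises: an offset equal to `size` is also the first byte of whatever is laid out immediately after the arena, so the check can no longer tell an empty in-arena allocation apart from a pointer to adjacent memory. That is why option b), not producing the empty allocation in the first place, removes the ambiguity rather than tolerating it.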
 [2018-04-27 09:55 UTC] nikic@php.net
-Summary: assert +Summary: Assertion failure in file cache when unserializing empty try_catch_array
 [2018-04-27 15:09 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=279ba58edbd0454d7e534e223e3538a2b0b5ff9b
Log: Fixed bug #76275
 [2018-04-27 15:09 UTC] nikic@php.net
-Status: Analyzed +Status: Closed