Bug #76410 SIGV in zend_mm_alloc_small
Submitted: 2018-06-03 11:24 UTC Modified: 2018-06-03 22:47 UTC
From: daniel dot teuchert at rub dot de Assigned: dmitry (profile)
Status: Closed Package: Arrays related
PHP Version: 7.2.6 OS: Linux/Ubuntu
Private report: No CVE-ID: None
 [2018-06-03 11:24 UTC] daniel dot teuchert at rub dot de
Description:
------------
When executing the test script, PHP crashes.

Test script:
---------------
<?php
$b = timezone_abbreviations_list();
extract($b);
timezone_abbreviations_list();
?>


Actual result:
--------------
Backtrace:
#0  0x0000000001918d3e in zend_mm_alloc_small (size=0, heap=<optimized out>, 
    bin_num=<optimized out>) at Zend/zend_alloc.c:1273
#1  _emalloc_56 () at Zend/zend_alloc.c:2352
#2  0x0000000001a78a0f in _array_init (arg=0x7fffffff99a0, size=0) at Zend/zend_API.c:1090
#3  0x000000000051c220 in zif_timezone_abbreviations_list (execute_data=<optimized out>, 
    return_value=<optimized out>) at ext/date/php_date.c:4830
#4  0x0000000001ea9d23 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>)
    at Zend/zend_vm_execute.h:573
#5  0x0000000001c126d6 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:59723
#6  0x0000000001c1312f in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at Zend/zend_vm_execute.h:63760
#7  0x0000000001a6678e in zend_execute_scripts (type=-3184, retval=0x0, file_count=<optimized out>)
    at Zend/zend.c:1496
#8  0x00000000017e108a in php_execute_script (primary_file=0x7fffffffc560) at main/main.c:2590
#9  0x000000000200dba7 in do_cli (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1011
#10 0x000000000200aa8d in main (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1404


History

 [2018-06-03 13:01 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-06-03 16:10 UTC] cmb@php.net
-Package: Date/time related +Package: Arrays related -Assigned To: +Assigned To: dmitry
 [2018-06-03 16:10 UTC] cmb@php.net
This does not appear to be particularly related to
timezone_abbreviations_list(), since the following test script
shows the same UAF issues under valgrind:

  <?php
  $b = array_flip(range('a', 'c'));
  debug_zval_dump($b); // just to check the refcount
  extract($b);

Actually it does not matter how the array is created; it just
needs to have the key 'b', and the debug_zval_dump() should show a
refcount of 2.

Apparently, the bad behavior has been introduced with commit
1f7bf2b[1]. Dmitry, could you please take a look at this issue?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=1f7bf2bfd63d94ddf4e28f903c692850232ef798>
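The trigger described above is extract() overwriting the very variable that holds its source array (the array has a key 'b' and lives in $b) while that array is still shared. The following script is an added illustration, not part of the bug report or of the php-src fix: it shows two extract() call patterns, EXTR_SKIP and EXTR_PREFIX_ALL, that by their documented semantics never write to an existing variable such as $b, so the source array is never clobbered mid-iteration. The sample array is constructed the same way as in the comment above.

```php
<?php
// Added example (not from the report): avoid extract() overwriting its own
// source variable. The array is built as in the repro above: the key 'b'
// matches the variable name $b, which is the condition the report describes.
$b = array_flip(range('a', 'c'));   // ['a' => 0, 'b' => 1, 'c' => 2]

// Pattern 1: EXTR_SKIP leaves any already-defined symbol untouched, so the
// key 'b' is skipped because $b exists. extract() returns the number of
// variables it actually imported: 'a' and 'c' here.
$imported = extract($b, EXTR_SKIP);
var_dump($imported);                                 // int(2)
var_dump($b === ['a' => 0, 'b' => 1, 'c' => 2]);     // bool(true): source intact

// Pattern 2: EXTR_PREFIX_ALL imports every key under a prefix (prefix + '_' +
// key), so no imported name can ever coincide with the source variable.
$b = array_flip(range('a', 'c'));
$imported = extract($b, EXTR_PREFIX_ALL, 'tz');      // defines $tz_a, $tz_b, $tz_c
var_dump($imported);                                 // int(3)
var_dump(isset($tz_b), $b['b']);                     // bool(true), int(1)

// The default mode, EXTR_OVERWRITE, is the one that lets a key named after the
// source variable replace $b itself; the two modes above side-step that case.
```

Both patterns are ordinary, documented extract() behaviour; they do not replace the php-src fix referenced in this report, but they keep application code out of the self-overwrite case regardless of the interpreter version in use.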
 [2018-06-03 22:47 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-06-05 09:17 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)
 [2018-06-05 09:17 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2018-06-05 09:20 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Oct 15 08:01:25 2018 UTC