Bug #76410 SIGV in zend_mm_alloc_small
Submitted: 2018-06-03 11:24 UTC Modified: 2018-06-03 22:47 UTC
From: daniel dot teuchert at rub dot de Assigned: dmitry (profile)
Status: Closed Package: Arrays related
PHP Version: 7.2.6 OS: Linux/Ubuntu
Private report: No CVE-ID: None

 [2018-06-03 11:24 UTC] daniel dot teuchert at rub dot de
Description:
------------
When executing the test script, PHP crashes.

Test script:
---------------
<?php
$b = timezone_abbreviations_list();
extract($b);
timezone_abbreviations_list();
?>


Actual result:
--------------
Backtrace:
#0  0x0000000001918d3e in zend_mm_alloc_small (size=0, heap=<optimized out>, 
    bin_num=<optimized out>) at Zend/zend_alloc.c:1273
#1  _emalloc_56 () at Zend/zend_alloc.c:2352
#2  0x0000000001a78a0f in _array_init (arg=0x7fffffff99a0, size=0) at Zend/zend_API.c:1090
#3  0x000000000051c220 in zif_timezone_abbreviations_list (execute_data=<optimized out>, 
    return_value=<optimized out>) at ext/date/php_date.c:4830
#4  0x0000000001ea9d23 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>)
    at Zend/zend_vm_execute.h:573
#5  0x0000000001c126d6 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:59723
#6  0x0000000001c1312f in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at Zend/zend_vm_execute.h:63760
#7  0x0000000001a6678e in zend_execute_scripts (type=-3184, retval=0x0, file_count=<optimized out>)
    at Zend/zend.c:1496
#8  0x00000000017e108a in php_execute_script (primary_file=0x7fffffffc560) at main/main.c:2590
#9  0x000000000200dba7 in do_cli (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1011
#10 0x000000000200aa8d in main (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1404

Patches

Pull Requests

History

 [2018-06-03 13:01 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-06-03 16:10 UTC] cmb@php.net
-Package: Date/time related +Package: Arrays related -Assigned To: +Assigned To: dmitry
 [2018-06-03 16:10 UTC] cmb@php.net
This does not appear to be particularly related to
timezone_abbreviations_list(), since the following test script
shows the same UAF issues under valgrind:

  <?php
  $b = array_flip(range('a', 'c'));
  debug_zval_dump($b); // just to check the refcount
  extract($b);

Actually it does not matter how the array is created; it just
needs to have the key 'b', and the debug_zval_dump() should show a
refcount of 2.

Apparently, the bad behavior has been introduced with commit
1f7bf2b[1]. Dmitry, could you please take a look at this issue?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=1f7bf2bfd63d94ddf4e28f903c692850232ef798>
 [2018-06-03 22:47 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-06-05 09:17 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)
 [2018-06-05 09:17 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2018-06-05 09:20 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC