Bug #76667 Segfault with divide-assign op and __get + __set
Submitted: 2018-07-26 09:52 UTC Modified: 2018-07-26 16:02 UTC
From: leigh@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0alpha4 OS: Linux
Private report: No CVE-ID: None
 [2018-07-26 09:52 UTC] leigh@php.net
Description:
------------
Found while fuzzing typed properties but reproducible on master (7a41e4c0d0ddb2cfb91e31b210d7bceb158d2ab4)

PHP was compiled with: --disable-all

In the test case the undefined variable in __get and assign op in __set seem to be the core of this crash. Defining the var or changing the assign op to a different one prevents it.

Test script:
---------------
<?php

class T {
    public function __get($k)
    {
        return $undefined->$k;
    }

    public function __set($k, $v)
    {
        return $this->$v /= 0;
    }
};

$x = new T;
$x->x = 1;

Expected result:
----------------
No segfault

Actual result:
--------------
(lldb) r /home/leigh/php-src/crash.php
Process 4852 launched: '/home/leigh/php-src/sapi/cli/php' (x86_64)

Warning: Division by zero in /home/leigh/php-src/crash.php on line 11

Warning: Division by zero in /home/leigh/php-src/crash.php on line 11
Process 4852 stopped
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
frame #0: 0x00005555558f04b5 php`zend_mm_alloc_small(heap=0x00007ffff6c00040, size=256, bin_num=15, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1283
1280
1281		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1282			zend_mm_free_slot *p = heap->free_slot[bin_num];
-> 1283			heap->free_slot[bin_num] = p->next_free_slot;
1284			return (void*)p;
1285		} else {
1286			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
(lldb) bt
* thread #1, name = 'php', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
* frame #0: 0x00005555558f04b5 php`zend_mm_alloc_small(heap=0x00007ffff6c00040, size=256, bin_num=15, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1283
frame #1: 0x00005555558f0760 php`zend_mm_alloc_heap(heap=0x00007ffff6c00040, size=256, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:1354
frame #2: 0x00005555558f3409 php`_emalloc(size=224, __zend_filename="/home/leigh/php-src/Zend/zend_smart_str.c", __zend_lineno=155, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) at zend_alloc.c:2494
frame #3: 0x00005555559855f1 php`_smart_string_alloc(str=0x00007fffffff8800, len=1) at zend_smart_str.c:155
frame #4: 0x000055555589b337 php`smart_string_alloc(str=0x00007fffffff8800, len=1, persistent='\0') at zend_smart_string.h:61
frame #5: 0x000055555589b375 php`smart_string_appendc_ex(dest=0x00007fffffff8800, ch='U', persistent='\0') at zend_smart_string.h:82
frame #6: 0x000055555589b4be php`xbuf_format_converter(xbuf=0x00007fffffff8800, is_char='\x01', fmt="Undefined variable: %s", ap=0x00007fffffff8a00) at spprintf.c:239
frame #7: 0x000055555589d846 php`php_printf_to_smart_string(buf=0x00007fffffff8800, format="Undefined variable: %s", ap=0x00007fffffff8a00) at spprintf.c:830
frame #8: 0x0000555555927181 php`zend_vspprintf(pbuf=0x00007fffffff8868, max_len=1024, format="Undefined variable: %s", ap=0x00007fffffff8a00) at zend.c:184
frame #9: 0x000055555589490e php`php_error_cb(type=8, error_filename="/home/leigh/php-src/crash.php", error_lineno=6, format="Undefined variable: %s", args=0x00007fffffff8a00) at main.c:1199
frame #10: 0x00005555559290a2 php`zend_error(type=8, format="Undefined variable: %s") at zend.c:1289
frame #11: 0x00005555559878e4 php`zval_undefined_cv(var=96) at zend_execute.c:259
frame #12: 0x000055555598796f php`_get_zval_cv_lookup_BP_VAR_R(ptr=0x00007ffff6c202c0, var=96) at zend_execute.c:285
frame #13: 0x00005555559f8d05 php`ZEND_FETCH_OBJ_R_SPEC_CV_CV_HANDLER at zend_vm_execute.h:48800
frame #14: 0x0000555555a01ea4 php`execute_ex(ex=0x00007ffff6c20260) at zend_vm_execute.h:60188
frame #15: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff8ee0, fci_cache=0x00007fffffff8ec0) at zend_execute_API.c:756
frame #16: 0x00005555559783b1 php`zend_std_call_getter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff8fd0, retval=0x00007fffffff9090) at zend_object_handlers.c:203
frame #17: 0x0000555555979999 php`zend_std_read_property(object=0x00007fffffff90a0, member=0x00007fffffff8fd0, type=0, cache_slot=0x0000000000000000, rv=0x00007fffffff9090) at zend_object_handlers.c:706
frame #18: 0x000055555598aebb php`zend_assign_op_overloaded_property(object=0x00007ffff6c20200, property=0x00007ffff6c20240, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1525
frame #19: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #20: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #21: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #22: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c201e0) at zend_vm_execute.h:58546
frame #23: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff94b0, fci_cache=0x00007fffffff9490) at zend_execute_API.c:756
frame #24: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff95a0, value=0x00007fffffff9670) at zend_object_handlers.c:240
frame #25: 0x0000555555979df3 php`zend_std_write_property(object=0x00007fffffff9660, member=0x00007fffffff95a0, value=0x00007fffffff9670, cache_slot=0x0000000000000000) at zend_object_handlers.c:791
frame #26: 0x000055555598b002 php`zend_assign_op_overloaded_property(object=0x00007ffff6c20180, property=0x00007ffff6c201c0, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1543
frame #27: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #28: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #29: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #30: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c20160) at zend_vm_execute.h:58546
frame #31: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffff9a70, fci_cache=0x00007fffffff9a50) at zend_execute_API.c:756
frame #32: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007fffffff9b60, value=0x00007fffffff9c30) at zend_object_handlers.c:240
frame #33: 0x0000555555979df3 php`zend_std_write_property(object=0x00007fffffff9c20, member=0x00007fffffff9b60, value=0x00007fffffff9c30, cache_slot=0x0000000000000000) at zend_object_handlers.c:791
frame #34: 0x000055555598b002 php`zend_assign_op_overloaded_property(object=0x00007ffff6c20100, property=0x00007ffff6c20140, cache_slot=0x0000000000000000, value=0x00007ffff6c854c0, binary_op=(php`div_function at zend_operators.c:1236)) at zend_execute.c:1543
frame #35: 0x00005555559da114 php`zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34715
frame #36: 0x00005555559da168 php`zend_binary_assign_op_helper_SPEC_UNUSED_CV_OBJ(binary_op=(php`div_function at zend_operators.c:1236)) at zend_vm_execute.h:34745
frame #37: 0x00005555559da1c0 php`ZEND_ASSIGN_DIV_SPEC_UNUSED_CV_OBJ_HANDLER at zend_vm_execute.h:34766
frame #38: 0x0000555555a003a4 php`execute_ex(ex=0x00007ffff6c200e0) at zend_vm_execute.h:58546
frame #39: 0x0000555555912969 php`zend_call_function(fci=0x00007fffffffa030, fci_cache=0x00007fffffffa010) at zend_execute_API.c:756
frame #40: 0x000055555597856a php`zend_std_call_setter(zobj=0x00007ffff6c64ae0, member=0x00007ffff6c6e700, value=0x00007ffff6c6e710) at zend_object_handlers.c:240
frame #41: 0x0000555555979df3 php`zend_std_write_property(object=0x00007ffff6c20080, member=0x00007ffff6c6e700, value=0x00007ffff6c6e710, cache_slot=0x00007ffff6c01120) at zend_object_handlers.c:791
frame #42: 0x00005555559e4c70 php`ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CONST_HANDLER at zend_vm_execute.h:39861
frame #43: 0x0000555555a00f24 php`execute_ex(ex=0x00007ffff6c20030) at zend_vm_execute.h:59196
frame #44: 0x0000555555a0214f php`zend_execute(op_array=0x00007ffff6c85300, return_value=0x0000000000000000) at zend_vm_execute.h:60344
frame #45: 0x000055555592a00d php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1562
frame #46: 0x00005555558976ce php`php_execute_script(primary_file=0x00007fffffffc9e0) at main.c:2630
frame #47: 0x0000555555a04dd0 php`do_cli(argc=2, argv=0x0000555555e85990) at php_cli.c:1000
frame #48: 0x0000555555a05e87 php`main(argc=2, argv=0x0000555555e85990) at php_cli.c:1393
frame #49: 0x00007ffff7040b97 libc.so.6`__libc_start_main(main=(php`main at php_cli.c:1191), argc=2, argv=0x00007fffffffdd68, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffdd58) at libc-start.c:310
frame #50: 0x000055555565408a php`_start + 42
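
The report gives a reproducer and two conditions that make the crash go away, but no ready way to check a given build. The following harness, an added example and not code from the bug report or from php-src, runs the reporter's script verbatim plus two constructed variants that encode the reporter's two observations (the variable read in __get is defined; the compound operator is `.=` instead of `/=`) under a PHP CLI binary and classifies each run by exit status. On an affected build (7.3.0alpha4 / master before commit a7746d10) the original script should be reported as a SIGSEGV crash and the variants should not; on PHP 7.2 or a fixed build none of the three should crash. The variant scripts and the classification labels are this example's own; the exit-status conventions it relies on (a negative `returncode` for signal death from `subprocess`, 128+signo from a shell wrapper, 255 for a PHP fatal error) are standard.

```python
"""Regression harness for PHP bug #76667 (segfault with /= on an overloaded
property when __get reads an undefined variable).

Added example; not part of the bug report.  Assumes a PHP CLI binary on PATH
or passed as argv[1].  The classifier runs without PHP, so it can be tested
stand-alone.
"""
import os
import signal
import subprocess
import sys
import tempfile
from typing import Optional

# The reporter's test script, copied verbatim so that the warning line
# numbers (6 and 11) still match the backtrace in the report.
REPRODUCER = """<?php

class T {
    public function __get($k)
    {
        return $undefined->$k;
    }

    public function __set($k, $v)
    {
        return $this->$v /= 0;
    }
};

$x = new T;
$x->x = 1;
"""

# Constructed variants reflecting the reporter's two observations: defining
# the variable that __get reads, or using a different assign op in __set.
VARIANTS = {
    "original": REPRODUCER,
    "defined_var": REPRODUCER.replace(
        "        return $undefined->$k;",
        "        $undefined = new stdClass;\n        return $undefined->$k;",
    ),
    "other_assign_op": REPRODUCER.replace("/= 0", ".= 0"),
}


def _signame(signo: int) -> str:
    try:
        return signal.Signals(signo).name
    except ValueError:
        return f"SIG{signo}"


def classify(returncode: Optional[int]) -> str:
    """Map a child's exit status to a label.

    subprocess reports signal death as a negative code on POSIX; a shell
    wrapper reports 128+signo instead.  PHP's CLI exits 255 on a fatal error,
    which must be distinguished from a real crash.  None means a timeout.
    """
    if returncode is None:
        return "timeout"
    if returncode == 0:
        return "ok"
    if returncode == 255:
        return "php-fatal"
    if returncode < 0:
        return f"crash:{_signame(-returncode)}"
    if returncode > 128:
        return f"crash:{_signame(returncode - 128)}"
    return f"exit:{returncode}"


def run_script(php: str, source: str, timeout: float = 10.0) -> Optional[int]:
    """Write `source` to a temp file, run it under `php -n`, return the exit status.

    -n skips php.ini so opcache or other loaded extensions do not change the
    code path; output is discarded because only the exit status matters.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as f:
        f.write(source)
        path = f.name
    try:
        proc = subprocess.run(
            [php, "-n", path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout,
        )
        return proc.returncode
    except subprocess.TimeoutExpired:
        return None
    finally:
        os.unlink(path)


def check_build(php: str = "php") -> dict:
    """Run every variant and return {name: label}; prints a one-line summary each."""
    results = {}
    for name, src in VARIANTS.items():
        results[name] = classify(run_script(php, src))
        print(f"{name:16s} {results[name]}")
    return results


if __name__ == "__main__":
    check_build(sys.argv[1] if len(sys.argv) > 1 else "php")
```

Run it as `python3 check.py /path/to/php`; a line reading `original crash:SIGSEGV` next to `ok` (or `php-fatal`) for the two variants is the signature of an affected build. Driving the interpreter as a subprocess rather than in-process is deliberate: the bug corrupts the Zend allocator, so nothing the crashing process reports about itself can be trusted, and the exit status from the parent is the only reliable verdict.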

History

 [2018-07-26 16:02 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-07-26 16:02 UTC] cmb@php.net
Confirmed.  PHP-7.2 is not affected.
 [2018-07-27 05:03 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a7746d10a546537d566e5eac037e80227d4645f7
Log: Fixed bug #76667 (Segfault with divide-assign op and __get + __set)
 [2018-07-27 05:03 UTC] laruence@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Dec 13 23:01:24 2018 UTC