Bug #76813 Access_violation_near_NULL_on_source_operand
Submitted: 2018-08-30 07:19 UTC Modified: 2021-01-11 16:25 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (100.0%)
From: songmingxuan at cert dot org dot cn Assigned:
Status: Re-Opened Package: Reproducible crash
PHP Version: 7.2.9 OS: ubuntu/windows
Private report: No CVE-ID: None
 [2018-08-30 07:19 UTC] songmingxuan at cert dot org dot cn
Description:
------------
First, run phpdbg.
Then input the string "#!==)===\377\377\276\242="

for example:
-------------
prompt> "#!==)===\377\377\276\242="
[PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 4257214139 bytes) in Unknown on line 0]
[Could not find information about included file...]
prompt>
------------
Inputting the string again crashes the program.

Test script:
---------------
Input the string "#!==)===\377\377\276\242=" in phpdbg.

Expected result:
----------------
I hope the program runs as usual, the same as in CMD, and does not crash.


History

 [2018-08-30 07:44 UTC] songmingxuan at cert dot org dot cn
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2018-08-30 07:44 UTC] songmingxuan at cert dot org dot cn
It could be a safety issue.
 [2018-08-30 09:34 UTC] cmb@php.net
If this issue affects phpdbg only, it wouldn't be a security issue.
 [2018-08-30 09:53 UTC] songmingxuan at cert dot org dot cn
Well! Thank you for your reply. Your confirmation is authoritative. I changed it to bug. But it is indeed a problem. I still hope that you can rectify it. Thank you very much.
 [2018-08-30 10:05 UTC] songmingxuan at cert dot org dot cn
I can't change the title to a bug here. No privileges. I hope you can change the Sec Bug to Bug. Thanks!
 [2018-08-30 10:22 UTC] songmingxuan at cert dot org dot cn
I just ran it under GDB. The displayed information is:
----------
#0  __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:578
#1  0x08ed3f23 in memcpy (__len=0x485fdf7a, __src=0xb7a02080, __dest=<optimized out>) at /usr/include/i386-linux-gnu/bits/string3.h:53
#2  _estrndup (s=0xb7a02080 "#!==)===377377376242=\\242=\"\n", length=length@entry=0x485fdf7a)
    at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2538
#3  0x093c5c9b in phpdbg_lex (yylval=0xbfff9760) at sapi/phpdbg/phpdbg_lexer.l:163
#4  0x093c17f5 in phpdbg_parse () at sapi/phpdbg/phpdbg_parser.c:1392
#5  0x093c2251 in phpdbg_do_parse (stack=0xbfffbca0, input=0xb7a02080 "#!==)===377377376242=\\242=\"\n") at sapi/phpdbg/phpdbg_parser.y:204
#6  0x093db78a in phpdbg_interactive (allow_async_unsafe=0x1, input=0x0) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg_prompt.c:1622
#7  0x093b9684 in php_sapi_phpdbg_log_message (
    message=0xb7a6a000 "PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 1214242715 bytes) in Unknown on line 0", syslog_type_int=0x3) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg.c:887
#8  0x0807315e in php_log_err_with_severity (
    log_message=0xb7a6a000 "PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 1214242715 bytes) in Unknown on line 0", syslog_type_int=0x3) at /home/s/Desktop/php-7.2.8/main/main.c:726
#9  0x08074101 in php_error_cb (type=0x1, error_filename=0x9468fa0 "Unknown", error_lineno=0x0, 
    format=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)", args=0xbfffbea8 "")
    at /home/s/Desktop/php-7.2.8/main/main.c:1163
#10 0x0807b443 in zend_error (type=0x1, format=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)")
    at /home/s/Desktop/php-7.2.8/Zend/zend.c:1230
#11 0x08079c2e in zend_mm_safe_error (
    format=format@entry=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)", limit=0x8000000, 
    size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:380
#12 0x08ec1086 in zend_mm_alloc_huge (size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:1738
#13 zend_mm_alloc_heap (size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:1369
#14 _zend_mm_alloc (heap=0xb7a00040, size=0x485fdf9b) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2270
#15 0x08ed3f82 in _emalloc (size=0x485fdf9b) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2429
#16 _estrndup (s=0xb7a02060 "#!==)===377377376242=\\242=\"\n", length=length@entry=0x485fdf9a)
    at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2537
#17 0x093c5c9b in phpdbg_lex (yylval=0xbfffc070) at sapi/phpdbg/phpdbg_lexer.l:163
#18 0x093c17f5 in phpdbg_parse () at sapi/phpdbg/phpdbg_parser.c:1392
#19 0x093c2251 in phpdbg_do_parse (stack=0xbfffe5b0, input=0xb7a02060 "#!==)===377377376242=\\242=\"\n") at sapi/phpdbg/phpdbg_parser.y:204
#20 0x093db78a in phpdbg_interactive (allow_async_unsafe=0x1, input=0x0) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg_prompt.c:1622
#21 0x0808951a in main (argc=0x1, argv=0xbfffeff4) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg.c:2001
#22 0xb7c40637 in __libc_start_main (main=0x8084ba0 <main>, argc=0x1, argv=0xbfffeff4, init=0x9468640 <__libc_csu_init>, 
    fini=0x94686a0 <__libc_csu_fini>, rtld_fini=0xb7fea880 <_dl_fini>, stack_end=0xbfffefec) at ../csu/libc-start.c:291
#23 0x0808a857 in _start ()
---------
Please check it over there. ;)
 [2018-08-30 11:25 UTC] remi@php.net
-Type: Security +Type: Bug
 [2018-09-06 14:42 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-09-06 14:42 UTC] cmb@php.net
The problem is that the lexer doesn't properly recognize the end
of the input, and calculates yyleng based on YYCURSOR[1], which
may be zero.  It seems to me that this also may result in a memory
corruption, since entering the string on the prompt again, leads
to a crash (tested on Windows).

[1] <https://github.com/php/php-src/blob/php-7.3.0beta3/sapi/phpdbg/phpdbg_lexer.l#L87>
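To make the failure mode described above concrete, here is an added C example (a hypothetical scanner, not phpdbg's or re2c's code; INPUT and the function names are assumptions) that models a token length computed as YYCURSOR - yytext: the unchecked form wraps a negative pointer difference into a huge size_t, which is the kind of length estrndup/memcpy receive in the backtrace, while the checked form rejects a cursor outside [yytext, limit] before anything is allocated or copied.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical re2c-style scanner state (not phpdbg's own code). */
typedef struct {
    const char *start;   /* yytext: where the current token began */
    const char *cursor;  /* YYCURSOR: current scan position */
    const char *limit;   /* YYLIMIT: one past the last input byte */
} lexer_t;
/* yyleng as a bare pointer difference: if no rule matched and nothing reset
 * the scanner, cursor may sit before start and the result wraps to a huge
 * size_t, which then reaches an estrndup/memcpy call. */
size_t token_len_unchecked(const lexer_t *lx) {
    return (size_t)(lx->cursor - lx->start);
}
/* Hardened variant: accept only a cursor inside [start, limit]. */
int token_len_checked(const lexer_t *lx, size_t *len) {
    if (lx->cursor < lx->start || lx->cursor > lx->limit) return -1;
    *len = (size_t)(lx->cursor - lx->start);
    return 0;
}
/* Guarded estrndup(yytext, yyleng) equivalent; caller frees the result. */
char *token_dup(const lexer_t *lx) {
    size_t len;
    if (token_len_checked(lx, &len) != 0) return NULL;
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, lx->start, len);
    out[len] = '\0';
    return out;
}
static const char INPUT[] = "#!==)===";  /* constructed sample prompt line */
#define INPUT_END (INPUT + sizeof(INPUT) - 1)
/* Scanner state after a failed match: start was left ahead of cursor. */
size_t bad_len_unchecked(void) {
    lexer_t lx = { INPUT + 5, INPUT + 2, INPUT_END };
    return token_len_unchecked(&lx);  /* SIZE_MAX - 2, not 3 */
}
int bad_state_rejected(void) {
    lexer_t lx = { INPUT + 5, INPUT + 2, INPUT_END };
    size_t n;
    return token_len_checked(&lx, &n) == -1 && token_dup(&lx) == NULL;
}
int good_state_copies(void) {  /* an ordinary token "#!=" still works */
    lexer_t lx = { INPUT, INPUT + 3, INPUT_END };
    char *s = token_dup(&lx);
    int ok = s != NULL && strcmp(s, "#!=") == 0;
    free(s);
    return ok;
}
```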
 [2018-09-06 15:02 UTC] songmingxuan at cert dot org dot cn
This problem may be an integer overflow problem. It seems to affect phpdbg only. I suggest you repair it.
 [2020-11-27 15:04 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-11-27 15:05 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #76813: Access_violation_near_NULL_on_source_operand
On GitHub:  https://github.com/php/php-src/pull/6464
Patch:      https://github.com/php/php-src/pull/6464.patch
 [2020-11-30 11:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e15c9c41f8318a8392c2e2c78544f218736549c
Log: Fix #76813: Access violation near NULL on source operand
 [2020-11-30 11:34 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-12-15 16:00 UTC] derick@php.net
Automatic comment on behalf of github@derickrethans.nl
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a668ce82de2987502268a10c2b867b66d24d0708
Log: Revert "Fix #76813: Access violation near NULL on source operand"
 [2020-12-15 16:26 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened
 [2020-12-15 16:26 UTC] cmb@php.net
The fix has been reverted from PHP-7.4 for now, because it is
incompatible with re2c 0.13.5.
 [2021-01-04 10:12 UTC] cmb@php.net
-Status: Re-Opened +Status: Closed
 [2021-01-04 10:12 UTC] cmb@php.net
After further consideration, I see no point in working around
missing support for default rules in very old re2c versions.
After all, the segfault only occurs for erroneous input, so it
shouldn't be a real issue in practice anyway, which is confirmed by
the age of this ticket with no further input.

So, for the record, this is fixed as of PHP 8.0.0.
 [2021-01-11 12:23 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25103c37aa6d7b2da506e35e675177993c200268
Log: Revert "Fix #76813: Access violation near NULL on source operand"
 [2021-01-11 16:25 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened -Assigned To: cmb +Assigned To:
 [2021-01-11 16:25 UTC] cmb@php.net
The bugfix had to be reverted from all branches, because we cannot
yet require re2c 0.13.7 even for PHP 8.0 due to re2c 0.13.5 being
the default on CentOS 7.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 08:01:28 2024 UTC