php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76989 Null pointer deference
Submitted: 2018-10-10 08:12 UTC Modified: 2018-10-10 08:18 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: 790358237 at qq dot com Assigned:
Status: Open Package: Readline related
PHP Version: 7.0.32 OS: ubuntu 16.04
Private report: No CVE-ID: None
 [2018-10-10 08:12 UTC] 790358237 at qq dot com
Description:
------------
php crash.php
Segmentation fault (core dumped)

php -v
PHP 7.0.32-0ubuntu0.16.04.1 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.32-0ubuntu0.16.04.1, Copyright (c) 1999-2017, by Zend Technologies


gdb info:
```
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x4 
RDX: 0x1 
RSI: 0x1 
RDI: 0x7fffffffa001 --> 0x7fffffffa0 
RBP: 0x7ffff3813100 --> 0x0 
RSP: 0x7fffffffa1f0 --> 0x0 
RIP: 0x7ffff0e24001 (<prompt_print+49>:	mov    esi,DWORD PTR [rbx])
R8 : 0x0 
R9 : 0x0 
R10: 0x1 
R11: 0x7ffff10468b9 --> 0x0 
R12: 0x555555ca1a58 --> 0x7ffff0e2fb20 (mov    rax,QWORD PTR [rip+0x2163f9]        # 0x7ffff1045f20)
R13: 0x555555ca1730 --> 0x555555cc1ab0 --> 0x7fff00000000 
R14: 0x555555ca1730 --> 0x555555cc1ab0 --> 0x7fff00000000 
R15: 0x7ffff3872180 --> 0x5555557fecd0 (push   r13)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff0e23ff8 <prompt_print+40>:	je     0x7ffff0e24078 <prompt_print+168>
   0x7ffff0e23ffa <prompt_print+42>:	call   QWORD PTR [r12]
   0x7ffff0e23ffe <prompt_print+46>:	mov    rbx,rax
=> 0x7ffff0e24001 <prompt_print+49>:	mov    esi,DWORD PTR [rbx]
   0x7ffff0e24003 <prompt_print+51>:	xor    ebp,ebp
   0x7ffff0e24005 <prompt_print+53>:	test   esi,esi
   0x7ffff0e24007 <prompt_print+55>:	jne    0x7ffff0e24027 <prompt_print+87>
   0x7ffff0e24009 <prompt_print+57>:	jmp    0x7ffff0e24049 <prompt_print+121>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa1f0 --> 0x0 
0008| 0x7fffffffa1f8 --> 0x555555bbaad0 ('\"' <repeats 200 times>...)
0016| 0x7fffffffa200 --> 0x7ffff3813100 --> 0x0 
0024| 0x7fffffffa208 --> 0x7fffffffa2b0 --> 0x0 
0032| 0x7fffffffa210 --> 0x0 
0040| 0x7fffffffa218 --> 0x7ffff0e2523f (<re_refresh+143>:	mov    rbx,QWORD PTR [r14+0x58])
0048| 0x7fffffffa220 --> 0x0 
0056| 0x7fffffffa228 --> 0xffff000000000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff0e24001 in prompt_print () from /usr/lib/x86_64-linux-gnu/libedit.so.2
gdb-peda$ bt
#0  0x00007ffff0e24001 in prompt_print () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#1  0x00007ffff0e2523f in re_refresh () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#2  0x00007ffff0e24689 in read_prepare () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#3  0x00007ffff0e24a1d in el_wgets () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#4  0x00007ffff0e33bc9 in el_gets () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#5  0x00007ffff0e30610 in readline () from /usr/lib/x86_64-linux-gnu/libedit.so.2
#6  0x00007ffff104d9de in zif_readline () from /usr/lib/php/20151012/readline.so
#7  0x00005555557fed1d in ?? ()
#8  0x00005555557effcb in execute_ex ()
#9  0x00005555558445f7 in zend_execute ()
#10 0x00005555557af5b3 in zend_execute_scripts ()
#11 0x000055555574e4b0 in php_execute_script ()
#12 0x00005555558462b7 in ?? ()
#13 0x00005555556309d4 in main ()
#14 0x00007ffff6413830 in __libc_start_main (main=0x555555630560 <main>, argc=0x2, argv=0x7fffffffde68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde58)
    at ../csu/libc-start.c:291
#15 0x0000555555630b19 in _start ()

```

Test script:
---------------
crash.php : https://github.com/xcainiao/poc/blob/master/php-crash.php


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-10-10 08:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-10-10 08:16 UTC] stas@php.net
Seems to be an issue in libedit, judging from the prompt.
 [2018-10-10 08:18 UTC] stas@php.net
I mean judging from the backtrace. May need to be reported there.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 12 23:01:27 2024 UTC