Bug #77261 Segmentation fault
Submitted: 2018-12-07 13:48 UTC Modified: 2021-08-08 04:22 UTC
Votes: 1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: pascal dot christen at hostpoint dot ch Assigned: cmb (profile)
Status: No Feedback Package: *General Issues
PHP Version: 7.3.0 OS: FreeBSD 11.2
Private report: No CVE-ID: None
 [2018-12-07 13:48 UTC] pascal dot christen at hostpoint dot ch
Description:
------------
The newest PHP 7.3.0 gets a segfault when trying to access index.php of a WordPress site (4.9.8, no plugins, just a new WordPress site).

Test script:
---------------
(gdb) run
Starting program: /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

Program received signal SIGSEGV, Segmentation fault.
0x0000000000599a66 in php_trim_int (str=0x5abbb0 <php_addslashes_sse42>, what=0x802a1e658 "/", what_len=1, mode=3) at ext/standard/string.c:811
811	ext/standard/string.c: No such file or directory.
(gdb) zbacktrace 
[0x802c20750] trim("\0\0\0\0H\37777777603\37777777675p\37777777777\37777777777\37777777777\0\17\37777777605\26\0\0\0H\37777777613\5wnh\0H\37777777613\0H\37777777611\37777777605x\37777777777\37777777777\37777777777\377777777512\10\0\0H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603\37777777700\30H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777613\37777777615p\37777777777\37777777777\37777777777H\3A\20H\37777777611\377777776050\37777777777\37777777777\37777777777H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603x\20\17\17\37777777606\37777777653\0\0\0H\37777777615\5\37777777734\377777777227\0H\37777777611E\37777777600H\37777777613E\37777777600f\17o\0f\17\177\37777777605`\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777611E\37777777610H\37777777613E\37777777610\17\20\0\17)\37777777605P\37777777777\37777777777\37777777777\17(\37777777605`\37777777777\37777777777\37777777777\17(\37777777615P\37777777777\37777777777\37777777777\37777777670\4\0\0\0\37777777672\20\0\0\0f\17:`\37777777701\0\17)E\37777777700\17(E\37777777700\17)E\37777777660\37777777613E\37777777660\37777777611\37777777605L\37777777777\37777777777\37777777777\37777777603\37777777675L\37777777777\37777777777\37777777777\0\17\37777777604\5\0\0\0\37777777751\37777777752\0\0\0H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777603\37777777700\20H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776050\37777777777\37777777777\37777777777H\37777777613\377777776158\37777777777\37777777777\37777777777H)...", "/") [internal function]
[0x802c1f3a0] WP->parse_request("") /home/wordpress/wp-includes/class-wp.php:185 
[0x802c1f2b0] WP->main("") /home/wordpress/wp-includes/class-wp.php:713 
[0x802c1f1e0] wp() /home/wordpress/wp-includes/functions.php:964 
[0x802c1f0c0] (main) /home/wordpress/wp-blog-header.php:16 
[0x802c1f030] (main) /home/wordpress/index.php:17 
 [2018-12-08 13:05 UTC] cmb@php.net
php_trim_int() seems to be called with a function pointer instead
of a zend_string pointer, which may hint at an earlier memory
corruption.  Can you please run this with valgrind, i.e.

  USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

valgrind may point out additional useful command line options,
which you then should apply.  Finally, please post the valgrind
output either here, or somewhere else and link it.
 [2018-12-27 12:50 UTC] pascal dot christen at hostpoint dot ch
USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

==79294== Conditional jump or move depends on uninitialised value(s)
==79294==    at 0x5BB586: zend_string_equal_val (in /usr/local/php73/bin/php)
==79294==    by 0x5DC006: ZEND_IS_NOT_EQUAL_SPEC_CV_TMPVAR_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== Invalid read of size 1
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294==  Address 0xfed854dfdd7195f is not stack'd, malloc'd or (recently) free'd
==79294== 
==79294== 
==79294== Process terminating with default action of signal 10 (SIGBUS): dumping core
==79294==  Hardware error at address 0x4042E0385
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== HEAP SUMMARY:
==79294==     in use at exit: 19,278,437 bytes in 85,364 blocks
==79294==   total heap usage: 319,896 allocs, 234,532 frees, 88,933,994 bytes allocated
==79294== 
==79294== LEAK SUMMARY:
==79294==    definitely lost: 0 bytes in 0 blocks
==79294==    indirectly lost: 0 bytes in 0 blocks
==79294==      possibly lost: 6,142,571 bytes in 35,101 blocks
==79294==    still reachable: 13,135,866 bytes in 50,263 blocks
==79294==         suppressed: 0 bytes in 0 blocks
==79294== Rerun with --leak-check=full to see details of leaked memory
==79294== 
==79294== For counts of detected and suppressed errors, rerun with: -v
==79294== Use --track-origins=yes to see where uninitialised values come from
==79294== ERROR SUMMARY: 130770 errors from 143 contexts (suppressed: 45 from 8)
Bus error


If you like the "--leak-check=full" output let me know, I'll send it to you by e-mail.
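The valgrind run requested above produces a long stream of `==PID==` lines, and the useful signal is the first error block and the ERROR SUMMARY, not the leak totals. The script below is an added example, not part of this bug report or of php-src: it builds the exact command line cmb asked for (`USE_ZEND_ALLOC=0`, `php -n`, the explicit `-dextension=` flags, plus the `--track-origins=yes` and `--leak-check=full` options valgrind itself suggests in the posted output), and parses the result into findings with their stack frames so the earliest error can be picked out. The sample output embedded in it is a constructed, abridged version of what was posted here; the function and variable names are this example's own.

```python
"""Run a PHP script under valgrind as requested in this report and parse the
output into structured findings. Added example, not code from the report or
from php-src; SAMPLE_OUTPUT is a constructed, abridged copy of the posted log."""
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Options the posted output itself recommends ("Use --track-origins=yes ...").
VALGRIND_ARGS = ["--track-origins=yes", "--leak-check=full"]

# Error headers valgrind prints; each one starts a new finding.
KINDS = (
    "Invalid read", "Invalid write", "Invalid free", "Mismatched free",
    "Conditional jump or move depends on uninitialised value",
    "Use of uninitialised value", "Process terminating",
)

PREFIX = re.compile(r"^==(\d+)==\s?(.*)$")                    # "==PID== body"
FRAME = re.compile(r"^\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)")  # "at 0x..: sym"
SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts")


def valgrind_env(base: Optional[dict] = None) -> dict:
    """USE_ZEND_ALLOC=0 makes PHP hand every allocation to libc malloc, so
    valgrind sees overflows and use-after-free that the Zend MM would hide."""
    env = dict(os.environ if base is None else base)
    env["USE_ZEND_ALLOC"] = "0"
    return env


def valgrind_command(php_bin: str, script: str, extensions=()) -> List[str]:
    """php -n (no php.ini) plus only the extensions named explicitly."""
    cmd = ["valgrind", *VALGRIND_ARGS, php_bin, "-n"]
    cmd += [f"-dextension={ext}" for ext in extensions]
    cmd.append(script)
    return cmd


@dataclass
class Finding:
    kind: str
    frames: List[str] = field(default_factory=list)   # innermost frame first


@dataclass
class Report:
    findings: List[Finding]
    error_count: Optional[int]
    contexts: Optional[int]


def parse_valgrind(text: str) -> Report:
    """Group valgrind's ==PID== lines into findings with their stack frames."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    error_count = contexts = None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                      # program output, e.g. "Bus error"
        body = m.group(2)
        s = SUMMARY.search(body)
        if s:
            error_count, contexts = int(s.group(1)), int(s.group(2))
        elif any(body.startswith(k) for k in KINDS):
            current = Finding(kind=body.strip())
            findings.append(current)
        elif (f := FRAME.match(body)) and current is not None:
            current.frames.append(f.group(1))
        elif not body.strip():
            current = None                # blank ==PID== line ends a finding
    return Report(findings, error_count, contexts)


def first_finding(report: Report):
    """The earliest error is the one to chase; later ones are usually fallout."""
    if not report.findings:
        return None
    f = report.findings[0]
    return f.kind, (f.frames[0] if f.frames else None)


def run_under_valgrind(php_bin: str, script: str, extensions=()) -> Report:
    """Run the script; valgrind writes its report to stderr."""
    proc = subprocess.run(valgrind_command(php_bin, script, extensions),
                          env=valgrind_env(), capture_output=True, text=True)
    return parse_valgrind(proc.stderr)


# Constructed, abridged sample in the shape of the output posted in the report.
SAMPLE_OUTPUT = """\
==79294== Conditional jump or move depends on uninitialised value(s)
==79294==    at 0x5BB586: zend_string_equal_val (in /usr/local/php73/bin/php)
==79294==    by 0x5DC006: ZEND_IS_NOT_EQUAL_SPEC_CV_TMPVAR_HANDLER (in /usr/local/php73/bin/php)
==79294==
==79294== Invalid read of size 1
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==  Address 0xfed854dfdd7195f is not stack'd, malloc'd or (recently) free'd
==79294==
==79294== Process terminating with default action of signal 10 (SIGBUS): dumping core
==79294==  Hardware error at address 0x4042E0385
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==
==79294== ERROR SUMMARY: 130770 errors from 143 contexts (suppressed: 45 from 8)
Bus error
"""

if __name__ == "__main__":
    report = parse_valgrind(SAMPLE_OUTPUT)
    for fnd in report.findings:
        print(f"{fnd.kind}: {' <- '.join(fnd.frames)}")
    print("first error to chase:", first_finding(report))
```

On the posted log this picks out the uninitialised-value read in `zend_string_equal_val` as the first error, which comes before the invalid read in `zif_trim` and is the more likely place to look for the earlier memory corruption cmb suspected; `run_under_valgrind` is the same procedure applied to a live binary.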
 [2019-01-02 11:44 UTC] nikic@php.net
This looks somewhat related to bug #77284. The fact that the pointer is php_addslashes_sse42 in particular makes me think that the ifunc resolver functionality on FreeBSD writes the resolved function to the wrong memory location.
 [2021-07-26 13:28 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-07-26 13:28 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-08-08 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
Last updated: Sun Sep 08 17:01:28 2024 UTC