Bug #77261 Segmentation fault
Submitted: 2018-12-07 13:48 UTC Modified: 2019-01-02 11:44 UTC
From: pascal dot christen at hostpoint dot ch Assigned:
Status: Open Package: *General Issues
PHP Version: 7.3.0 OS: FreeBSD 11.2
Private report: No CVE-ID: None
 [2018-12-07 13:48 UTC] pascal dot christen at hostpoint dot ch
Description:
------------
Newest PHP 7.3.0 gets a segfault when trying to access index.php of a WordPress site (4.9.8, no plugins, just a new WordPress site).

Test script:
---------------
(gdb) run
Starting program: /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

Program received signal SIGSEGV, Segmentation fault.
0x0000000000599a66 in php_trim_int (str=0x5abbb0 <php_addslashes_sse42>, what=0x802a1e658 "/", what_len=1, mode=3) at ext/standard/string.c:811
811	ext/standard/string.c: No such file or directory.
(gdb) zbacktrace 
[0x802c20750] trim("\0\0\0\0H\37777777603\37777777675p\37777777777\37777777777\37777777777\0\17\37777777605\26\0\0\0H\37777777613\5wnh\0H\37777777613\0H\37777777611\37777777605x\37777777777\37777777777\37777777777\377777777512\10\0\0H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603\37777777700\30H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777613\37777777615p\37777777777\37777777777\37777777777H\3A\20H\37777777611\377777776050\37777777777\37777777777\37777777777H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603x\20\17\17\37777777606\37777777653\0\0\0H\37777777615\5\37777777734\377777777227\0H\37777777611E\37777777600H\37777777613E\37777777600f\17o\0f\17\177\37777777605`\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777611E\37777777610H\37777777613E\37777777610\17\20\0\17)\37777777605P\37777777777\37777777777\37777777777\17(\37777777605`\37777777777\37777777777\37777777777\17(\37777777615P\37777777777\37777777777\37777777777\37777777670\4\0\0\0\37777777672\20\0\0\0f\17:`\37777777701\0\17)E\37777777700\17(E\37777777700\17)E\37777777660\37777777613E\37777777660\37777777611\37777777605L\37777777777\37777777777\37777777777\37777777603\37777777675L\37777777777\37777777777\37777777777\0\17\37777777604\5\0\0\0\37777777751\37777777752\0\0\0H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777603\37777777700\20H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776050\37777777777\37777777777\37777777777H\37777777613\377777776158\37777777777\37777777777\37777777777H)...", "/") [internal function]
[0x802c1f3a0] WP->parse_request("") /home/wordpress/wp-includes/class-wp.php:185 
[0x802c1f2b0] WP->main("") /home/wordpress/wp-includes/class-wp.php:713 
[0x802c1f1e0] wp() /home/wordpress/wp-includes/functions.php:964 
[0x802c1f0c0] (main) /home/wordpress/wp-blog-header.php:16 
[0x802c1f030] (main) /home/wordpress/index.php:17 

History

 [2018-12-08 13:05 UTC] cmb@php.net
php_trim_int() seems to be called with a function pointer instead
of a zend_string pointer, which may hint at an earlier memory
corruption.  Can you please run this with valgrind, i.e.

  USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

valgrind may point out additional useful command line options,
which you then should apply.  Finally, please post the valgrind
output either here, or somewhere else and link it.
 [2018-12-27 12:50 UTC] pascal dot christen at hostpoint dot ch
USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

==79294== Conditional jump or move depends on uninitialised value(s)
==79294==    at 0x5BB586: zend_string_equal_val (in /usr/local/php73/bin/php)
==79294==    by 0x5DC006: ZEND_IS_NOT_EQUAL_SPEC_CV_TMPVAR_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== Invalid read of size 1
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294==  Address 0xfed854dfdd7195f is not stack'd, malloc'd or (recently) free'd
==79294== 
==79294== 
==79294== Process terminating with default action of signal 10 (SIGBUS): dumping core
==79294==  Hardware error at address 0x4042E0385
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== HEAP SUMMARY:
==79294==     in use at exit: 19,278,437 bytes in 85,364 blocks
==79294==   total heap usage: 319,896 allocs, 234,532 frees, 88,933,994 bytes allocated
==79294== 
==79294== LEAK SUMMARY:
==79294==    definitely lost: 0 bytes in 0 blocks
==79294==    indirectly lost: 0 bytes in 0 blocks
==79294==      possibly lost: 6,142,571 bytes in 35,101 blocks
==79294==    still reachable: 13,135,866 bytes in 50,263 blocks
==79294==         suppressed: 0 bytes in 0 blocks
==79294== Rerun with --leak-check=full to see details of leaked memory
==79294== 
==79294== For counts of detected and suppressed errors, rerun with: -v
==79294== Use --track-origins=yes to see where uninitialised values come from
==79294== ERROR SUMMARY: 130770 errors from 143 contexts (suppressed: 45 from 8)
Bus error


If you'd like the "--leak-check=full" output, let me know and I'll send it to you by e-mail.
 [2019-01-02 11:44 UTC] nikic@php.net
This looks somewhat related to bug #77284. The fact that the pointer is php_addslashes_sse42 in particular makes me think that the ifunc resolver functionality on FreeBSD writes the resolved function to the wrong memory location.
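To make the ifunc hypothesis concrete: a GNU indirect function is a symbol whose target is not fixed at link time. The dynamic loader calls a resolver while processing the executable's IRELATIVE relocations (before main() runs), and stores the address the resolver returns in the slot that calls to the symbol go through. If the loader stores that address into the wrong slot, an unrelated pointer ends up holding a code address, which is exactly what the backtrace shows (a zend_string pointer equal to php_addslashes_sse42). The program below is an added example of that dispatch pattern, not PHP's code; the function names and the word-at-a-time "fast path" (a stand-in for an SSE4.2 implementation, kept portable so it builds on any machine) are assumptions. On glibc/ELF it uses a real ifunc; elsewhere it falls back to the same selection done in user code.

```c
/* Added example (not PHP's code): runtime dispatch of a string routine
 * through a GNU ifunc resolver, the mechanism behind the
 * php_addslashes_sse42 symbol in the backtrace. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*count_fn)(const char *, size_t);

/* Baseline: byte-at-a-time count of '/' characters. */
static size_t count_slashes_scalar(const char *s, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (s[i] == '/');
    return c;
}

/* "Optimised" path: 8 bytes per step (stand-in for an SSE4.2 routine).
 * XOR with repeated '/' turns matching bytes into 0x00; the exact
 * zero-byte test below has no cross-byte borrow, so counting is exact. */
static size_t count_slashes_swar(const char *s, size_t n)
{
    const uint64_t lo7 = 0x7F7F7F7F7F7F7F7FULL;
    size_t c = 0, i = 0;
    for (; i + 8 <= n; i += 8) {
        uint64_t w;
        memcpy(&w, s + i, 8);
        uint64_t x = w ^ 0x2F2F2F2F2F2F2F2FULL;          /* '/' == 0x2F */
        uint64_t t = ((x & lo7) + lo7) | x | lo7;         /* byte 0x7F iff zero */
        c += (size_t)__builtin_popcountll(~t);            /* one bit per zero byte */
    }
    return c + count_slashes_scalar(s + i, n - i);
}

/* Resolver: run once by the dynamic loader, before main(). Constructors
 * have not run yet, so the CPU feature table must be initialised here. */
static count_fn resolve_count_slashes(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
    __builtin_cpu_init();
    if (__builtin_cpu_supports("sse4.2"))
        return count_slashes_swar;
#endif
    return count_slashes_scalar;
}

#if defined(__ELF__) && defined(__GLIBC__)
/* Real ifunc: the loader writes the resolver's result into the slot that
 * calls to count_slashes() go through (an IRELATIVE relocation). */
size_t count_slashes(const char *s, size_t n)
    __attribute__((ifunc("resolve_count_slashes")));
#else
/* No ifunc support: same selection, done in user code on first call. */
size_t count_slashes(const char *s, size_t n)
{
    static count_fn impl;
    if (!impl)
        impl = resolve_count_slashes();
    return impl(s, n);
}
#endif

/* Sanity check a practitioner would run: both implementations and the
 * dispatched symbol must agree on the same input. Returns 1 on agreement. */
int impls_agree(const char *s, size_t n)
{
    size_t a = count_slashes_scalar(s, n);
    size_t b = count_slashes_swar(s, n);
    size_t d = count_slashes(s, n);
    return a == b && b == d;
}

int main(void)
{
    /* Constructed sample input, taken from the path shape in the backtrace. */
    const char sample[] = "/home/wordpress/wp-includes/class-wp.php";
    printf("slashes: %zu (%s path)\n",
           count_slashes(sample, sizeof sample - 1),
           resolve_count_slashes() == count_slashes_swar ? "swar" : "scalar");
    printf("implementations agree: %d\n", impls_agree(sample, sizeof sample - 1));
    return 0;
}
```

To see which symbols in a binary are dispatched this way, list its symbol tables and look for the IFUNC type, e.g. `readelf -s /usr/local/php73/bin/php | grep IFUNC`; if that list is empty, the build is not using resolvers at all and the hypothesis above would not apply. Note that taking the address of an ifunc symbol (`&count_slashes`) does not give the implementation's address on every toolchain, so compare results, as `impls_agree()` does, rather than function pointers.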
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 04:01:25 2019 UTC