PHP :: Bug #77261 :: Segmentation fault

Bug #77261

Segmentation fault

Submitted:

2018-12-07 13:48 UTC

Modified:

2021-08-08 04:22 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

pascal dot christen at hostpoint dot ch

Assigned:

cmb (profile)

Status:

No Feedback

Package:

*General Issues

PHP Version:

7.3.0

OS:

FreeBSD 11.2

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 38 + 50 = ?
Subscribe to this entry?

[2018-12-07 13:48 UTC] pascal dot christen at hostpoint dot ch

Description:
------------
Newest PHP 7.3.0 get Segfault when try to access index.php of a wordpress (4.9.8 - no plugins just a new wordpress site) site. 

Test script:
---------------
(gdb) run
Starting program: /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

Program received signal SIGSEGV, Segmentation fault.
0x0000000000599a66 in php_trim_int (str=0x5abbb0 <php_addslashes_sse42>, what=0x802a1e658 "/", what_len=1, mode=3) at ext/standard/string.c:811
811	ext/standard/string.c: No such file or directory.
(gdb) zbacktrace 
[0x802c20750] trim("\0\0\0\0H\37777777603\37777777675p\37777777777\37777777777\37777777777\0\17\37777777605\26\0\0\0H\37777777613\5wnh\0H\37777777613\0H\37777777611\37777777605x\37777777777\37777777777\37777777777\377777777512\10\0\0H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603\37777777700\30H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777613\37777777615p\37777777777\37777777777\37777777777H\3A\20H\37777777611\377777776050\37777777777\37777777777\37777777777H\37777777613\37777777605p\37777777777\37777777777\37777777777H\37777777603x\20\17\17\37777777606\37777777653\0\0\0H\37777777615\5\37777777734\377777777227\0H\37777777611E\37777777600H\37777777613E\37777777600f\17o\0f\17\177\37777777605`\37777777777\37777777777\37777777777H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777611E\37777777610H\37777777613E\37777777610\17\20\0\17)\37777777605P\37777777777\37777777777\37777777777\17(\37777777605`\37777777777\37777777777\37777777777\17(\37777777615P\37777777777\37777777777\37777777777\37777777670\4\0\0\0\37777777672\20\0\0\0f\17:`\37777777701\0\17)E\37777777700\17(E\37777777700\17)E\37777777660\37777777613E\37777777660\37777777611\37777777605L\37777777777\37777777777\37777777777\37777777603\37777777675L\37777777777\37777777777\37777777777\0\17\37777777604\5\0\0\0\37777777751\37777777752\0\0\0H\37777777613\377777776058\37777777777\37777777777\37777777777H\37777777603\37777777700\20H\37777777611\377777776058\37777777777\37777777777\37777777777H\37777777613\377777776050\37777777777\37777777777\37777777777H\37777777613\377777776158\37777777777\37777777777\37777777777H)...", "/") [internal function]
[0x802c1f3a0] WP->parse_request("") /home/wordpress/wp-includes/class-wp.php:185 
[0x802c1f2b0] WP->main("") /home/wordpress/wp-includes/class-wp.php:713 
[0x802c1f1e0] wp() /home/wordpress/wp-includes/functions.php:964 
[0x802c1f0c0] (main) /home/wordpress/wp-blog-header.php:16 
[0x802c1f030] (main) /home/wordpress/index.php:17

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-12-08 13:05 UTC] cmb@php.net

php_trim_int() seems to be called with a function pointer instead
of a zend_string pointer, which may hint at an earlier memory
corruption.  Can you please run this with valgrind, i.e.

  USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

valgrind may point out additional useful command line options,
which you then should apply.  Finally, please post the valgrind
output either here, or somewhere else and link it.

[2018-12-27 12:50 UTC] pascal dot christen at hostpoint dot ch

USE_ZEND_ALLOC=0 valgrind /usr/local/php73/bin/php -n -dextension=mysqli.so index.php

==79294== Conditional jump or move depends on uninitialised value(s)
==79294==    at 0x5BB586: zend_string_equal_val (in /usr/local/php73/bin/php)
==79294==    by 0x5DC006: ZEND_IS_NOT_EQUAL_SPEC_CV_TMPVAR_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== Invalid read of size 1
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294==  Address 0xfed854dfdd7195f is not stack'd, malloc'd or (recently) free'd
==79294== 
==79294== 
==79294== Process terminating with default action of signal 10 (SIGBUS): dumping core
==79294==  Hardware error at address 0x4042E0385
==79294==    at 0x4D3800: zif_trim (in /usr/local/php73/bin/php)
==79294==    by 0x622C00: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (in /usr/local/php73/bin/php)
==79294==    by 0x5D4067: execute_ex (in /usr/local/php73/bin/php)
==79294==    by 0x5D4225: zend_execute (in /usr/local/php73/bin/php)
==79294==    by 0x58EE74: zend_execute_scripts (in /usr/local/php73/bin/php)
==79294==    by 0x52A411: php_execute_script (in /usr/local/php73/bin/php)
==79294==    by 0x64F0F8: do_cli (in /usr/local/php73/bin/php)
==79294==    by 0x64E091: main (in /usr/local/php73/bin/php)
==79294== 
==79294== HEAP SUMMARY:
==79294==     in use at exit: 19,278,437 bytes in 85,364 blocks
==79294==   total heap usage: 319,896 allocs, 234,532 frees, 88,933,994 bytes allocated
==79294== 
==79294== LEAK SUMMARY:
==79294==    definitely lost: 0 bytes in 0 blocks
==79294==    indirectly lost: 0 bytes in 0 blocks
==79294==      possibly lost: 6,142,571 bytes in 35,101 blocks
==79294==    still reachable: 13,135,866 bytes in 50,263 blocks
==79294==         suppressed: 0 bytes in 0 blocks
==79294== Rerun with --leak-check=full to see details of leaked memory
==79294== 
==79294== For counts of detected and suppressed errors, rerun with: -v
==79294== Use --track-origins=yes to see where uninitialised values come from
==79294== ERROR SUMMARY: 130770 errors from 143 contexts (suppressed: 45 from 8)
Bus error


If you like the "--leak-check=full" output let me know, I'll send it to you by e-mail.

[2019-01-02 11:44 UTC] nikic@php.net

This looks somewhat related to bug #77284. The fact that the pointer is php_addslashes_sse42 in particular makes me think that the ifunc resolver functionality on FreeBSD writes the resolved function to the wrong memory location.

[2021-07-26 13:28 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-07-26 13:28 UTC] cmb@php.net

Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-08-08 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 03:01:27 2024 UTC