Bug #78114 segfault when calling sodium_* functions from eval
Submitted: 2019-06-05 18:22 UTC
Modified: 2019-06-06 08:00 UTC
From: alex at buayacorp dot com
Assigned: cmb
Status: Closed
Package: Reproducible crash
PHP Version: 7.3.6
OS: Debian Stretch
Private report: No
CVE-ID: None
 [2019-06-05 18:22 UTC] alex at buayacorp dot com
Description:
------------
When calling sodium_* functions that throw exceptions in an `eval` statement, a script running in PHP 7.3 segfaults.

See https://3v4l.org/4BGMP

Test script:
---------------
<?php

eval('sodium_bin2hex();');

Expected result:
----------------
A PHP fatal error

Actual result:
--------------
$ php -r "eval('sodium_bin2hex();');";echo $?
Segmentation fault
139

 [2019-06-05 19:30 UTC] alex at buayacorp dot com
Here's the backtrace with a PHP 7.3 cli compiled with `./configure --disable-all --enable-debug --with-sodium`


alex@atoq-builder:~$ gdb php-src/sapi/cli/php
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
...
Reading symbols from php-src/sapi/cli/php...done.
(gdb) run -r "eval('sodium_bin2hex();');"
Starting program: /home/alex/php-src/sapi/cli/php -r "eval('sodium_bin2hex();');"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555558fc892 in i_zval_ptr_dtor (zval_ptr=0x0, __zend_filename=0x555555afc128 "/home/alex/php-src/Zend/zend_variables.c", __zend_lineno=111) at /home/alex/php-src/Zend/zend_variables.h:41
41		if (Z_REFCOUNTED_P(zval_ptr)) {
(gdb) bt
#0  0x00005555558fc892 in i_zval_ptr_dtor (zval_ptr=0x0, __zend_filename=0x555555afc128 "/home/alex/php-src/Zend/zend_variables.c", __zend_lineno=111) at /home/alex/php-src/Zend/zend_variables.h:41
#1  0x00005555558fcb2b in zval_ptr_dtor (zval_ptr=0x0) at /home/alex/php-src/Zend/zend_variables.c:111
#2  0x0000555555743397 in sodium_remove_param_values_from_backtrace (obj=0x7ffff667c000) at /home/alex/php-src/ext/sodium/libsodium.c:390
#3  0x0000555555748b86 in zif_sodium_bin2hex (execute_data=0x7ffff661e0f0, return_value=0x7fffffffcc60) at /home/alex/php-src/ext/sodium/libsodium.c:2678
#4  0x00005555559624b9 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/alex/php-src/Zend/zend_vm_execute.h:645
#5  0x00005555559c9803 in execute_ex (ex=0x7ffff661e030) at /home/alex/php-src/Zend/zend_vm_execute.h:55461
#6  0x00005555559cee1e in zend_execute (op_array=0x7ffff6678300, return_value=0x7fffffffcf60) at /home/alex/php-src/Zend/zend_vm_execute.h:60881
#7  0x00005555558ea432 in zend_eval_stringl (str=0x555555e58ae0 "eval('sodium_bin2hex();');", str_len=26, retval_ptr=0x0, string_name=0x555555b09bfc "Command line code") at /home/alex/php-src/Zend/zend_execute_API.c:1018
#8  0x00005555558ea5cd in zend_eval_stringl_ex (str=0x555555e58ae0 "eval('sodium_bin2hex();');", str_len=26, retval_ptr=0x0, string_name=0x555555b09bfc "Command line code", handle_exceptions=1) at /home/alex/php-src/Zend/zend_execute_API.c:1059
#9  0x00005555558ea645 in zend_eval_string_ex (str=0x555555e58ae0 "eval('sodium_bin2hex();');", retval_ptr=0x0, string_name=0x555555b09bfc "Command line code", handle_exceptions=1) at /home/alex/php-src/Zend/zend_execute_API.c:1070
#10 0x00005555559d1908 in do_cli (argc=3, argv=0x555555e58a60) at /home/alex/php-src/sapi/cli/php_cli.c:1028
#11 0x00005555559d26c8 in main (argc=3, argv=0x555555e58a60) at /home/alex/php-src/sapi/cli/php_cli.c:1389
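Frames #1 and #2 of the backtrace above show `zval_ptr_dtor` being handed `zval_ptr=0x0` by `sodium_remove_param_values_from_backtrace`. The following is an added illustration, not php-src code and not the committed fix: a self-contained C model of a routine that scrubs argument values from trace frames, with the NULL guard it needs. `frame_t`, `frame_find`, `scrub_args` and the sample trace are constructed for this example, and that a frame can lack an "args" entry is an assumption drawn from the NULL argument in the backtrace.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for a backtrace frame; not php-src types. */
typedef struct { const char *key; char *val; } entry_t;
typedef struct { entry_t slots[4]; size_t used; } frame_t;

/* Like a hash lookup: pointer to the value slot, or NULL if key is absent. */
static char **frame_find(frame_t *f, const char *key) {
    for (size_t i = 0; i < f->used; i++)
        if (strcmp(f->slots[i].key, key) == 0)
            return &f->slots[i].val;
    return NULL;
}

/* Drop the "args" value of every frame; returns how many frames had one. */
size_t scrub_args(frame_t *frames, size_t n) {
    size_t scrubbed = 0;
    for (size_t i = 0; i < n; i++) {
        char **args = frame_find(&frames[i], "args");
        if (args == NULL)      /* no "args" entry: nothing to destroy */
            continue;          /* without this guard, *args dereferences NULL */
        free(*args);
        *args = NULL;          /* leave an empty value behind */
        scrubbed++;
    }
    return scrubbed;
}

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Constructed trace: one frame with args, one without. Returns 1 on success. */
int demo(void) {
    frame_t t[2] = {0};
    t[0].slots[0] = (entry_t){"function", dup_str("sodium_bin2hex")};
    t[0].slots[1] = (entry_t){"args", dup_str("constructed-secret")};
    t[0].used = 2;
    t[1].slots[0] = (entry_t){"function", dup_str("frame_without_args")};
    t[1].used = 1;
    size_t n = scrub_args(t, 2);
    int ok = n == 1 && !*frame_find(&t[0], "args") && !frame_find(&t[1], "args");
    free(t[0].slots[0].val); free(t[1].slots[0].val);
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```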
 [2019-06-06 07:33 UTC] cmb@php.net
-Status: Open
+Status: Verified
 [2019-06-06 07:33 UTC] cmb@php.net
Thanks for reporting!
 [2019-06-06 07:33 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78114: segfault when calling sodium_* functions from eval
On GitHub:  https://github.com/php/php-src/pull/4230
Patch:      https://github.com/php/php-src/pull/4230.patch
 [2019-06-06 08:00 UTC] cmb@php.net
-Summary: Segmentation fault when calling sodium_* functions from eval
+Summary: segfault when calling sodium_* functions from eval
-Assigned To:
+Assigned To: cmb
 [2019-06-06 08:02 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22a3fa0b2e31e33665765bde630bc6c6f0dd475b
Log: Fix #78114: segfault when calling sodium_* functions from eval
 [2019-06-06 08:02 UTC] cmb@php.net
-Status: Verified
+Status: Closed
 
Last updated: Mon Oct 14 08:01:26 2019 UTC