Bug #78114 segfault when calling sodium_* functions from eval
Submitted: 2019-06-05 18:22 UTC
Modified: 2019-06-06 08:00 UTC
From: alex at buayacorp dot com
Assigned: cmb
Status: Closed
Package: Reproducible crash
PHP Version: 7.3.6
OS: Debian Stretch
Private report: No
CVE-ID: None

 [2019-06-05 18:22 UTC] alex at buayacorp dot com
Description:
------------
When calling sodium_* functions that throw exceptions in an `eval` statement, a script running in PHP 7.3 segfaults.

See https://3v4l.org/4BGMP

Test script:
---------------
<?php

eval('sodium_bin2hex();');

Expected result:
----------------
A PHP fatal error

Actual result:
--------------
$ php -r "eval('sodium_bin2hex();');";echo $?
Segmentation fault
139

 [2019-06-05 19:30 UTC] alex at buayacorp dot com
Here's the backtrace with a PHP 7.3 cli compiled with `./configure --disable-all --enable-debug --with-sodium`


alex@atoq-builder:~$ gdb php-src/sapi/cli/php
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
...
Reading symbols from php-src/sapi/cli/php...done.
(gdb) run -r "eval('sodium_bin2hex();');"
Starting program: /home/alex/php-src/sapi/cli/php -r "eval('sodium_bin2hex();');"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555558fc892 in i_zval_ptr_dtor (zval_ptr=0x0, __zend_filename=0x555555afc128 "/home/alex/php-src/Zend/zend_variables.c", __zend_lineno=111) at /home/alex/php-src/Zend/zend_variables.h:41
41		if (Z_REFCOUNTED_P(zval_ptr)) {
(gdb) bt
#0  0x00005555558fc892 in i_zval_ptr_dtor (zval_ptr=0x0, __zend_filename=0x555555afc128 "/home/alex/php-src/Zend/zend_variables.c", __zend_lineno=111) at /home/alex/php-src/Zend/zend_variables.h:41
#1  0x00005555558fcb2b in zval_ptr_dtor (zval_ptr=0x0) at /home/alex/php-src/Zend/zend_variables.c:111
#2  0x0000555555743397 in sodium_remove_param_values_from_backtrace (obj=0x7ffff667c000) at /home/alex/php-src/ext/sodium/libsodium.c:390
#3  0x0000555555748b86 in zif_sodium_bin2hex (execute_data=0x7ffff661e0f0, return_value=0x7fffffffcc60) at /home/alex/php-src/ext/sodium/libsodium.c:2678
#4  0x00005555559624b9 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/alex/php-src/Zend/zend_vm_execute.h:645
#5  0x00005555559c9803 in execute_ex (ex=0x7ffff661e030) at /home/alex/php-src/Zend/zend_vm_execute.h:55461
#6  0x00005555559cee1e in zend_execute (op_array=0x7ffff6678300, return_value=0x7fffffffcf60) at /home/alex/php-src/Zend/zend_vm_execute.h:60881
#7  0x00005555558ea432 in zend_eval_stringl (str=0x555555e58ae0 "eval('sodium_bin2hex();');", str_len=26, retval_ptr=0x0, string_name=0x555555b09bfc "Command line code") at /home/alex/php-src/Zend/zend_execute_API.c:1018
#8  0x00005555558ea5cd in zend_eval_stringl_ex (str=0x555555e58ae0 "eval('sodium_bin2hex();');", str_len=26, retval_ptr=0x0, string_name=0x555555b09bfc "Command line code", handle_exceptions=1) at /home/alex/php-src/Zend/zend_execute_API.c:1059
#9  0x00005555558ea645 in zend_eval_string_ex (str=0x555555e58ae0 "eval('sodium_bin2hex();');", retval_ptr=0x0, string_name=0x555555b09bfc "Command line code", handle_exceptions=1) at /home/alex/php-src/Zend/zend_execute_API.c:1070
#10 0x00005555559d1908 in do_cli (argc=3, argv=0x555555e58a60) at /home/alex/php-src/sapi/cli/php_cli.c:1028
#11 0x00005555559d26c8 in main (argc=3, argv=0x555555e58a60) at /home/alex/php-src/sapi/cli/php_cli.c:1389
 [2019-06-06 07:33 UTC] cmb@php.net
-Status: Open
+Status: Verified
 [2019-06-06 07:33 UTC] cmb@php.net
Thanks for reporting!
 [2019-06-06 07:33 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78114: segfault when calling sodium_* functions from eval
On GitHub:  https://github.com/php/php-src/pull/4230
Patch:      https://github.com/php/php-src/pull/4230.patch
 [2019-06-06 08:00 UTC] cmb@php.net
-Summary: Segmentation fault when calling sodium_* functions from eval
+Summary: segfault when calling sodium_* functions from eval
-Assigned To:
+Assigned To: cmb
 [2019-06-06 08:02 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22a3fa0b2e31e33665765bde630bc6c6f0dd475b
Log: Fix #78114: segfault when calling sodium_* functions from eval
 [2019-06-06 08:02 UTC] cmb@php.net
-Status: Verified
+Status: Closed
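
Added example (not part of the report or of php-src): a POSIX shell check that runs the reporter's one-liner against a PHP CLI and separates the expected fatal error from a signal death such as the status 139 shown above. The function names and the `PHP_BIN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the report or from php-src.

# Map a process exit status to a verdict. A shell reports death by signal N
# as 128+N, so the 139 shown in the report is 128+11 (SIGSEGV).
classify_status() {
    if [ "$1" -eq 255 ]; then
        echo "fatal-error"     # PHP CLI exit status for an uncaught error
    elif [ "$1" -gt 128 ]; then
        echo "crash (signal $(($1 - 128)))"
    elif [ "$1" -eq 0 ]; then
        echo "no-error"
    else
        echo "unexpected ($1)"
    fi
}

# Run the reporter's one-liner against a PHP CLI (first argument, else the
# assumed PHP_BIN variable, else "php") and print the verdict.
check_php() {
    php_bin=${1:-${PHP_BIN:-php}}
    if ! "$php_bin" -v >/dev/null 2>&1; then
        echo "skipped (php not runnable)"
        return 0
    fi
    # Without ext/sodium the call dies as an undefined function, which also
    # exits 255 and would be mistaken for the fixed behaviour.
    if ! "$php_bin" -r 'exit(function_exists("sodium_bin2hex") ? 0 : 3);' \
            >/dev/null 2>&1; then
        echo "skipped (sodium not loaded)"
        return 0
    fi
    status=0
    "$php_bin" -r "eval('sodium_bin2hex();');" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

check_php "$@"
```

A build that still has the bug prints `crash (signal 11)`; one that behaves as the reporter expected prints `fatal-error`.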
 