php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78182 Segmentation fault during by-reference property assignment
Submitted: 2019-06-19 14:01 UTC Modified: 2019-06-19 14:34 UTC
From: nguyenmanhdung1710 at gmail dot com Assigned:
Status: Closed Package: Testing related
PHP Version: 7.4.0alpha1 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
 [2019-06-19 14:01 UTC] nguyenmanhdung1710 at gmail dot com
Description:
------------
Our fuzzer found a crash (a potential false positive) on php version 3.1.6 (commit b1bdae7621) due to a malformed input.

PoC: https://github.com/strongcourage/PoCs/blob/master/php_v3.1.6_b1bdae7621/PoC

Command: php $POC

Valgrind says:
==25180== Invalid read of size 1
==25180==    at 0x12A5359: zend_object_fetch_property_type_info (zend_execute.c:2572)
==25180==    by 0x12A5359: ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER (zend_vm_execute.h:26956)
==25180==    by 0x12D6428: execute_ex (zend_vm_execute.h:62493)
==25180==    by 0x130F8DB: zend_execute (zend_vm_execute.h:65287)
==25180==    by 0xF374A2: zend_execute_scripts (zend.c:1625)
==25180==    by 0xD08147: php_execute_script (main.c:2650)
==25180==    by 0x131A67C: do_cli (php_cli.c:985)
==25180==    by 0x26F6FC: main (php_cli.c:1375)
==25180==  Address 0x125 is not stack'd, malloc'd or (recently) free'd

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==11961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000124 (pc 0x5654a71320f8 bp 0x7ffc1c9e4470 sp 0x7ffc1c9e4460 T0)
==11961==The signal is caused by a READ memory access.
==11961==Hint: address points to the zero page.
    #0 0x5654a71320f7 in zend_object_fetch_property_type_info /home/dungnm/fuzzing/php-7.3.6/Zend/zend_execute.c:2572
    #1 0x5654a7293da3 in ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:26956
    #2 0x5654a741388d in execute_ex /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:62493
    #3 0x5654a742a6f5 in zend_execute /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:65287
    #4 0x5654a6fab1e2 in zend_execute_scripts /home/dungnm/fuzzing/php-7.3.6/Zend/zend.c:1625
    #5 0x5654a6e04ee1 in php_execute_script /home/dungnm/fuzzing/php-7.3.6/main/main.c:2650
    #6 0x5654a7433157 in do_cli /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:985
    #7 0x5654a74358aa in main /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:1375
    #8 0x7f4efe1a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5654a6513369 in _start (/home/dungnm/fuzzing/php-7.3.6/obj-asan/sapi/cli/php+0x341369)

Thanks,
Manh Dung



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-19 14:12 UTC] danack@php.net
"php version 3.1.6"

That version of PHP is 'slightly' out of date. Can you confirm you really meant 7.3.6?
 [2019-06-19 14:17 UTC] nikic@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.6 +PHP Version: 7.4.0alpha1
 [2019-06-19 14:17 UTC] nikic@php.net
Based on the trace this has to be on 7.4 or master. I can confirm the segfault on 7.4.
 [2019-06-19 14:22 UTC] nikic@php.net
Cleaned up repro:

<?php
$varName = 'var';
$propName = 'prop'; 
$$varName->$propName =& $$varName;
 [2019-06-19 14:34 UTC] nikic@php.net
-Summary: Segmentation Fault in zend_execute.c:2572 +Summary: Segmentation fault during by-reference property assignment
 [2019-06-19 14:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=268b5fec8e42e82dce398b86a4970ad8875978d3
Log: Fixed bug #78182
 [2019-06-19 14:36 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 05:01:26 2019 UTC