php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78644 SEGFAULT in ZEND_UNSET_OBJ_SPEC_VAR_CONST_HANDLER
Submitted: 2019-10-08 12:07 UTC Modified: 2019-10-08 12:22 UTC
From: leigh@php.net Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2019-10-08 (Git) OS: Linux
Private report: No CVE-ID: None
 [2019-10-08 12:07 UTC] leigh@php.net
Description:
------------
Present in PHP-7.4 / master branches but not PHP-7.3 branch. Compiled with `--disable-all`. Found using AFL.

I'm not sure what is going on here, removing the unused property or the body of the insert() method in the test script cause execution to pass successfully.

Test script:
---------------
<?php

class Node {
	public $t;
	
	function insert() {
		$p = $this;
	}
	
	function __destruct() {
		unset($this->a->b->c);
	}
}

$a = new Node;
$b = new Node;
$a->insert();
unset($a);
unset($b);


Expected result:
----------------
Exit code 0

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
ZEND_UNSET_OBJ_SPEC_VAR_CONST_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:23985
23985                   Z_OBJ_HT_P(container)->unset_property(Z_OBJ_P(container), name, ((IS_CONST == IS_CONST) ? CACHE_ADDR(opline->extended_value) : NULL));                               
(gdb) bt
#0  ZEND_UNSET_OBJ_SPEC_VAR_CONST_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:23985
#1  0x0000555555b30c55 in execute_ex (ex=0x7ffff7a14100) at /home/leigh/php-src/Zend/zend_vm_execute.h:56166                                                                                 
#2  0x0000555555a49e36 in zend_call_function (fci=0x7fffffffa2c0, fci_cache=0x7fffffffa2a0) at /home/leigh/php-src/Zend/zend_execute_API.c:784                                               
#3  0x0000555555aac838 in zend_objects_destroy_object (object=0x7ffff7a588a0) at /home/leigh/php-src/Zend/zend_objects.c:179                                                                 
#4  0x0000555555ab3902 in zend_objects_store_del (object=0x7ffff7a588a0) at /home/leigh/php-src/Zend/zend_objects_API.c:178                                                                  
#5  0x0000555555a5bddf in rc_dtor_func (p=0x7ffff7a588a0) at /home/leigh/php-src/Zend/zend_variables.c:57                                                                                    
#6  0x0000555555b26913 in ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:46565                                                                        
#7  0x0000555555b324bc in execute_ex (ex=0x7ffff7a14020) at /home/leigh/php-src/Zend/zend_vm_execute.h:57691                                                                                 
#8  0x0000555555b329e1 in zend_execute (op_array=0x7ffff7a84300, return_value=0x0) at /home/leigh/php-src/Zend/zend_vm_execute.h:58019                                                       
#9  0x0000555555a5ffb5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/leigh/php-src/Zend/zend.c:1643                                                                    
#10 0x00005555559cce5b in php_execute_script (primary_file=0x7fffffffcaf0) at /home/leigh/php-src/main/main.c:2585                                                                           
#11 0x0000555555b352a0 in do_cli (argc=2, argv=0x555556175860) at /home/leigh/php-src/sapi/cli/php_cli.c:959                                                                                 
#12 0x0000555555b3634c in main (argc=2, argv=0x555556175860) at /home/leigh/php-src/sapi/cli/php_cli.c:1350 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-08 12:16 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-10-08 12:16 UTC] nikic@php.net
Asan:

==23853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001e980 at pc 0x5592a7d0f0da bp 0x7ffd6c27de30 sp 0x7ffd6c27de20
READ of size 4 at 0x60600001e980 thread T0
    #0 0x5592a7d0f0d9 in zend_gc_delref /home/nikic/php-7.4/Zend/zend_types.h:1035
    #1 0x5592a7d1024d in zend_objects_store_del /home/nikic/php-7.4/Zend/zend_objects_API.c:179
    #2 0x5592a7c34cff in rc_dtor_func /home/nikic/php-7.4/Zend/zend_variables.c:57
    #3 0x5592a7e68bc8 in ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:46242
    #4 0x5592a7e893e9 in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:57309
    #5 0x5592a7e8a321 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #6 0x5592a7c3ec62 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #7 0x5592a7ae8b34 in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #8 0x5592a7e9085d in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #9 0x5592a7e92947 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #10 0x7fe3939a7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5592a6d2e709 in _start (/home/nikic/php-7.4/sapi/cli/php+0x546709)

0x60600001e980 is located 0 bytes inside of 56-byte region [0x60600001e980,0x60600001e9b8)
freed by thread T0 here:
    #0 0x7fe398f09b40 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb40)
    #1 0x5592a7bae66e in _efree_custom /home/nikic/php-7.4/Zend/zend_alloc.c:2425
    #2 0x5592a7bae88a in _efree /home/nikic/php-7.4/Zend/zend_alloc.c:2545
    #3 0x5592a7d105e1 in zend_objects_store_del /home/nikic/php-7.4/Zend/zend_objects_API.c:197
    #4 0x5592a7cfb8f8 in zend_object_release /home/nikic/php-7.4/Zend/zend_objects_API.h:75
    #5 0x5592a7cfcc07 in zend_objects_destroy_object /home/nikic/php-7.4/Zend/zend_objects.c:189
    #6 0x5592a7d10241 in zend_objects_store_del /home/nikic/php-7.4/Zend/zend_objects_API.c:178
    #7 0x5592a7c34cff in rc_dtor_func /home/nikic/php-7.4/Zend/zend_variables.c:57
    #8 0x5592a7e68bc8 in ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:46242
    #9 0x5592a7e893e9 in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:57309
    #10 0x5592a7e8a321 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #11 0x5592a7c3ec62 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #12 0x5592a7ae8b34 in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #13 0x5592a7e9085d in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #14 0x5592a7e92947 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #15 0x7fe3939a7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7fe398f09f00 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf00)
    #1 0x5592a7bb079d in __zend_malloc /home/nikic/php-7.4/Zend/zend_alloc.c:2975
    #2 0x5592a7bae58e in _malloc_custom /home/nikic/php-7.4/Zend/zend_alloc.c:2416
    #3 0x5592a7bae7df in _emalloc /home/nikic/php-7.4/Zend/zend_alloc.c:2535
    #4 0x5592a7cfcd21 in zend_objects_new /home/nikic/php-7.4/Zend/zend_objects.c:196
    #5 0x5592a7c4ed9d in _object_and_properties_init /home/nikic/php-7.4/Zend/zend_API.c:1397
    #6 0x5592a7c4ef52 in object_init_ex /home/nikic/php-7.4/Zend/zend_API.c:1420
    #7 0x5592a7d81aeb in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:9211
    #8 0x5592a7e80456 in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:54307
    #9 0x5592a7e8a321 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #10 0x5592a7c3ec62 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #11 0x5592a7ae8b34 in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #12 0x5592a7e9085d in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #13 0x5592a7e92947 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #14 0x7fe3939a7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
 [2019-10-08 12:22 UTC] nikic@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-10-08 12:22 UTC] nikic@php.net
Reduced test case under asan:

<?php
$a = new stdClass; 
unset($a->b->c->d);

==24779==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5616c8a3fc89 bp 0x7fffa8ce7aa0 sp 0x7fffa8ce7a90 T0)
==24779==The signal is caused by a READ memory access.
==24779==Hint: address points to the zero page.
    #0 0x5616c8a3fc88 in zend_gc_delref /home/nikic/php-7.4/Zend/zend_types.h:1035
    #1 0x5616c8a3ffda in zval_delref_p /home/nikic/php-7.4/Zend/zend_types.h:1071
    #2 0x5616c8a40e88 in zval_ptr_dtor_nogc /home/nikic/php-7.4/Zend/zend_variables.h:34
    #3 0x5616c8b024da in ZEND_UNSET_OBJ_SPEC_VAR_CONST_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:24097
    #4 0x5616c8b9bab0 in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:55783
    #5 0x5616c8ba1321 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #6 0x5616c8955c62 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #7 0x5616c87ffb34 in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #8 0x5616c8ba785d in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #9 0x5616c8ba9947 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #10 0x7f2b8a9dfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5616c7a45709 in _start (/home/nikic/php-7.4/sapi/cli/php+0x546709)
 [2019-10-08 12:33 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad3ddf46f9f5c97c43f04612bb448fcd109e2926
Log: Fixed bug #78644
 [2019-10-08 12:33 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 04:01:25 2019 UTC