Bug #78646 SEGFAULT in zend_hash_find_bucket
Submitted: 2019-10-08 12:17 UTC Modified: 2019-10-08 12:36 UTC
From: leigh@php.net Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2019-10-08 (Git) OS: Linux
Private report: No CVE-ID: None
 [2019-10-08 12:17 UTC] leigh@php.net
Description:
------------
Present in PHP-7.4 / master branches but not PHP-7.3 branch. Compiled with `--disable-all`. Found using AFL.

This one triggers the assertion: ht=0x5058780 is already destroyed

Not sure if that indicates a potential UAF or not, raising as secbug just in case.

Test script:
---------------
<?php

class T {
	public $v = [];

	function __get($var) {
		if(isset($this->v[$var])) return $t->v[$var];
	}

	function __unset($var) {
		unset($d->v[$var]);
	}
}

$o = new T;

$o->v['v'] = 1;
$o->r;
unset($o->r);
$o->{'VirtY^l'.(3)};


Expected result:
----------------
Exit code 0

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_hash_find_bucket (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:637
637             if (EXPECTED(p->key == key)) { /* check for the same interned string */
(gdb) bt
#0  zend_hash_find_bucket (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:637
#1  zend_hash_find (ht=ht@entry=0x7ffff7a55380, key=key@entry=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:2220
#2  0x000055555599fdd1 in zend_hash_find_ex (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373
#3  zend_hash_find_ex_ind (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373
#4  ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_TMPVAR_CV_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:17555
#5  0x00005555559bdc33 in execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:55576
#6  0x00005555559361f9 in zend_call_function (fci=fci@entry=0x7fffffffa3c0, fci_cache=0x7ffff7a5bb80, fci_cache@entry=0x7fffffffa3a0) at /home/leigh/php-src/Zend/zend_execute_API.c:784
#7  0x00005555559735db in zend_std_call_getter (zobj=zobj@entry=0x7ffff7a78050, prop_name=prop_name@entry=0x7ffff7a02870, retval=retval@entry=0x7ffff7a130e0)
    at /home/leigh/php-src/Zend/zend_object_handlers.c:208
#8  0x0000555555974cdb in zend_std_read_property (zobj=0x7ffff7a78050, name=0x7ffff7a02870, type=0, cache_slot=<optimised out>, rv=<optimised out>)
    at /home/leigh/php-src/Zend/zend_object_handlers.c:744
#9  0x00005555559c145a in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_INLINE_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:39586
#10 execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:57255
#11 0x00005555559c4f4d in zend_execute (op_array=0x7ffff7a802a0, return_value=<optimised out>) at /home/leigh/php-src/Zend/zend_vm_execute.h:58019
#12 0x00005555559437b1 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff7a6d120, retval@entry=0x0, file_count=file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1643
#13 0x00005555558e5780 in php_execute_script (primary_file=<optimised out>) at /home/leigh/php-src/main/main.c:2585
#14 0x00005555559c6f6c in do_cli (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:959
#15 0x000055555577e78d in main (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:1350

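The gdb backtrace above is the main artifact to triage in this report. As an added example (not code from the report, from php-src or from the bug tracker), the following Python parses gdb `bt` output, including the indented continuation lines gdb wraps the `at file:line` part onto in frames #7 and #8, into structured frames, so that the crash site, the `ht` argument across the inlined zend_hash frames, and the fact that the fault is reached through a `__get` handler (the `zend_std_call_getter` frame) can be read off programmatically. The sample input is the backtrace from this report; all function and class names in the block are assumptions made for the example.

```python
"""Structured parsing of a gdb `bt` backtrace for crash triage.
Added example for this report; not part of php-src. Helper names are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Backtrace copied from the report above. Frames #7 and #8 have their
# "at file:line" part wrapped onto an indented continuation line, as gdb does.
SAMPLE_BACKTRACE = r"""(gdb) bt
#0  zend_hash_find_bucket (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:637
#1  zend_hash_find (ht=ht@entry=0x7ffff7a55380, key=key@entry=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:2220
#2  0x000055555599fdd1 in zend_hash_find_ex (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373
#3  zend_hash_find_ex_ind (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373
#4  ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_TMPVAR_CV_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:17555
#5  0x00005555559bdc33 in execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:55576
#6  0x00005555559361f9 in zend_call_function (fci=fci@entry=0x7fffffffa3c0, fci_cache=0x7ffff7a5bb80, fci_cache@entry=0x7fffffffa3a0) at /home/leigh/php-src/Zend/zend_execute_API.c:784
#7  0x00005555559735db in zend_std_call_getter (zobj=zobj@entry=0x7ffff7a78050, prop_name=prop_name@entry=0x7ffff7a02870, retval=retval@entry=0x7ffff7a130e0)
    at /home/leigh/php-src/Zend/zend_object_handlers.c:208
#8  0x0000555555974cdb in zend_std_read_property (zobj=0x7ffff7a78050, name=0x7ffff7a02870, type=0, cache_slot=<optimised out>, rv=<optimised out>)
    at /home/leigh/php-src/Zend/zend_object_handlers.c:744
#9  0x00005555559c145a in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_INLINE_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:39586
#10 execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:57255
#11 0x00005555559c4f4d in zend_execute (op_array=0x7ffff7a802a0, return_value=<optimised out>) at /home/leigh/php-src/Zend/zend_vm_execute.h:58019
#12 0x00005555559437b1 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff7a6d120, retval@entry=0x0, file_count=file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1643
#13 0x00005555558e5780 in php_execute_script (primary_file=<optimised out>) at /home/leigh/php-src/main/main.c:2585
#14 0x00005555559c6f6c in do_cli (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:959
#15 0x000055555577e78d in main (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:1350
"""

# One gdb frame: "#N  [0xADDR in ]func (args) at file:line"; the PC is absent
# for inlined frames (e.g. #0, #1, #3), so the address group is optional.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+) in )?"
    r"(?P<func>\S+)\s*\((?P<args>.*)\)\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)

@dataclass
class Frame:
    number: int
    function: str
    file: str
    line: int
    address: Optional[str] = None  # None for frames gdb prints without a PC
    args: Dict[str, str] = field(default_factory=dict)

def _join_wrapped_lines(text: str) -> List[str]:
    """Reattach gdb's indented continuation lines to the frame they belong to."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            lines.append(raw.rstrip())
        elif raw[:1].isspace() and raw.strip() and lines:
            lines[-1] += " " + raw.strip()
        # anything else ("(gdb) bt", blank lines) is not part of a frame
    return lines

def _parse_args(arg_text: str) -> Dict[str, str]:
    """Turn "a=1, b=b@entry=2" into {"a": "1", "b": "2"}."""
    args: Dict[str, str] = {}
    for item in arg_text.split(", "):
        name, sep, value = item.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        entry_prefix = name + "@entry="
        if value.startswith(entry_prefix):  # "ht=ht@entry=0x..." -> "0x..."
            value = value[len(entry_prefix):]
        args[name] = value
    return args

def parse_backtrace(text: str) -> List[Frame]:
    """Parse `bt` output; frames without source info (e.g. `?? ()`) are skipped."""
    frames: List[Frame] = []
    for line in _join_wrapped_lines(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(number=int(m["num"]), function=m["func"],
                            file=m["file"], line=int(m["line"]),
                            address=m["addr"], args=_parse_args(m["args"])))
    return sorted(frames, key=lambda f: f.number)

def argument_history(frames: List[Frame], name: str) -> List[Tuple[int, str]]:
    """Value of argument `name` in every frame that shows it, innermost first."""
    return [(f.number, f.args[name]) for f in frames if name in f.args]

def magic_method_entry(frames: List[Frame]) -> Optional[str]:
    """The zend_std_call_* frame (PHP magic-method dispatch) on the stack, if
    the fault was reached through a __get/__set/__unset handler; else None."""
    for f in frames:
        if f.function.startswith("zend_std_call_"):
            return f.function
    return None

if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    print(f"crash in {frames[0].function} at {frames[0].file}:{frames[0].line}")
    print("ht across zend_hash frames:", argument_history(frames, "ht"))
    print("reached via:", magic_method_entry(frames))
```

Running the block prints the crash site from frame #0, the `ht` value as reported in frames #0 to #3, and `zend_std_call_getter` as the magic-method entry point. Note that `argument_history` only reports what gdb printed; in inlined frames such as #0 the displayed argument values are not always reliable, so a differing `ht` between #0 and #1 is a prompt to check under a debug or ASan build, not a conclusion by itself.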
Patches

Pull Requests

History

 [2019-10-08 12:25 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-10-08 12:25 UTC] cmb@php.net
> but not PHP-7.3 branch

So no sec issue. :)
 [2019-10-08 12:36 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-08 12:36 UTC] nikic@php.net
This has the same root cause as bug #78644, which is now fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 07:01:26 2024 UTC