Bug #78703 Refreshable PHP crash
Submitted: 2019-10-21 05:21 UTC Modified: 2019-10-21 07:59 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 05:21 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
// Autoloader that re-enters itself: every invocation looks up a new, still
// undefined class name, which triggers the autoloader again.
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      ;   // empty statement only: no return here, so the recursion never stops
  }

  // Fresh name on every call, so this always re-enters the autoloader.
  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fd4878 --> 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RBX: 0x0 
RCX: 0x555557808600 --> 0x0 
RDX: 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RSI: 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RDI: 0x7fffff7ff180 --> 0x38 ('8')
RBP: 0x7fffff7ff180 --> 0x38 ('8')
RSP: 0x7fffff7fefc8 
RIP: 0x555556dc9e7c (<zend_call_function+172>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555785a7b0 --> 0x10000000001 
R9 : 0x48 ('H')
R10: 0x555557808600 --> 0x0 
R11: 0x555557808600 --> 0x0 
R12: 0x7fffff7ff160 --> 0x55555785a7b0 --> 0x10000000001 
R13: 0x5555577f02c8 --> 0x9 ('\t')
R14: 0x7fffff7ff1c0 --> 0x7ffff1d23000 --> 0x600000002 
R15: 0x5555577f02c8 --> 0x9 ('\t')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556dc9e67 <zend_call_function+151>:	cmp    BYTE PTR [rcx+0x3e0],0x0
   0x555556dc9e6e <zend_call_function+158>:	je     0x555556dca92c <zend_call_function+2908>
   0x555556dc9e74 <zend_call_function+164>:	lea    rsp,[rsp-0x98]
=> 0x555556dc9e7c <zend_call_function+172>:	mov    QWORD PTR [rsp],rdx
   0x555556dc9e80 <zend_call_function+176>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556dc9e85 <zend_call_function+181>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556dc9e8a <zend_call_function+186>:	mov    rcx,0xd8ba
   0x555556dc9e91 <zend_call_function+193>:	call   0x555556dd77b8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefc8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556dc9e7c in zend_call_function (fci=0x7fffff7ff180, fci_cache=0x7fffff7ff160)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_execute_API.c:611
611		if (!EG(active)) {
gdb-peda$ 
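The test script above recurses without bound because the `if` body only prints; the counter reaches 10 but nothing stops the nested `class_exists()` calls, each of which asks for a new undefined class name and so re-enters the autoloader until the C stack behind `zend_call_function` is exhausted. The script below is an added example, not the reporter's test script or PHP's own code: it keeps the same autoloader shape but restores a depth guard that returns once the nesting limit is reached. The limit `MAX_AUTOLOAD_DEPTH`, the function name `guarded_autoload` and the depth bookkeeping are assumptions chosen for the demonstration.

```php
<?php
// Added example (not the reporter's test script): the same re-entering
// autoloader, but with a depth guard so the nested class_exists() calls
// terminate instead of recursing until the process segfaults.

const MAX_AUTOLOAD_DEPTH = 10;   // constructed limit for this demo

function guarded_autoload(string $name): void
{
    static $depth = 0;           // how many autoload calls are currently nested

    echo "IN:  autoload($name) depth=$depth\n";

    // This early return is exactly what the crashing script lacks: its guard
    // prints a message and then falls through into another nested lookup.
    if ($depth >= MAX_AUTOLOAD_DEPTH) {
        echo "-> Recursion limit reached, returning without further lookups.\n";
        return;
    }

    $depth++;
    try {
        // Same pattern as the test script: a fresh, undefined name on every
        // call, so this re-enters guarded_autoload() one level deeper.
        class_exists('UndefinedClass' . $depth);
    } finally {
        // Unwind the counter even if a nested lookup throws, so a later
        // autoload request starts from the correct depth.
        $depth--;
    }

    echo "OUT: autoload($name)\n";
}

spl_autoload_register('guarded_autoload');

// In the crashing script this call never returns; here the nesting stops at
// MAX_AUTOLOAD_DEPTH, every level unwinds, and class_exists() reports that the
// class is still undefined.
var_dump(class_exists('UndefinedClass0'));
```

Run with `php guarded_autoload.php`: the trace shows eleven `IN:` lines with increasing depth, the limit message, the matching `OUT:` lines in reverse order, and finally the `bool(false)` from the outer lookup. The interpreter never hits the stack overflow because the recursion is bounded in PHP code rather than left for the engine to detect.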


 [2019-10-21 07:58 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 07:58 UTC] nikic@php.net
This is essentially the same test case as bug #78703, which has the same root cause as #64196.
 [2019-10-21 07:59 UTC] nikic@php.net
Sorry, I meant bug #78702 in the first reference.