Bug #78703 Refreshable PHP crash
Submitted: 2019-10-21 05:21 UTC Modified: 2019-10-21 07:59 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 05:21 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      // No return here: the autoloader keeps recursing past the limit,
      // so every call below triggers yet another nested autoload.
  }

  // Each nested class_exists() on an undefined name re-enters this autoloader.
  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

Invalid $SP address: 0x7fffff7fefc8
Stopped reason: SIGSEGV
0x0000555556dc9e7c in zend_call_function (fci=0x7fffff7ff180, fci_cache=0x7fffff7ff160)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_execute_API.c:611
611		if (!EG(active)) {
gdb-peda$ 
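The crash above comes from an autoloader that re-enters itself without bound until the stack is exhausted. As an added example (not code from the report or from PHP itself), the wrapper below bounds autoload nesting depth from user land, so a re-entrant loader bails out cleanly instead of recursing until SIGSEGV; the `guarded_autoloader` name and the depth limit are this example's own choices.

```php
<?php
// Added example: wrap any autoloader in a nesting-depth guard.
// $maxDepth is an assumed limit; pick one suited to the code base.
function guarded_autoloader(callable $loader, int $maxDepth = 16): callable
{
    $depth = 0;
    return function (string $name) use ($loader, $maxDepth, &$depth): void {
        if ($depth >= $maxDepth) {
            // Stop recursing: class_exists()/new simply see the class as missing,
            // and the warning makes the runaway loader visible in logs.
            trigger_error(
                "autoload nesting limit ($maxDepth) reached while loading $name",
                E_USER_WARNING
            );
            return;
        }
        $depth++;
        try {
            $loader($name);
        } finally {
            $depth--; // unwind the counter even if the loader throws
        }
    };
}

// A loader that mirrors the report's pattern: every lookup of an undefined
// class triggers another lookup with a fresh name (constructed, never defined).
$i = 0;
spl_autoload_register(guarded_autoloader(function (string $name) use (&$i): void {
    $i++;
    class_exists('UndefinedClass' . $i);
}, 10));

var_dump(class_exists('UndefinedClass0'));
```

With the guard in place the nested lookups stop at the configured depth and the outer `class_exists()` returns `false` with a warning, rather than the process dying on an exhausted stack.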


History

 [2019-10-21 07:58 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 07:58 UTC] nikic@php.net
This is essentially the same test case as bug #78703, which has the same root cause as #64196.
 [2019-10-21 07:59 UTC] nikic@php.net
Sorry, I meant bug #78702 in the first reference.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 05 15:01:31 2024 UTC