php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78705 Refreshable PHP crash
Submitted: 2019-10-21 05:28 UTC Modified: 2019-10-21 08:02 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 05:28 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {
		unset(
			$¼his->publicProperty,
			$thXs->protectedProperty,
			$this->privateProperty
		);
	}

	function __get($name) {
		echo '__get ' . $nis->$name;
	}

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;
	}

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);
}
}

$test = new Test();

$test->nonExisting;
$test->publicProperty;
$test->protectedProperty;
$test->privateProperty;
isset($test->non);
isset($test->publicProperty);
isset($test->protectedProperty);
isset($test->privateProperty);
$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';

?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RBX: 0x4000 ('')
RCX: 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RDX: 0x6 
RSI: 0x4 
RDI: 0x7ffff2a00040 --> 0x0 
RBP: 0x7ffff2a00040 --> 0x0 
RSP: 0x7fffff7fefe8 
RIP: 0x555556d3f54c (<zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x0 
R9 : 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
R10: 0x7fffec361000 --> 0x600000002 
R11: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R12: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R13: 0x4 
R14: 0x0 
R15: 0x200
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556d3f538 <zend_mm_alloc_pages+2584>:	mov    rdx,QWORD PTR [rsp]
   0x555556d3f53c <zend_mm_alloc_pages+2588>:	lea    rsp,[rsp+0x98]
   0x555556d3f544 <zend_mm_alloc_pages+2596>:	lea    rsp,[rsp-0x98]
=> 0x555556d3f54c <zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx
   0x555556d3f550 <zend_mm_alloc_pages+2608>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556d3f555 <zend_mm_alloc_pages+2613>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556d3f55a <zend_mm_alloc_pages+2618>:	mov    rcx,0x6f69
   0x555556d3f561 <zend_mm_alloc_pages+2625>:	call   0x555556d4fcc8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556d3f54c in zend_mm_alloc_pages (
    heap=<error reading variable: Cannot access memory at address 0x7fffff7feff0>, pages_count=0x4)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_alloc.c:977
977			if (chunk->next == heap->main_chunk) {
gdb-peda$ 


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 08:02 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 08:02 UTC] nikic@php.net
Another magic method recursion stack overflow, this time through __get(), tracked at bug #64196.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC