php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78705 Refreshable PHP crash
Submitted: 2019-10-21 05:28 UTC Modified: 2019-10-21 08:02 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: songmingxuan at cert dot org dot cn
New email:
PHP Version: OS:

 

 [2019-10-21 05:28 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#php test.php

crash.

Test script:
---------------
test.php

<?php
class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {
		unset(
			$¼his->publicProperty,
			$thXs->protectedProperty,
			$this->privateProperty
		);
	}

	function __get($name) {
		echo '__get ' . $nis->$name;
	}

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;
	}

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);
}
}

$test = new Test();

$test->nonExisting;
$test->publicProperty;
$test->protectedProperty;
$test->privateProperty;
isset($test->non);
isset($test->publicProperty);
isset($test->protectedProperty);
isset($test->privateProperty);
$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';

?>


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RBX: 0x4000 ('')
RCX: 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RDX: 0x6 
RSI: 0x4 
RDI: 0x7ffff2a00040 --> 0x0 
RBP: 0x7ffff2a00040 --> 0x0 
RSP: 0x7fffff7fefe8 
RIP: 0x555556d3f54c (<zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x0 
R9 : 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
R10: 0x7fffec361000 --> 0x600000002 
R11: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R12: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R13: 0x4 
R14: 0x0 
R15: 0x200
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556d3f538 <zend_mm_alloc_pages+2584>:	mov    rdx,QWORD PTR [rsp]
   0x555556d3f53c <zend_mm_alloc_pages+2588>:	lea    rsp,[rsp+0x98]
   0x555556d3f544 <zend_mm_alloc_pages+2596>:	lea    rsp,[rsp-0x98]
=> 0x555556d3f54c <zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx
   0x555556d3f550 <zend_mm_alloc_pages+2608>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556d3f555 <zend_mm_alloc_pages+2613>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556d3f55a <zend_mm_alloc_pages+2618>:	mov    rcx,0x6f69
   0x555556d3f561 <zend_mm_alloc_pages+2625>:	call   0x555556d4fcc8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556d3f54c in zend_mm_alloc_pages (
    heap=<error reading variable: Cannot access memory at address 0x7fffff7feff0>, pages_count=0x4)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_alloc.c:977
977			if (chunk->next == heap->main_chunk) {
gdb-peda$ 


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 08:02 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-10-21 08:02 UTC] nikic@php.net
Another magic method recursion stack overflow, this time through __get(), tracked at bug #64196.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 16:01:26 2024 UTC