php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78709 Refreshable PHP crash
Submitted: 2019-10-21 11:47 UTC Modified: 2019-10-21 12:20 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 11:47 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4
#php test.php

crash.

Test script:
---------------
test.php

<?php
class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {
		unset(
			$¼his->publicProperty,
			$thXs->protectedProperty,
			$this->privateProperty
		);
	}

	function __get($name) {
		echo '__get ' . $nis->$name;
	}

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;
	}

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);
}
}

$test = new Test();

$test->nonExisting;
$test->publicProperty;
$test->protectedProperty;
$test->privateProperty;
isset($test->non);
isset($test->publicProperty);
isset($test->protectedProperty);
isset($test->privateProperty);
$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';

?>


Expected result:
----------------
no crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RCX: 0x8 
RDX: 0x6 
RSI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RDI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RBP: 0x0 
RSP: 0x7fffff7fef98 
RIP: 0x555556686294 (<concat_function+132>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R9 : 0x7ffff2e07610 --> 0x0 
R10: 0x7fffed2ac700 --> 0x55555719d7a0 --> 0x1c600000001 
R11: 0x7fffff7ff330 --> 0x55555719d7a0 --> 0x1c600000001 
R12: 0x7ffff2e5fb00 --> 0x55555719a460 --> 0x1c600000001 
R13: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
R14: 0x7fffed2ac6a0 --> 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
R15: 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556686283 <concat_function+115>:	cmp    dl,0x6
   0x555556686286 <concat_function+118>:	
    jne    0x555556686bb0 <concat_function+2464>
   0x55555668628c <concat_function+124>:	lea    rsp,[rsp-0x98]
=> 0x555556686294 <concat_function+132>:	mov    QWORD PTR [rsp],rdx
   0x555556686298 <concat_function+136>:	mov    QWORD PTR [rsp+0x8],rcx
   0x55555668629d <concat_function+141>:	mov    QWORD PTR [rsp+0x10],rax
   0x5555566862a2 <concat_function+146>:	mov    rcx,0x6ba2
   0x5555566862a9 <concat_function+153>:	
    call   0x5555566a6600 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef98
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556686294 in concat_function (result=0x7fffed2ac6f0, 
    op1=0x7fffed2ac6f0, op2=0x7ffff2e5fb00)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_types.h:442
442		return pz->u1.v.type;
gdb-peda$ 


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 12:20 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:20 UTC] cmb@php.net
Duplicate of bug #78705.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 17:01:25 2024 UTC