Bug #78711 Refreshable PHP crash
Submitted: 2019-10-21 11:55 UTC Modified: 2019-10-21 12:17 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 11:55 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4 
#php test.php

Test script:
---------------
<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
   ;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
I submitted it very seriously. haha~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x106 
RDX: 0x7fffff7ff0b8 --> 0x0 
RSI: 0x555556bc74fa --> 0x696c61766e49007a ('z')
RDI: 0x1 
RBP: 0x7ffff20be810 --> 0x0 
RSP: 0x7fffff7feff0 
RIP: 0x5555566e5768 (<zend_parse_parameters+8>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x555557176680 --> 0x0 
R9 : 0x7fffff7ff270 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R10: 0x55555718e9f0 --> 0x0 
R11: 0x7fffff7ff2e0 --> 0x7ffff20dedb0 --> 0x600000003 
R12: 0x7fffff7ff280 --> 0x555557199560 --> 0x100000001 
R13: 0x555557176708 --> 0x33f0 
R14: 0x7ffff20be810 --> 0x0 
R15: 0x555557199560 --> 0x100000001
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555566e5758 <zend_parse_parameters_ex+408>:	call   0x55555566c000 <__stack_chk_fail@plt>
   0x5555566e575d:	nop    DWORD PTR [rax]
   0x5555566e5760 <zend_parse_parameters>:	lea    rsp,[rsp-0x98]
=> 0x5555566e5768 <zend_parse_parameters+8>:	mov    QWORD PTR [rsp],rdx
   0x5555566e576c <zend_parse_parameters+12>:	mov    QWORD PTR [rsp+0x8],rcx
   0x5555566e5771 <zend_parse_parameters+17>:	mov    QWORD PTR [rsp+0x10],rax
   0x5555566e5776 <zend_parse_parameters+22>:	mov    rcx,0x90bb
   0x5555566e577d <zend_parse_parameters+29>:	call   0x5555566f0ff8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7feff0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555566e5768 in zend_parse_parameters (num_args=0x1, 
    type_spec=0x555556bc74fa "z")
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_API.c:1053
1053	{
gdb-peda$ 
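The crash above is an unbounded autoload recursion: the test script calls class_exists() from inside the autoloader with autoloading enabled, so every call schedules another autoload until the C stack is exhausted. As an added example (not code from the report or from PHP itself), here is an autoloader that cannot recurse that way; the depth limit, the src/ file mapping and the "Trait" companion name are assumptions for the demo.

```php
<?php
// Added example, not part of the bug report. The reported script calls
// class_exists() from inside the autoloader with autoloading enabled, so each
// call schedules another autoload and the engine recurses until the C stack is
// exhausted (the SIGSEGV in zend_parse_parameters). Two defences:
//  (1) a depth guard that actually returns once the limit is hit, and
//  (2) probing with class_exists($name, false), which never triggers autoloaders.

const MAX_AUTOLOAD_DEPTH = 10;   // assumed limit for this demo
$depth = 0;

spl_autoload_register(function (string $name) use (&$depth) {
    if ($depth >= MAX_AUTOLOAD_DEPTH) {
        // Bail out instead of recursing further; the outermost class_exists()
        // simply reports false rather than bringing the interpreter down.
        fwrite(STDERR, "autoload depth limit reached while loading $name\n");
        return;
    }
    $depth++;
    try {
        // Hypothetical class-to-file mapping; adjust to the project's layout.
        $file = __DIR__ . '/src/' . str_replace('\\', '/', $name) . '.php';
        if (is_file($file)) {
            require $file;
        }
        // Checking for a related class WITHOUT autoloading (second argument
        // false) cannot re-enter this function, unlike the report's script.
        if (class_exists($name . 'Trait', false)) {
            // optional extra wiring for the companion class would go here
        }
    } finally {
        $depth--;   // always released, even if the required file throws
    }
});

var_dump(class_exists('UndefinedClass0'));
```

The outer call returns false for a class that no file defines; it never re-enters the autoloader, and even a deliberately re-entrant probe would stop at MAX_AUTOLOAD_DEPTH instead of overflowing the stack.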


History

 [2019-10-21 12:17 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:17 UTC] cmb@php.net
Duplicate of bug #78703 again.  I don't think that fuzzing this script will reveal any new information.  Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 05 16:01:30 2024 UTC