php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78711 Refreshable PHP crash
Submitted: 2019-10-21 11:55 UTC Modified: 2019-10-21 12:17 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: songmingxuan at cert dot org dot cn
New email:
PHP Version: OS:

 

 [2019-10-21 11:55 UTC] songmingxuan at cert dot org dot cn 
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4 
#php test.php

Test script:
---------------
<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
   ;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
I submitted it very seriously. haha~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x106 
RDX: 0x7fffff7ff0b8 --> 0x0 
RSI: 0x555556bc74fa --> 0x696c61766e49007a ('z')
RDI: 0x1 
RBP: 0x7ffff20be810 --> 0x0 
RSP: 0x7fffff7feff0 
RIP: 0x5555566e5768 (<zend_parse_parameters+8>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x555557176680 --> 0x0 
R9 : 0x7fffff7ff270 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R10: 0x55555718e9f0 --> 0x0 
R11: 0x7fffff7ff2e0 --> 0x7ffff20dedb0 --> 0x600000003 
R12: 0x7fffff7ff280 --> 0x555557199560 --> 0x100000001 
R13: 0x555557176708 --> 0x33f0 
R14: 0x7ffff20be810 --> 0x0 
R15: 0x555557199560 --> 0x100000001
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555566e5758 <zend_parse_parameters_ex+408>:	
    call   0x55555566c000 <__stack_chk_fail@plt>
   0x5555566e575d:	nop    DWORD PTR [rax]
   0x5555566e5760 <zend_parse_parameters>:	lea    rsp,[rsp-0x98]
=> 0x5555566e5768 <zend_parse_parameters+8>:	mov    QWORD PTR [rsp],rdx
   0x5555566e576c <zend_parse_parameters+12>:	mov    QWORD PTR [rsp+0x8],rcx
   0x5555566e5771 <zend_parse_parameters+17>:	mov    QWORD PTR [rsp+0x10],rax
   0x5555566e5776 <zend_parse_parameters+22>:	mov    rcx,0x90bb
   0x5555566e577d <zend_parse_parameters+29>:	
    call   0x5555566f0ff8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7feff0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555566e5768 in zend_parse_parameters (num_args=0x1, 
    type_spec=0x555556bc74fa "z")
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_API.c:1053
1053	{
gdb-peda$

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 12:17 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:17 UTC] cmb@php.net 
Duplicate of bug #78703 again.  I don't think that fuzzing this script will reveal any new information.  Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 05:01:33 2024 UTC