Bug #78712 Refreshable PHP crash
Submitted: 2019-10-21 11:57 UTC Modified: 2019-10-21 12:19 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 11:57 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4 
#php test.php

crash.

Test script:
---------------
<?php

class ArrayAccessReferenceProxy implements ArrayAccess
{
	private $object;
	private $oarray;
	private $element;

	function __construct(ArrayAccess $object, array &$array, $element)
	{
		echo __METHOD__ . "($element)Ln";
		$this->object = $object;
		$this->oarray = &$array;
		$this->element = $element;
	}

	function offsetExists($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		return array_key_exists($index, $this->oarray[$this->element]);
	}

	function offsetGet($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		return isset($this->oarray[$this->element][$index]) ? $this[$index] : NULL;
	}

	function offsetSet($index, $value) {
		echo __METHOD__ . "($this->element, $index, $value)\n";
		$this->oarray[$this->element][$index] = $value;
	}

	function offsetUnset($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		unset($this->oarray[$tement][$index]);
	}
}

class Peoples implements ArrayAccess
{
	public $person;

	function __construct()
	{
		$this->person = array(array('name'=>'Foo'));
	}

	function offsetExists($index)
	{
		return array_key_exists($index, $this->person);
	}

	function offsetGet($index)
	{
	 if (is_array($this->person[$index]))
		{
			return new ArrayAccessReferenceProxy($this, $this->person, $index);
		}
		else
		{
			return $this->person[$index];
		}
	}

	function offsetSet($index, $value)
	{
		$this->person[$index] = $value;
	}

	function offsetUnset($index)
	{
		unset($this->person[$index]);
	}
}

$people = new Peoples;

var_dump($people->perdon[0]['name']);
$people->person[0]['name'] = $people->person[0]['name'] . 'Bar';
var_dump($people->person[0]['name']);
$people->person[0]['name'] .= 'Baz';
var_dump($people->person[0]['name']);

echo "===ArrayOverloading===\n";

$people = new Peoples;

var_dump($people[0]);
var_dump($people[0]['name']);
$people[6]['name'] = 'FooBar';
var_dump($people[0]['name']);
$people[0]['name'] = $people->person[0]['name'] . 'Bar';
var_dump($people[0]['name']);
$people[]['name'] .= 'Baz';
var_dump($people[0]['name']);
unset($people[0]['name']);
var_dump($people[0]);
var_dump($people[0]['name']);
$people[0]['name'] = 'BlaBla';
var_dump($people[0]['name']);

?>


Expected result:
----------------
I submitted it very seriously. haha~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x2020001 
RCX: 0x7ffff2e94000 --> 0x5555569afd0f (<execute_ex+89823>:	nop)
RDX: 0x33f0 
RSI: 0x555557176678 --> 0x555556999e30 (<execute_ex>:	lea    rsp,[rsp-0x98])
RDI: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>:	lea    rsp,[rsp-0x98])
RBP: 0x0 
RSP: 0x7fffff7fefe8 
RIP: 0x555556999ea4 (<execute_ex+116>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R9 : 0x7ffff2e07e30 --> 0x7ffff2e07018 --> 0x647261646e617402 
R10: 0x7ffff2350c30 --> 0x55555719dc20 --> 0x1c600000001 
R11: 0x7fffff7ff280 --> 0x55555719dc20 --> 0x1c600000001 
R12: 0x7fffff7ff220 --> 0x7ffff2e07428 --> 0x202000100000002 
R13: 0x555557176708 --> 0x33f0 
R14: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>:	lea    rsp,[rsp-0x98])
R15: 0x7ffff2e07428 --> 0x202000100000002
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556999e95 <execute_ex+101>:	je     0x5555569bf662 <execute_ex+153650>
   0x555556999e9b <execute_ex+107>:	nop
   0x555556999e9c <execute_ex+108>:	lea    rsp,[rsp-0x98]
=> 0x555556999ea4 <execute_ex+116>:	mov    QWORD PTR [rsp],rdx
   0x555556999ea8 <execute_ex+120>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556999ead <execute_ex+125>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556999eb2 <execute_ex+130>:	mov    rcx,0x962d
   0x555556999eb9 <execute_ex+137>:	call   0x5555569e4e10 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556999ea4 in execute_ex (ex=0x7ffff2350be0)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_vm_execute.h:50043
50043		if (UNEXPECTED(execute_data == NULL)) {
gdb-peda$ 
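The crash site in the report is the prologue of execute_ex (`lea rsp,[rsp-0x98]` followed by a store through rsp) with gdb reporting an invalid $SP, which is what unbounded recursion looks like once the interpreter runs out of native stack: in the test script, ArrayAccessReferenceProxy::offsetGet returns `$this[$index]`, and indexing `$this` on an ArrayAccess object calls offsetGet again, so `$people[0]['name']` never terminates. The following is an added example, not code from the bug report or from PHP itself: a proxy in the same shape that reads its backing array directly and additionally refuses to be re-entered, so the same mistake in a subclass becomes a catchable exception instead of a SIGSEGV. The class names, the `fetch()` hook and the `$depth` counter are assumptions of this example.

```php
<?php
// Added example (not from the bug report): an ArrayAccess proxy over one
// element of a referenced array that never re-enters its own offsetGet.

class SafeArrayAccessReferenceProxy implements ArrayAccess
{
    private $oarray;          // reference to the caller's backing array
    private $element;         // key of the sub-array this proxy exposes
    private $depth = 0;       // re-entrancy counter (assumed helper)

    function __construct(array &$array, $element)
    {
        $this->oarray = &$array;
        $this->element = $element;
    }

    function offsetExists($index)
    {
        return isset($this->oarray[$this->element][$index]);
    }

    function offsetGet($index)
    {
        // A nested call can only come from fetch() indexing $this again,
        // which is exactly the unbounded recursion seen in the report.
        if ($this->depth > 0) {
            throw new RuntimeException("offsetGet re-entered for index '$index'");
        }
        $this->depth++;
        try {
            return $this->fetch($index);
        } finally {
            $this->depth--;   // runs on both return and throw
        }
    }

    // Read the backing array directly; never go through $this[...] here.
    protected function fetch($index)
    {
        return isset($this->oarray[$this->element][$index])
            ? $this->oarray[$this->element][$index]
            : null;
    }

    function offsetSet($index, $value)
    {
        $this->oarray[$this->element][$index] = $value;
    }

    function offsetUnset($index)
    {
        unset($this->oarray[$this->element][$index]);
    }
}

// Same defect as the reporter's offsetGet, reintroduced in a subclass.
class ReenteringProxy extends SafeArrayAccessReferenceProxy
{
    protected function fetch($index)
    {
        return $this[$index];   // calls offsetGet again
    }
}

// Constructed sample data, mirroring the Peoples class in the report.
$data = array(array('name' => 'Foo'));

$proxy = new SafeArrayAccessReferenceProxy($data, 0);
var_dump($proxy['name']);                  // string(3) "Foo"
$proxy['name'] = $proxy['name'] . 'Bar';
var_dump($data[0]['name']);                // string(6) "FooBar", written through the reference

$broken = new ReenteringProxy($data, 0);
try {
    var_dump($broken['name']);
} catch (RuntimeException $e) {
    echo "caught: ", $e->getMessage(), "\n";   // caught: offsetGet re-entered for index 'name'
}
```

The direct read in `fetch()` is the actual fix; the depth counter is a cheap second line of defence for proxies that delegate to overridable code, because a stack exhaustion in the VM is not something PHP error handling can catch, whereas an exception is logged and the worker survives.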
History

 [2019-10-21 12:19 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:19 UTC] cmb@php.net
Duplicate of bug #78704.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 15 11:01:25 2019 UTC