Bug #78830 Infinite recursion crash
Submitted: 2019-11-18 12:18 UTC Modified: 2019-11-19 08:52 UTC
From: syjzwjj at gmail dot com Assigned: cmb (profile)
Status: Wont fix Package: Class/Object related
PHP Version: 7.3.11 OS: linux
Private report: No CVE-ID: None
 [2019-11-18 12:18 UTC] syjzwjj at gmail dot com
Description:
------------
PHP classes fail to check the object relationship, which can cause a stack overflow when the user destructs the object.

Test script:
---------------
<?php
class a {
   function __destruct() {
      $obj = new b;
   }
}

class b extends a {
}

$obj = new b;
echo "before unset the object\n";
unset($obj);
echo "after unset the object\n";

?>

Expected result:
----------------
No crash.

Actual result:
--------------
PHP crashes with the backtrace information below. I compiled PHP with ASan enabled.

zwjj@zwjj-SuperServer:~/research/php-7.3.11/sapi/cli/fuzz$ ./php ~/Desktop/crash1.php 
before unset the object
ASAN:SIGSEGV
=================================================================
==27703==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc19a88fe8 (pc 0x000001b121a8 bp 0x7ffc19a892c0 sp 0x7ffc19a88fd0 T0)
    #0 0x1b121a7 in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:603
    #1 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #2 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #3 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #4 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #5 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #6 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #7 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #8 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #9 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #10 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #11 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #12 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #13 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #14 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #15 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #16 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #17 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #18 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #19 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #20 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #21 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #22 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #23 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #24 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #25 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #26 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #27 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #28 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #29 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #30 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #31 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #32 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #33 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #34 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #35 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #36 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #37 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #38 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #39 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #40 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #41 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #42 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #43 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #44 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #45 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #46 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #47 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #48 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #49 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #50 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #51 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #52 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #53 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #54 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #55 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #56 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #57 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #58 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #59 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #60 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #61 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #62 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #63 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #64 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #65 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #66 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #67 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #68 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #69 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #70 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #71 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #72 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #73 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #74 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #75 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #76 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #77 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #78 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #79 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #80 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #81 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #82 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #83 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #84 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #85 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #86 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #87 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #88 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #89 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #90 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #91 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #92 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #93 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #94 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #95 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #96 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #97 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #98 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #99 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #100 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #101 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #102 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #103 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #104 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #105 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #106 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #107 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #108 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #109 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #110 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #111 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #112 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #113 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #114 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #115 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #116 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #117 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #118 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #119 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #120 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #121 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #122 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #123 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #124 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #125 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #126 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #127 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #128 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #129 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #130 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #131 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #132 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #133 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #134 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #135 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #136 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #137 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #138 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #139 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #140 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #141 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #142 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #143 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #144 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #145 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #146 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #147 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #148 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #149 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #150 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #151 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #152 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #153 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #154 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #155 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #156 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #157 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #158 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #159 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #160 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #161 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #162 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #163 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #164 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #165 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #166 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #167 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #168 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #169 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #170 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #171 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #172 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #173 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #174 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #175 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #176 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #177 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #178 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #179 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #180 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #181 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #182 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #183 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #184 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #185 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #186 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #187 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #188 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #189 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #190 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #191 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #192 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #193 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #194 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #195 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #196 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #197 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #198 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #199 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #200 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #201 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #202 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #203 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #204 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #205 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #206 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #207 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #208 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #209 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #210 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #211 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #212 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #213 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #214 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #215 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #216 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #217 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #218 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #219 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #220 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #221 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #222 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #223 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #224 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #225 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #226 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #227 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #228 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #229 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #230 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #231 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #232 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #233 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #234 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #235 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #236 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #237 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #238 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #239 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #240 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #241 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #242 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #243 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #244 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #245 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #246 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159
    #247 0x1d5b893 in zend_objects_store_del /home/zwjj/research/php-7.3.11/Zend/zend_objects_API.c:174
    #248 0x1e2c5ed in i_free_compiled_variables /home/zwjj/research/php-7.3.11/Zend/zend_execute.c:2363
    #249 0x2041c99 in execute_ex /home/zwjj/research/php-7.3.11/Zend/zend_vm_execute.h:55431
    #250 0x1b1610b in zend_call_function /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:756
    #251 0x1d35f62 in zend_objects_destroy_object /home/zwjj/research/php-7.3.11/Zend/zend_objects.c:159

SUMMARY: AddressSanitizer: stack-overflow /home/zwjj/research/php-7.3.11/Zend/zend_execute_API.c:603 zend_call_function
==27703==ABORTING


 [2019-11-18 12:22 UTC] syjzwjj at gmail dot com
This issue was reported by the Hillstone Network Neuron security team, He Yisheng and Zhang WangJunJie. Please assign a CVE number for it when it is finished, thank you!
 [2019-11-18 13:15 UTC] syjzwjj at gmail dot com
PHP 7.1.33 and 7.2.24 also have this issue, so the main stable versions are all affected.
 [2019-11-18 16:15 UTC] cmb@php.net
This is not related to inheritance, but rather to the fact that
the code creates a new instance in the destructor of the class,
which is then immediately destroyed, causing infinite recursion,
resulting in a stack overflow.

In my opinion, this is not a bug in PHP (let alone a security
issue), but rather a userland programming error, similar to

    function foo() {
        foo();
    }
 [2019-11-18 16:39 UTC] syjzwjj at gmail dot com
I don't think so.

Firstly, the code you describe can't make the interpreter crash. Both for the PHP engine and the PHP engine, the engine should do the job of checking whether the engine is in infinite recursion. You can check the code of JS engines like Chakra, WebKit or V8; the engine itself must handle the problem.

Secondly, if you think the PoC can only cause the engine to crash, then you shouldn't have assigned https://bugs.php.net/bug.php?id=77020 a CVE, because it is just a null pointer, which can't have any effect on the system, so why did you still assign a number for it?
 [2019-11-18 22:29 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-11-18 22:29 UTC] stas@php.net
This looks like regular stack overflow driven by endless loop.
 [2019-11-19 08:52 UTC] cmb@php.net
-Summary: php +Summary: Infinite recursion crash -Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2019-11-19 08:52 UTC] cmb@php.net
> […] the engine should do the job of checking whether the engine
> are in infinite recursion.

PHP doesn't do this for performance reasons[1].  During
development, Xdebug can be used to catch such issues[2].

[1] <https://www.php.net/manual/en/functions.user-defined.php>
[2] <https://xdebug.org/docs/basic>
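The following is an added example, not code from the bug report or from the PHP project. It takes the report's test script (a destructor that allocates an instance of a subclass, which is destroyed on the spot and re-enters the same destructor) and shows the userland counterpart of the check cmb says PHP itself skips for performance: a static nesting counter in the destructor that stops allocating once a chosen bound is reached, so the script ends normally instead of overflowing the C stack. The class names `Guarded`/`GuardedChild`, the bound `MAX_DEPTH = 8`, and the `$constructed` counter are assumptions made for the demonstration; the bound plays the same role here as Xdebug's `xdebug.max_nesting_level` directive does during development.

```php
<?php
// Added example (not part of bug #78830): a destructor re-entrancy guard.
// Class names, MAX_DEPTH and the $constructed counter are assumptions.

class Guarded
{
    /** @var int number of Guarded destructors currently on the call stack */
    private static $depth = 0;

    /** Assumed bound; PHP enforces no recursion limit of its own. */
    const MAX_DEPTH = 8;

    /** @var int instances constructed so far (for the demo output only) */
    public static $constructed = 0;

    public function __construct()
    {
        self::$constructed++;
    }

    public function __destruct()
    {
        if (self::$depth >= self::MAX_DEPTH) {
            // Without this branch every allocation below would be destroyed
            // immediately and re-enter __destruct forever, as in the report.
            fwrite(STDERR, "destructor nesting limit reached, not allocating again\n");
            return;
        }

        self::$depth++;
        try {
            // Same pattern as the bug report's class a: allocate a subclass
            // instance inside the destructor. It goes out of scope at the end
            // of this method and its destructor runs before we return.
            $obj = new GuardedChild();
        } finally {
            self::$depth--;
        }
    }
}

class GuardedChild extends Guarded
{
}

$obj = new GuardedChild();
echo "before unset the object\n";
unset($obj);
echo "after unset the object\n";

// One outer instance plus one per guarded level: MAX_DEPTH + 1 = 9.
echo "instances constructed: " . Guarded::$constructed . "\n";
```

Run with `php guarded.php`: both echo lines print, the guard message appears once on stderr, and the constructed count is 9. Removing the `if` branch reproduces the behaviour the report describes. The guard is a debugging aid for locating the allocation in the destructor; the real fix in application code is not to create instances of the same hierarchy from within its destructor at all.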
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 00:01:27 2024 UTC