php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79434 PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant
Submitted: 2020-03-30 15:53 UTC Modified: 2020-03-31 07:49 UTC
From: bruno dot premont at restena dot lu Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.16 OS: Linux
Private report: No CVE-ID: None
 [2020-03-30 15:53 UTC] bruno dot premont at restena dot lu
Description:
------------
Reproductible:
- PHP-7.3.15-r1
- PHP-7.4.3-r1
Not affected:
- PHP-7.2.28-r1

For all of them, pecl-radius 1.4.0_beta is loaded.


Accessing constants defined by pecl-radius (which are defined as being case-insensitive) in namespaced manner causes PHP to crash (SEGFAULT on 0x01, 1byte within a NULL-pointer).
Accessing the same constant in non-namespaced manner works as expected.

Marking all pecl-radius constants case-sensistive also prevents the crash.


Could not reproduce the same crash with TRUE/FALSE PHP-core constants which are case-insensitive as well.

Test script:
---------------
# following line works:
echo RADIUS_ACCESS_REQUEST;

# following alternate line crashes:
echo \RADIUS_ACCESS_REQUEST);



Actual result:
--------------
Backtrace captured with php-cli-7.3.15-r1 (Gentoo)

Code at zend_execute.c:3373 would be:
  is_deprecated = memcmp(ZSTR_VAL(c->name) + shortname_offset, Z_STRVAL_P(orig_key - 1) + shortname_offset, shortname_len) != 0;




#0  0xf6dc4f60 in ?? () from /libx32/libc.so.6
No symbol table info available.
#1  0x569b632d in _zend_quick_get_constant (check_defined_only=0, flags=<optimized out>, key=0xf4c8d0a0) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3373
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        zv = <optimized out>
        orig_key = <optimized out>
        c = 0x57426c90
        zv = <optimized out>
        orig_key = <optimized out>
        c = <optimized out>
        actual = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        access_key = <optimized out>
#2  zend_quick_get_constant (key=<optimized out>, flags=<optimized out>) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3394
No locals.
#3  0x569f7de6 in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER () at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_vm_execute.h:32077
        c = 0x1
        c = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>


Patches

WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch (last revision 2020-03-31 06:43 UTC by bruno dot premont at restena dot lu)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-31 06:43 UTC] bruno dot premont at restena dot lu
The following patch has been added/updated:

Patch Name: WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch
Revision:   1585636995
URL:        https://bugs.php.net/patch-display.php?bug=79434&patch=WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch&revision=1585636995
 [2020-03-31 07:49 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Variables related +Package: Scripting Engine problem
 [2020-03-31 07:49 UTC] cmb@php.net
I can confirm the issue; the segfault happens as of commit
88dd38e[1].

Thanks for the radius patch!  While I think it would be reasonable
to make the constant case-sensitive in radius, we still need to
fix the engine crashing on qualified case-insensitive constants.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=88dd38ee814f242befa7f9f40599b7b22b5ff8c8>
 [2020-04-02 14:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf68bc413bd7548643058a63dbf4d907346d184c
Log: Fixed bug #79434
 [2020-04-02 14:36 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Jul 10 12:01:33 2020 UTC