Bug #79434 PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant
Submitted: 2020-03-30 15:53 UTC Modified: 2020-03-31 07:49 UTC
From: bruno dot premont at restena dot lu Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.16 OS: Linux
Private report: No CVE-ID: None
 [2020-03-30 15:53 UTC] bruno dot premont at restena dot lu
Description:
------------
Reproducible:
- PHP-7.3.15-r1
- PHP-7.4.3-r1
Not affected:
- PHP-7.2.28-r1

For all of them, pecl-radius 1.4.0_beta is loaded.


Accessing constants defined by pecl-radius (which are defined as being case-insensitive) in a namespaced manner causes PHP to crash (SEGFAULT on 0x01, 1 byte within a NULL pointer).
Accessing the same constant in a non-namespaced manner works as expected.

Marking all pecl-radius constants case-sensitive also prevents the crash.


Could not reproduce the same crash with TRUE/FALSE PHP-core constants which are case-insensitive as well.

Test script:
---------------
<?php
# following line (unqualified constant name) works:
echo RADIUS_ACCESS_REQUEST;

# following alternate line (fully qualified constant name) crashes:
echo \RADIUS_ACCESS_REQUEST;

Actual result:
--------------
Backtrace captured with php-cli-7.3.15-r1 (Gentoo)

Code at zend_execute.c:3373 would be:
  is_deprecated = memcmp(ZSTR_VAL(c->name) + shortname_offset, Z_STRVAL_P(orig_key - 1) + shortname_offset, shortname_len) != 0;
#0  0xf6dc4f60 in ?? () from /libx32/libc.so.6
No symbol table info available.
#1  0x569b632d in _zend_quick_get_constant (check_defined_only=0, flags=<optimized out>, key=0xf4c8d0a0) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3373
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        zv = <optimized out>
        orig_key = <optimized out>
        c = 0x57426c90
        zv = <optimized out>
        orig_key = <optimized out>
        c = <optimized out>
        actual = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        access_key = <optimized out>
#2  zend_quick_get_constant (key=<optimized out>, flags=<optimized out>) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3394
No locals.
#3  0x569f7de6 in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER () at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_vm_execute.h:32077
        c = 0x1
        c = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>


Patches

WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch (last revision 2020-03-31 06:43 UTC by bruno dot premont at restena dot lu)

Pull Requests


History

 [2020-03-31 06:43 UTC] bruno dot premont at restena dot lu
The following patch has been added/updated:

Patch Name: WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch
Revision:   1585636995
URL:        https://bugs.php.net/patch-display.php?bug=79434&patch=WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch&revision=1585636995
 [2020-03-31 07:49 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Variables related +Package: Scripting Engine problem
 [2020-03-31 07:49 UTC] cmb@php.net
I can confirm the issue; the segfault happens as of commit
88dd38e[1].

Thanks for the radius patch!  While I think it would be reasonable
to make the constant case-sensitive in radius, we still need to
fix the engine crashing on qualified case-insensitive constants.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=88dd38ee814f242befa7f9f40599b7b22b5ff8c8>
 [2020-04-02 14:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf68bc413bd7548643058a63dbf4d907346d184c
Log: Fixed bug #79434
 [2020-04-02 14:36 UTC] nikic@php.net
-Status: Verified +Status: Closed