Bug #79658 circular clone cause a crash
Submitted: 2020-06-01 11:10 UTC Modified: 2020-06-01 11:12 UTC
From: rvn dot plvhx at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.6 OS: Linux
Private report: No CVE-ID: None
 [2020-06-01 11:10 UTC] rvn dot plvhx at gmail dot com
Description:
------------
<?php

class Foo
{
    public function __construct() {}

    private function wrapClone()
    {
        // Cloning $this from inside the clone hook creates a new Foo whose
        // __clone runs and calls wrapClone again: unbounded recursion.
        $q = clone $this;
        return $q;
    }

    public function __clone() {
        $ret = $this->wrapClone();
        //unset($ret);
        return $ret; // the engine ignores the return value of __clone
    }
}

$foo = new Foo();
$bar = clone $foo; // never returns: the process dies with SIGSEGV (see below)

Actual result:
--------------
vagrant@ubuntu-bionic:/tmp$ php -v
PHP 7.4.6 (cli) (built: Jun  1 2020 11:03:53) ( ZTS DEBUG )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
vagrant@ubuntu-bionic:/tmp$ gdb -q $(which php)
Reading symbols from /usr/local/bin/php...done.
(gdb) r test.php
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555a7e365 in zend_mm_alloc_small_slow (heap=<error reading variable: Cannot access memory at address 0x7fffff7feff8>,
    bin_num=<error reading variable: Cannot access memory at address 0x7fffff7feff4>, __zend_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>,
    __zend_lineno=<error reading variable: Cannot access memory at address 0x7fffff7feff0>,
    __zend_orig_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>,
    __zend_orig_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefdc>) at /vagrant/php-7.4.6/Zend/zend_alloc.c:1187
1187	{
(gdb) bt
#0  0x0000555555a7e365 in zend_mm_alloc_small_slow (heap=<error reading variable: Cannot access memory at address 0x7fffff7feff8>,
    bin_num=<error reading variable: Cannot access memory at address 0x7fffff7feff4>, __zend_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>,
    __zend_lineno=<error reading variable: Cannot access memory at address 0x7fffff7feff0>,
    __zend_orig_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>,
    __zend_orig_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefdc>) at /vagrant/php-7.4.6/Zend/zend_alloc.c:1187
#1  0x0000555555a7e6af in zend_mm_alloc_small (heap=0x7ffff3a00040, bin_num=8, __zend_filename=0x5555562734e8 "/vagrant/php-7.4.6/Zend/zend_objects.c", __zend_lineno=196,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /vagrant/php-7.4.6/Zend/zend_alloc.c:1258
#2  0x0000555555a7e913 in zend_mm_alloc_heap (heap=0x7ffff3a00040, size=72, __zend_filename=0x5555562734e8 "/vagrant/php-7.4.6/Zend/zend_objects.c", __zend_lineno=196,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /vagrant/php-7.4.6/Zend/zend_alloc.c:1326
#3  0x0000555555a817f5 in _emalloc (size=40, __zend_filename=0x5555562734e8 "/vagrant/php-7.4.6/Zend/zend_objects.c", __zend_lineno=196, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /vagrant/php-7.4.6/Zend/zend_alloc.c:2539
#4  0x0000555555b1a2f5 in zend_objects_new (ce=0x7ffff3a03018) at /vagrant/php-7.4.6/Zend/zend_objects.c:196
#5  0x0000555555b1a8c5 in zend_objects_clone_obj (zobject=0x7ffff38fcb40) at /vagrant/php-7.4.6/Zend/zend_objects.c:301
#6  0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
#7  0x0000555555baae4b in execute_ex (ex=0x7ffff38fca60) at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:55172
#8  0x0000555555aa8829 in zend_call_function (fci=0x7fffff7ff550, fci_cache=0x7fffff7ff530) at /vagrant/php-7.4.6/Zend/zend_execute_API.c:812
#9  0x0000555555b1a86d in zend_objects_clone_members (new_object=0x7ffff3937fa0, old_object=0x7ffff3937f50) at /vagrant/php-7.4.6/Zend/zend_objects.c:287
#10 0x0000555555b1a930 in zend_objects_clone_obj (zobject=0x7ffff38fca30) at /vagrant/php-7.4.6/Zend/zend_objects.c:313
#11 0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
#12 0x0000555555baae4b in execute_ex (ex=0x7ffff38fc950) at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:55172
#13 0x0000555555aa8829 in zend_call_function (fci=0x7fffff7ff980, fci_cache=0x7fffff7ff960) at /vagrant/php-7.4.6/Zend/zend_execute_API.c:812
#14 0x0000555555b1a86d in zend_objects_clone_members (new_object=0x7ffff3937f50, old_object=0x7ffff3937f00) at /vagrant/php-7.4.6/Zend/zend_objects.c:287
#15 0x0000555555b1a930 in zend_objects_clone_obj (zobject=0x7ffff38fc920) at /vagrant/php-7.4.6/Zend/zend_objects.c:313
#16 0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
#17 0x0000555555baae4b in execute_ex (ex=0x7ffff38fc840) at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:55172
#18 0x0000555555aa8829 in zend_call_function (fci=0x7fffff7ffdb0, fci_cache=0x7fffff7ffd90) at /vagrant/php-7.4.6/Zend/zend_execute_API.c:812
#19 0x0000555555b1a86d in zend_objects_clone_members (new_object=0x7ffff3937f00, old_object=0x7ffff3937eb0) at /vagrant/php-7.4.6/Zend/zend_objects.c:287
#20 0x0000555555b1a930 in zend_objects_clone_obj (zobject=0x7ffff38fc810) at /vagrant/php-7.4.6/Zend/zend_objects.c:313
#21 0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
#22 0x0000555555baae4b in execute_ex (ex=0x7ffff38fc730) at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:55172
#23 0x0000555555aa8829 in zend_call_function (fci=0x7fffff8001e0, fci_cache=0x7fffff8001c0) at /vagrant/php-7.4.6/Zend/zend_execute_API.c:812
#24 0x0000555555b1a86d in zend_objects_clone_members (new_object=0x7ffff3937eb0, old_object=0x7ffff3937e60) at /vagrant/php-7.4.6/Zend/zend_objects.c:287
#25 0x0000555555b1a930 in zend_objects_clone_obj (zobject=0x7ffff38fc700) at /vagrant/php-7.4.6/Zend/zend_objects.c:313
#26 0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
#27 0x0000555555baae4b in execute_ex (ex=0x7ffff38fc620) at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:55172
#28 0x0000555555aa8829 in zend_call_function (fci=0x7fffff800610, fci_cache=0x7fffff8005f0) at /vagrant/php-7.4.6/Zend/zend_execute_API.c:812
#29 0x0000555555b1a86d in zend_objects_clone_members (new_object=0x7ffff3937e60, old_object=0x7ffff3937e10) at /vagrant/php-7.4.6/Zend/zend_objects.c:287
#30 0x0000555555b1a930 in zend_objects_clone_obj (zobject=0x7ffff38fc5f0) at /vagrant/php-7.4.6/Zend/zend_objects.c:313
#31 0x0000555555b597bf in ZEND_CLONE_SPEC_TMPVAR_HANDLER () at /vagrant/php-7.4.6/Zend/zend_vm_execute.h:13649
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/i $pc
=> 0x555555a7e365 <zend_mm_alloc_small_slow+8>:	mov    %rdi,-0x48(%rbp)
(gdb) p/x $rdi
$1 = 0x7ffff3a00040
(gdb) p/x $rbp - 0x48
$2 = 0x7fffff7feff8
(gdb) x/30gx 0x7fffff7feff8
0x7fffff7feff8:	Cannot access memory at address 0x7fffff7feff8
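The backtrace repeats the same three frames (zend_objects_clone_obj, zend_objects_clone_members, the __clone call) and the faulting instruction is a store to the current frame's own local slot at an address the kernel has not mapped: the native stack has been exhausted, and PHP 7.4 has no engine-level check that would turn that into a catchable error. The following is an added example, not code from the bug report or from php-src. It shows the report's pattern with a hypothetical depth guard (class GuardedFoo, limit 16, both assumed) next to a __clone written the way the hook is meant to be used (class SafeFoo, also assumed): it fixes up the already-copied object and never clones $this.

```php
<?php
declare(strict_types=1);

// Added example, not from the bug report. GuardedFoo, SafeFoo and the
// depth limit of 16 are assumptions for this demonstration.

// 1. The report's pattern, with a hypothetical depth guard. Because PHP 7.4
//    has no limit on engine recursion, the guard is the only thing standing
//    between this code and the native stack overflow in the backtrace above.
final class GuardedFoo
{
    private static int $depth = 0;
    private const MAX_DEPTH = 16; // assumed limit, kept small so the demo is quick

    public function __clone()
    {
        if (self::$depth >= self::MAX_DEPTH) {
            throw new RuntimeException(
                'clone recursion exceeded ' . self::MAX_DEPTH . ' levels'
            );
        }
        self::$depth++;
        try {
            // Same mistake as in the report: the fresh copy's __clone runs,
            // which clones again, and so on until the guard trips.
            $again = clone $this;
        } finally {
            self::$depth--;
        }
    }
}

// 2. The correct shape of __clone: it runs on the already-copied object and
//    only adjusts that copy. It never clones $this, and the engine ignores
//    its return value anyway.
final class SafeFoo
{
    private string $id;
    /** @var stdClass[] owned mutable members that must not be shared */
    private array $items;

    public function __construct(array $items)
    {
        $this->items = $items;
        $this->id = bin2hex(random_bytes(8));
    }

    public function __clone()
    {
        // Deep-copy owned objects so the copy cannot alias the original.
        foreach ($this->items as $k => $item) {
            $this->items[$k] = clone $item;
        }
        // Identity is not copied: the clone gets a fresh id.
        $this->id = bin2hex(random_bytes(8));
    }

    public function id(): string { return $this->id; }
    /** @return stdClass[] */
    public function items(): array { return $this->items; }
}

// Guarded version: terminates with an exception instead of a SIGSEGV.
$g = new GuardedFoo();
try {
    $copy = clone $g;
} catch (RuntimeException $e) {
    printf("guarded: %s\n", $e->getMessage());
}

// Correct version: the copy is independent of the original.
$item = new stdClass();
$item->value = 1;
$safe = new SafeFoo([$item]);
$copy = clone $safe;
$copy->items()[0]->value = 2;

printf("ids differ: %s\n", var_export($copy->id() !== $safe->id(), true));
printf("original untouched: %s\n", var_export($safe->items()[0]->value === 1, true));
```

The guard is a demonstration, not a substitute for writing __clone correctly: any path that can make the engine recurse without bound (a clone hook that clones $this, a __get that reads itself, mutually recursive __toString calls) kills the whole worker process with SIGSEGV on PHP 7.4, which under php-fpm means the in-flight request fails and the child is restarted. Later PHP releases added an engine stack-size limit (the zend.max_allowed_stack_size setting introduced in PHP 8.3) that converts this class of crash into a fatal error; on the version in this report there is no such check, so the only reliable defence is to keep clone hooks free of any operation that can re-enter them.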

 [2020-06-01 11:12 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2020-06-01 11:12 UTC] nikic@php.net
Duplicate of bug #64196.
 
Last updated: Sat Aug 15 18:01:26 2020 UTC