php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79922 Crash after multiple calls to xml_parser_free()
Submitted: 2020-08-01 23:26 UTC Modified: 2020-08-10 10:30 UTC
From: srivas41 at purdue dot edu Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2020-08-01 23:26 UTC] srivas41 at purdue dot edu
Description:
------------
It is possible to trigger a null pointer dereference in `date_parse` which causes the PHP interpreter to crash.

# Build instructions

## Download and build PHP-7.4.8
wget https://www.php.net/distributions/php-7.4.8.tar.gz && tar -xf php.7.4.8.tar.gz && cd php-7.4.8

## Setup PHP interpreter
./buildconf --force && CC=clang-9 CXX=clang++-9 CFLAGS="-fsanitize=address -g" ./configure && make -j`nproc`

## Run instructions
./sapi/cli/php -f test_script.php

# Authors

Prashast Srivastava, Mathias Payer


Test script:
---------------
<?php 
$c=xml_parser_create_ns();
$a=xml_parser_free($c);
$a=xml_parser_free($c);
$c=0;
date_parse($a);
?>

Expected result:
----------------
The PHP interpreter should not crash.

Actual result:
--------------
# ASAN-disabled interpreter result

$ ./sapi/cli/php -f null-ptr-deref.php

Segmentation fault (core dumped)  ./sapi/cli/php -f

# ASAN Backtrace from ASAN-enabled interpreter

$ ./sapi/cli/php -f null-ptr-deref.php

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000141b0d0 bp 0x7ffffffeef20 sp 0x7ffffffeee00 T0)
==10121==The signal is caused by a READ memory access.
==10121==Hint: address points to the zero page.
    #0 0x141b0cf in zend_mm_alloc_small /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33
    #1 0x141b0cf in zend_mm_alloc_heap /root/build/php-7.4.8/Zend/zend_alloc.c:1326:9
    #2 0x141b0cf in _emalloc /root/build/php-7.4.8/Zend/zend_alloc.c:2539:9
    #3 0x1421348 in _estrdup /root/build/php-7.4.8/Zend/zend_alloc.c:2622:15
    #4 0x54fdf9 in add_error /root/build/php-7.4.8/parse_date.re:350:66
    #5 0x5518be in scan /root/build/php-7.4.8/parse_date.re:1814:3
    #6 0x54ef13 in timelib_strtotime /root/build/php-7.4.8/parse_date.re:1878:7
    #7 0x50e22a in zif_date_parse /root/build/php-7.4.8/ext/date/php_date.c:3188:16
    #8 0x1b0a280 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/build/php-7.4.8/Zend/zend_vm_execute.h:1269:2
    #9 0x17bee0a in execute_ex /root/build/php-7.4.8/Zend/zend_vm_execute.h:53618:7
    #10 0x17c0377 in zend_execute /root/build/php-7.4.8/Zend/zend_vm_execute.h:57920:2
    #11 0x155204a in zend_execute_scripts /root/build/php-7.4.8/Zend/zend.c:1678:4
    #12 0x1283457 in php_execute_script /root/build/php-7.4.8/main/main.c:2621:14
    #13 0x1c3cbb8 in do_cli /root/build/php-7.4.8/sapi/cli/php_cli.c:964:5
    #14 0x1c39f29 in main /root/build/php-7.4.8/sapi/cli/php_cli.c:1359:18
    #15 0x7ffff6307b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x440049 in _start (/root/build/php-7.4.8/sapi/cli/php+0x440049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33 in zend_mm_alloc_small
==10121==ABORTING



Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-08-01 23:29 UTC] srivas41 at purdue dot edu
-Summary: Lack of error checking in `posix_kill` +Summary: Null-pointer-dereference in `date_parse` -Operating System: Ubuntu 16.04 +Operating System: Ubuntu 18.04
 [2020-08-01 23:29 UTC] srivas41 at purdue dot edu
The summary details (OS, version, summary) were incorrect while I was submitting the bug report. Fixed them now.
 [2020-08-02 03:21 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-08-08 14:03 UTC] cmb@php.net
-Summary: Null-pointer-dereference in `date_parse` +Summary: Crash after multiple calls to xml_parser_free() -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-08-08 14:03 UTC] cmb@php.net
I can confirm the crash; this is not particularly related to
date_parse(), but rather to multiple calls to xml_parser_free() on
the same XML parsers.
 [2020-08-08 14:04 UTC] cmb@php.net
-PHP Version: 7.4.8 +PHP Version: 7.3
 [2020-08-08 14:04 UTC] cmb@php.net
7.3 is affected as well, but not PHP 8.0.
 [2020-08-10 09:15 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79922: Crash after multiple calls to xml_parser_free()
On GitHub:  https://github.com/php/php-src/pull/5969
Patch:      https://github.com/php/php-src/pull/5969.patch
 [2020-08-10 10:30 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 29 15:01:25 2020 UTC