Bug #79922 Crash after multiple calls to xml_parser_free()
Submitted: 2020-08-01 23:26 UTC Modified: 2020-08-10 10:30 UTC
From: srivas41 at purdue dot edu Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2020-08-01 23:26 UTC] srivas41 at purdue dot edu
Description:
------------
It is possible to trigger a null pointer dereference in `date_parse` which causes the PHP interpreter to crash.

# Build instructions

## Download and build PHP-7.4.8
wget https://www.php.net/distributions/php-7.4.8.tar.gz && tar -xf php-7.4.8.tar.gz && cd php-7.4.8

## Setup PHP interpreter
./buildconf --force && CC=clang-9 CXX=clang++-9 CFLAGS="-fsanitize=address -g" ./configure && make -j`nproc`

## Run instructions
./sapi/cli/php -f test_script.php

# Authors

Prashast Srivastava, Mathias Payer


Test script:
---------------
<?php
$c=xml_parser_create_ns();   // create a namespace-aware XML parser resource
$a=xml_parser_free($c);      // first free of the parser: valid
$a=xml_parser_free($c);      // second free of the same parser: the trigger (double free)
$c=0;
date_parse($a);              // any later allocation can now crash; date_parse() is simply the call that hits it here
?>

Expected result:
----------------
The PHP interpreter should not crash.

Actual result:
--------------
# ASAN-disabled interpreter result

$ ./sapi/cli/php -f null-ptr-deref.php

Segmentation fault (core dumped)  ./sapi/cli/php -f

# ASAN Backtrace from ASAN-enabled interpreter

$ ./sapi/cli/php -f null-ptr-deref.php

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000141b0d0 bp 0x7ffffffeef20 sp 0x7ffffffeee00 T0)
==10121==The signal is caused by a READ memory access.
==10121==Hint: address points to the zero page.
    #0 0x141b0cf in zend_mm_alloc_small /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33
    #1 0x141b0cf in zend_mm_alloc_heap /root/build/php-7.4.8/Zend/zend_alloc.c:1326:9
    #2 0x141b0cf in _emalloc /root/build/php-7.4.8/Zend/zend_alloc.c:2539:9
    #3 0x1421348 in _estrdup /root/build/php-7.4.8/Zend/zend_alloc.c:2622:15
    #4 0x54fdf9 in add_error /root/build/php-7.4.8/parse_date.re:350:66
    #5 0x5518be in scan /root/build/php-7.4.8/parse_date.re:1814:3
    #6 0x54ef13 in timelib_strtotime /root/build/php-7.4.8/parse_date.re:1878:7
    #7 0x50e22a in zif_date_parse /root/build/php-7.4.8/ext/date/php_date.c:3188:16
    #8 0x1b0a280 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/build/php-7.4.8/Zend/zend_vm_execute.h:1269:2
    #9 0x17bee0a in execute_ex /root/build/php-7.4.8/Zend/zend_vm_execute.h:53618:7
    #10 0x17c0377 in zend_execute /root/build/php-7.4.8/Zend/zend_vm_execute.h:57920:2
    #11 0x155204a in zend_execute_scripts /root/build/php-7.4.8/Zend/zend.c:1678:4
    #12 0x1283457 in php_execute_script /root/build/php-7.4.8/main/main.c:2621:14
    #13 0x1c3cbb8 in do_cli /root/build/php-7.4.8/sapi/cli/php_cli.c:964:5
    #14 0x1c39f29 in main /root/build/php-7.4.8/sapi/cli/php_cli.c:1359:18
    #15 0x7ffff6307b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x440049 in _start (/root/build/php-7.4.8/sapi/cli/php+0x440049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/build/php-7.4.8/Zend/zend_alloc.c:1255:33 in zend_mm_alloc_small
==10121==ABORTING


History

 [2020-08-01 23:29 UTC] srivas41 at purdue dot edu
-Summary: Lack of error checking in `posix_kill` +Summary: Null-pointer-dereference in `date_parse` -Operating System: Ubuntu 16.04 +Operating System: Ubuntu 18.04
 [2020-08-01 23:29 UTC] srivas41 at purdue dot edu
The summary details (OS, version, summary) were incorrect while I was submitting the bug report. Fixed them now.
 [2020-08-02 03:21 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-08-08 14:03 UTC] cmb@php.net
-Summary: Null-pointer-dereference in `date_parse` +Summary: Crash after multiple calls to xml_parser_free() -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-08-08 14:03 UTC] cmb@php.net
I can confirm the crash; this is not particularly related to
date_parse(), but rather to multiple calls to xml_parser_free() on
the same XML parser.
 [2020-08-08 14:04 UTC] cmb@php.net
-PHP Version: 7.4.8 +PHP Version: 7.3
 [2020-08-08 14:04 UTC] cmb@php.net
7.3 is affected as well, but not PHP 8.0.
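As an added illustration of the defensive pattern on the affected 7.x branches (example code, not from the bug report or from the php-src fix; `safe_xml_parser_free()` is an assumed helper name), the free can be wrapped so a handle is released at most once:

```php
<?php
// Added example (not part of the bug report or of php-src): release an XML
// parser resource at most once, so a stray second xml_parser_free() on the
// same handle cannot corrupt the allocator as in bug #79922.
// safe_xml_parser_free() is an assumed helper name.

function safe_xml_parser_free(&$parser): bool
{
    // On PHP 7.x a freed parser is a closed resource: is_resource() returns
    // false and get_resource_type() reports "Unknown". Refuse to touch it.
    if (!is_resource($parser)) {
        return false;
    }
    $ok = xml_parser_free($parser);
    $parser = null; // drop the handle so the caller cannot free it again
    return $ok;
}

$p = xml_parser_create_ns();
safe_xml_parser_free($p);   // frees the parser and clears $p
safe_xml_parser_free($p);   // refused: no second xml_parser_free() on the same handle
```

On PHP 8 xml_parser_create() returns an XMLParser object and xml_parser_free() has no effect, so the guard only matters on the 7.x branches named above.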
 [2020-08-10 09:15 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79922: Crash after multiple calls to xml_parser_free()
On GitHub:  https://github.com/php/php-src/pull/5969
Patch:      https://github.com/php/php-src/pull/5969.patch
 [2020-08-10 10:30 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 05:01:27 2024 UTC