Bug #79979 passing value to by-ref param via CUFA crashes
Submitted: 2020-08-16 02:56 UTC Modified: 2020-08-24 13:04 UTC
From: 1126774947 at qq dot com Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 8.0.0beta1 OS: *
Private report: No CVE-ID: None
 [2020-08-16 02:56 UTC] 1126774947 at qq dot com
Description:
------------
exec called via call_user_func_array with wrong params causes a segmentation fault, but the code is still executed.

Backtrace:

#0  php_exec_ex (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070, mode=0) at /tmp/tmp/php-src/ext/standard/exec.c:214
#1  0x00000000006cf3d5 in zif_exec (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070) at /tmp/tmp/php-src/ext/standard/exec.c:263
#2  0x00000000008afcb4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/tmp/php-src/Zend/zend_vm_execute.h:1730
#3  0x0000000000914c75 in execute_ex (ex=0x7ffff3e15020) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:53828
#4  0x0000000000918d53 in zend_execute (op_array=0x7ffff3e03100, return_value=0x0) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:57920
#5  0x000000000083be3c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/tmp/php-src/Zend/zend.c:1678
#6  0x000000000079cc72 in php_execute_script (primary_file=0x7fffffffca30) at /tmp/tmp/php-src/main/main.c:2621
#7  0x000000000092500a in php_cli_server_dispatch_script (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2077
#8  0x0000000000925819 in php_cli_server_dispatch (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2248
#9  0x00000000009261cc in php_cli_server_recv_event_read_request (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2492
#10 0x00000000009265b1 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffcc90, fd=4, event=1) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2578
#11 0x0000000000922138 in php_cli_server_poller_iter_on_active (poller=0x141c328 <server+8>, opaque=0x7fffffffcc90, callback=0x92635b <php_cli_server_do_event_for_each_fd_callback>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:919
#12 0x0000000000926647 in php_cli_server_do_event_for_each_fd (server=0x141c320 <server>, rhandler=0x926064 <php_cli_server_recv_event_read_request>, whandler=0x926207 <php_cli_server_send_event>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2596
#13 0x00000000009266cf in php_cli_server_do_event_loop (server=0x141c320 <server>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2606
#14 0x0000000000926a7b in do_cli_server (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2734
#15 0x000000000091ca7d in main (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli.c:1362

After executing the code:

php: /tmp/tmp/php-src/ext/standard/exec.c:254: php_exec_ex: Assertion `(zval_get_type(&(*(ret_code))) == 10)' failed.


#0  0x00007ffff6a82428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff6a8402a in __GI_abort () at abort.c:89
#2  0x00007ffff6a7abd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0xf965a0 "(zval_get_type(&(*(ret_code))) == 10)", file=file@entry=0xf964e0 "/tmp/tmp/php-src/ext/standard/exec.c", line=line@entry=254, function=function@entry=0xf96928 <__PRETTY_FUNCTION__.17203> "php_exec_ex") at assert.c:92
#3  0x00007ffff6a7ac82 in __GI___assert_fail (assertion=0xf965a0 "(zval_get_type(&(*(ret_code))) == 10)", file=0xf964e0 "/tmp/tmp/php-src/ext/standard/exec.c", line=254, function=0xf96928 <__PRETTY_FUNCTION__.17203> "php_exec_ex") at assert.c:101
#4  0x00000000006cf316 in php_exec_ex (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070, mode=0) at /tmp/tmp/php-src/ext/standard/exec.c:254
#5  0x00000000006cf3d5 in zif_exec (execute_data=0x7ffff3e150f0, return_value=0x7ffff3e15070) at /tmp/tmp/php-src/ext/standard/exec.c:263
#6  0x00000000008afcb4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/tmp/php-src/Zend/zend_vm_execute.h:1730
#7  0x0000000000914c75 in execute_ex (ex=0x7ffff3e15020) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:53828
#8  0x0000000000918d53 in zend_execute (op_array=0x7ffff3e03100, return_value=0x0) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:57920
#9  0x000000000083be3c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/tmp/php-src/Zend/zend.c:1678
#10 0x000000000079cc72 in php_execute_script (primary_file=0x7fffffffca30) at /tmp/tmp/php-src/main/main.c:2621
#11 0x000000000092500a in php_cli_server_dispatch_script (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2077
#12 0x0000000000925819 in php_cli_server_dispatch (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2248
#13 0x00000000009261cc in php_cli_server_recv_event_read_request (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2492
#14 0x00000000009265b1 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffcc90, fd=4, event=1) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2578
#15 0x0000000000922138 in php_cli_server_poller_iter_on_active (poller=0x141c328 <server+8>, opaque=0x7fffffffcc90, callback=0x92635b <php_cli_server_do_event_for_each_fd_callback>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:919
#16 0x0000000000926647 in php_cli_server_do_event_for_each_fd (server=0x141c320 <server>, rhandler=0x926064 <php_cli_server_recv_event_read_request>, whandler=0x926207 <php_cli_server_send_event>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2596
#17 0x00000000009266cf in php_cli_server_do_event_loop (server=0x141c320 <server>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2606
#18 0x0000000000926a7b in do_cli_server (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2734
#19 0x000000000091ca7d in main (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli.c:1362


Test script:
---------------
<?php
// Arguments 2 and 3 correspond to exec()'s by-reference parameters ($output, $result_code)
// but are passed here as plain values through call_user_func_array().
call_user_func_array("exec",["echo '<?php phpinfo();?>' > bbb.php","??????","????"]);

Expected result:
----------------
PHP Warning:  Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1

Warning: Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1
PHP Warning:  Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1

Warning: Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1

Actual result:
--------------
Warning: Parameter 2 to exec() expected to be a reference, value given in php shell code on line 1

Warning: Parameter 3 to exec() expected to be a reference, value given in php shell code on line 1
Segmentation fault (core dumped)

History
 [2020-08-16 08:23 UTC] 1126774947 at qq dot com
-Summary: stream_socket_client be called by call_user_func_array with wrong param and cau +Summary: exec function execute code and cause crash with call_user_func_array
 [2020-08-16 08:23 UTC] 1126774947 at qq dot com
Wrong bug title
 [2020-08-16 08:51 UTC] requinix@php.net
As shown in the other similar reports, looks like this is an issue with call_user_func[_array] and non-reference values where references are expected.
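The following is an added example, not code from the bug report or from php-src, illustrating the mechanism named above: call_user_func_array() handing plain values to parameters that the callee declares by reference, and the reference-wrapped call that avoids the warning and lets the callee write back to the caller. The function collect() is a hypothetical stand-in for exec()'s $output / $result_code parameters so that nothing is executed through a shell.

```php
<?php
// Added example: by-reference parameters and call_user_func_array().
// collect() is hypothetical; its second and third parameters mirror the
// by-ref $output and $result_code parameters of exec().
function collect(string $cmd, ?array &$output, ?int &$code): string
{
    $output = ["ran: $cmd"];
    $code   = 0;
    return end($output);
}

// Wrong: the array carries plain copies of $out and $rc. PHP emits a warning
// that the argument must be passed by reference, the call still happens, and
// the caller's variables are left untouched.
$out = null;
$rc  = null;
call_user_func_array('collect', ['first', $out, $rc]);
var_dump($out, $rc); // NULL, NULL

// Right: build the argument array with explicit references so the callee's
// writes reach the caller's variables.
$args = ['second', &$out, &$rc];
call_user_func_array('collect', $args);
var_dump($out, $rc); // array(1) { [0] => "ran: second" }, int(0)

// Where the callee and its arity are known at the call site, a direct call
// passes the references without any wrapping at all.
collect('third', $out, $rc);
var_dump($out[0], $rc); // "ran: third", int(0)
```

The security-relevant point is the first call: because the function body still runs after the warning, any side effect (for exec(), the command itself) has already happened by the time the missing reference is noticed, which is exactly the ordering the report's "still exec code" describes. Treat the "expected to be a reference" warning as a programming error to fix, not as noise to suppress.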
 [2020-08-17 08:51 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79979: passing value to by-ref param via CUF(A) crashes
On GitHub:  https://github.com/php/php-src/pull/6000
Patch:      https://github.com/php/php-src/pull/6000.patch
 [2020-08-18 17:52 UTC] cmb@php.net
-Status: Open +Status: Verified -Operating System: ubuntu 16.04 +Operating System: * -Assigned To: +Assigned To: cmb
 [2020-08-24 13:04 UTC] cmb@php.net
-Summary: exec function execute code and cause crash with call_user_func_array +Summary: passing value to by-ref param via CUFA crashes
 [2020-08-24 13:04 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6b6c2c003c69729832a7804c76bff6e230b73c91
Log: Fix #79979: passing value to by-ref param via CUFA crashes
 [2020-08-24 13:04 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 21 08:01:23 2020 UTC