php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80244 SEGV in zend_gc_delref()
Submitted: 2020-10-16 03:21 UTC Modified: 2021-12-14 14:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sanjeev dot das at ibm dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0.0rc1 OS: 18.04.4 LTS
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sanjeev dot das at ibm dot com
New email:
PHP Version: OS:

 

 [2020-10-16 03:21 UTC] sanjeev dot das at ibm dot com
Description:
------------
php(cli) triggers segmentation fault with a crafted php file. The input triggers out of bounds read in zend_string_release_ex(). Address sanitizer also shows the crash caused by invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DOS. 
========================
Command : php -f crash_1.php (shown below)
 
Addrsan logs:
-----------------
Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0)
==57581==The signal is caused by a READ memory access.
    #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2
    #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8
    #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2
    #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3
    #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2
    #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3
    #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3
    #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2
    #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2
    #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3
    #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18
    #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref
==57581==ABORTING
====================================

Test script:
---------------
<?php
$name = 'a';
for ($i = 0; $i < 100000; $i++) {
    if ($name .= 'i') {
        $$name =& $GLOBALS;
    }
    $name++;
}
?>

Expected result:
----------------
Should not seg fault.

Actual result:
--------------
Segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-16 08:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-12-14 14:14 UTC] cmb@php.net
-Package: CGI/CLI related +Package: Scripting Engine problem
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 02 19:01:29 2024 UTC