Bug #80244 SEGV in zend_gc_delref()
Submitted: 2020-10-16 03:21 UTC Modified: 2020-10-16 08:31 UTC
From: sanjeev dot das at ibm dot com Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 8.0.0rc1 OS: 18.04.4 LTS
Private report: No CVE-ID: None


 [2020-10-16 03:21 UTC] sanjeev dot das at ibm dot com
php (cli) triggers a segmentation fault with a crafted PHP file. The input triggers an out-of-bounds read in zend_string_release_ex(). AddressSanitizer also shows the crash is caused by an invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DoS.
Command: php -f crash_1.php (shown below)
AddressSanitizer logs:
Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7
==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0)
==57581==The signal is caused by a READ memory access.
    #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2
    #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8
    #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2
    #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3
    #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2
    #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3
    #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3
    #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2
    #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2
    #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3
    #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18
    #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref

Test script:
<?php
// Each iteration appends one more 'i' to the variable name and binds that
// variable-variable by reference to $GLOBALS, filling the symbol table until
// the memory limit is hit; the crash is then triggered during shutdown.
$name = 'a';
for ($i = 0; $i < 100000; $i++) {
    if ($name .= 'i') {
        $$name =& $GLOBALS;
    }
}

Expected result:
Should not seg fault.

Actual result:
Segmentation fault.


 [2020-10-16 08:31 UTC]
-Type: Security +Type: Bug
Last updated: Wed Sep 29 03:03:33 2021 UTC