|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-10-16 08:31 UTC] stas@php.net
-Type: Security
+Type: Bug
[2021-12-14 14:14 UTC] cmb@php.net
-Package: CGI/CLI related
+Package: Scripting Engine problem
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 27 16:01:27 2024 UTC |
Description: ------------ php(cli) triggers segmentation fault with a crafted php file. The input triggers out of bounds read in zend_string_release_ex(). Address sanitizer also shows the crash caused by invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DOS. ======================== Command : php -f crash_1.php (shown below) Addrsan logs: ----------------- Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7 AddressSanitizer:DEADLYSIGNAL ================================================================= ==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0) ==57581==The signal is caused by a READ memory access. #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2 #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8 #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2 #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3 #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2 #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3 #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3 #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2 #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2 #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3 #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18 #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref ==57581==ABORTING ==================================== Test script: --------------- <?php $name = 'a'; for ($i = 0; $i < 100000; $i++) { if ($name .= 'i') { $$name =& $GLOBALS; } $name++; } ?> Expected result: ---------------- Should not seg fault. Actual result: -------------- Segmentation fault.