PHP :: Bug #80244 :: SEGV in zend_gc

Bug #80244

SEGV in zend_gc_delref()

Submitted:

2020-10-16 03:21 UTC

Modified:

2021-12-14 14:14 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

sanjeev dot das at ibm dot com

Assigned:

Status:

Open

Package:

Scripting Engine problem

PHP Version:

8.0.0rc1

OS:

18.04.4 LTS

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	sanjeev dot das at ibm dot com
New email:
PHP Version:		OS:

New Comment:

[2020-10-16 03:21 UTC] sanjeev dot das at ibm dot com

Description:
------------
php(cli) triggers segmentation fault with a crafted php file. The input triggers out of bounds read in zend_string_release_ex(). Address sanitizer also shows the crash caused by invalid read memory access in zend_string_release_ex(), which can potentially lead to information leakage or DOS. 
========================
Command : php -f crash_1.php (shown below)
 
Addrsan logs:
-----------------
Fatal error: Allowed memory size of 134217728 bytes exhausted at Zend/zend_string.h:141 (tried to allocate 14672 bytes) in crash_1.php on line 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==57581==ERROR: AddressSanitizer: SEGV on unknown address 0x7eff7ebf9000 (pc 0x0000024c9914 bp 0x7ffe413e5a90 sp 0x7ffe413e5a20 T0)
==57581==The signal is caused by a READ memory access.
    #0 0x24c9913 in zend_gc_delref php-src/Zend/zend_types.h:1172:2
    #1 0x24c976b in i_zval_ptr_dtor php-src/Zend/zend_variables.h:43:8
    #2 0x24896df in zend_unclean_zval_ptr_dtor php-src/Zend/zend_execute_API.c:214:2
    #3 0x26f7bad in _zend_hash_del_el_ex php-src/Zend/zend_hash.c:1330:3
    #4 0x26f2e16 in _zend_hash_del_el php-src/Zend/zend_hash.c:1353:2
    #5 0x2710b94 in zend_hash_graceful_reverse_destroy php-src/Zend/zend_hash.c:1807:3
    #6 0x248a20e in shutdown_executor php-src/Zend/zend_execute_API.c:279:3
    #7 0x25d4520 in zend_deactivate php-src/Zend/zend.c:1225:2
    #8 0x1f09573 in php_request_shutdown php-src/main/main.c:1807:2
    #9 0x358184c in do_cli php-src/sapi/cli/php_cli.c:1112:3
    #10 0x3579a07 in main php-src/sapi/cli/php_cli.c:1338:18
    #11 0x7eff8981ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x4368a9 in _start (php-src/sapi/cli/php+0x4368a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_types.h:1172:2 in zend_gc_delref
==57581==ABORTING
====================================

Test script:
---------------
<?php
$name = 'a';
for ($i = 0; $i < 100000; $i++) {
    if ($name .= 'i') {
        $$name =& $GLOBALS;
    }
    $name++;
}
?>

Expected result:
----------------
Should not seg fault.

Actual result:
--------------
Segmentation fault.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-10-16 08:31 UTC] stas@php.net

-Type: Security +Type: Bug

[2021-12-14 14:14 UTC] cmb@php.net

-Package: CGI/CLI related +Package: Scripting Engine problem

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Thu Jun 01 19:03:36 2023 UTC