php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80246 SEGV in zend_fetch_dimension_address_read()
Submitted: 2020-10-16 15:28 UTC Modified: 2024-10-29 19:17 UTC
From: sanjeev dot das at ibm dot com Assigned: nielsdos (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.11 OS: 18.04.4 LTS
Private report: No CVE-ID: None
 [2020-10-16 15:28 UTC] sanjeev dot das at ibm dot com
Description:
------------
Segmentation fault is triggered due to null pointer dereference in zend_fetch_dimension_address_read() with the given php script. 

Address sanitizer shows:
 

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4575==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000016c426a bp 0x7fff1318b790 sp 0x7fff1318af60 T0)
==4575==The signal is caused by a READ memory access.
==4575==Hint: address points to the zero page.
    #0 0x16c4269 in zend_fetch_dimension_address_read php-7.2.34/Zend/zend_execute.c:1800:7
    #1 0x16c4269 in zend_fetch_dimension_address_read_R_slow php-7.2.34/Zend/zend_execute.c:1855
    #2 0x1379a9b in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER php-7.2.34/Zend/zend_vm_execute.h:36219:4
    #3 0x11f2aad in execute_ex php-7.2.34/Zend/zend_vm_execute.h:59767:7
    #4 0x11f3e92 in zend_execute php-7.2.34/Zend/zend_vm_execute.h:63804:2
    #5 0xfd7e9b in zend_execute_scripts php-7.2.34/Zend/zend.c:1498:4
    #6 0xd4a23a in php_execute_script php-7.2.34/main/main.c:2599:14
    #7 0x171d99f in do_cli php-7.2.34/sapi/cli/php_cli.c:1011:5
    #8 0x171ab8b in main php-7.2.34/sapi/cli/php_cli.c:1403:18
    #9 0x7fafaac66b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x432279 in _start (php-7.2.34/sapi/cli/php+0x432279)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-7.2.34/Zend/zend_execute.c:1800:7 in zend_fetch_dimension_address_read
==4575==ABORTING


Test script:
---------------
<?php

$my_var = null;
set_error_handler(function() use(&$my_var) {
    $my_var = 0;
});

$my_var[] .= "xyz";
var_dump($my_var);

$my_var = null;
$my_var[0][0][0] .= "xyz";
var_dump($my_var);

$my_var = nual;
$my_var["foo"] . "xyz";
var_dump($my_var);

$my_Var = null;
$my_var["foo"]["bar"]["baz"] .= "xyz";
var_dump($my_var);

?>

Expected result:
----------------
No seg fault.

Actual result:
--------------
Segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-19 12:41 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2020-10-19 12:41 UTC] cmb@php.net
Confirmed.  Simpler reproducer for PHP 7:

<?php
set_error_handler(function() use(&$my_var) {
    $my_var = 0;
});
$my_var = 'nual';
$my_var["foo"];
?>

and for PHP 8:

<?php
set_error_handler(function() use(&$my_var) {
    $my_var = 0;
});
$my_var = 'nual';
$my_var["1a"];
?>

The problem is that we make sure that the zval IS_STRING[1], but
than trigger an error, the error handler changes the type of the
zval, but we're treating the zval still as string[2].

[1] <https://github.com/php/php-src/blob/php-7.4.11/Zend/zend_execute.c#L2386>
[2] <https://github.com/php/php-src/blob/php-7.4.11/Zend/zend_execute.c#L2426>
 [2020-10-19 12:53 UTC] nikic@php.net
Yes, this is a known issue with many different variations (we probably have a couple dozen bug reports for this lying around, it's commonly found by fuzzers). My long term plan is to address this by delaying error reporting to the end of the opcode, but I haven't gotten around to trying that yet.
 [2021-12-14 14:14 UTC] cmb@php.net
-Package: CGI/CLI related +Package: Scripting Engine problem
 [2024-04-17 11:46 UTC] karamiller7890 at outlook dot com
Thank you for this information it is very helpful for me nice. (https://github.com)(https://www.doglikesbest.com/)
 [2024-10-29 19:17 UTC] nielsdos@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2024-10-29 19:17 UTC] nielsdos@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This particular case no longer reproduces for me on 8.4-dev; a bunch of these issues were fixed in 8.3 already.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 17:01:28 2024 UTC