Bug #80362 Running dtrace scripts can cause php to crash
Submitted: 2020-11-13 15:40 UTC Modified: 2020-11-24 12:03 UTC
From: al at coralnet dot name Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.4.12 OS: OmniOS r151034
Private report: No CVE-ID: None
 [2020-11-13 15:40 UTC] al at coralnet dot name
Running dtrace scripts using the php dtrace probes causes php to crash.

The following patch seems to fix the issue

--- Zend/zend.c.orig    2020-09-29 10:17:15.000000000 +0000
+++ Zend/zend.c
@@ -1309,7 +1309,9 @@ static ZEND_COLD void zend_error_va_list
        if (DTRACE_ERROR_ENABLED()) {
                char *dtrace_error_buffer;
-               zend_vspprintf(&dtrace_error_buffer, 0, format, args);
+               va_copy(usr_copy, args);
+               zend_vspprintf(&dtrace_error_buffer, 0, format, usr_copy);
+               va_end(usr_copy);
                DTRACE_ERROR(dtrace_error_buffer, (char *)error_filename, error_lineno);
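Review bot: usr_copy is used by the added va_copy/va_end lines, but no declaration of it appears in this hunk; confirm that a va_list usr_copy is already in scope at this point in zend_error_va_list, or declare a local va_list next to dtrace_error_buffer so the DTrace block stands on its own. A one-line comment above va_copy saying why args is not passed directly (a va_list is indeterminate once a callee has traversed it) would keep the copy from being removed as redundant later.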

Test script:
Dtrace script

#!/usr/sbin/dtrace -Zs -x bufsize=20m

#pragma D option quiet

    printf("%Y Error '%s' %s:%d\n", walltimestamp, copyinstr(arg0), copyinstr(arg1), (int)arg2);

    printf("%Y Caught %s\n", walltimestamp, copyinstr(arg0));

    printf("%Y Thrown %s\n", walltimestamp, copyinstr(arg0));


throw a


Expected result:
php test.php 
PHP Warning:  Module 'dom' already loaded in Unknown on line 0
PHP Warning:  Use of undefined constant a - assumed 'a' (this will throw an Error in a future version of PHP) in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3
PHP Fatal error:  Uncaught Error: Can only throw objects in /export/home/aslate/tmp/tuiuksys/public/test.php:3
Stack trace:
#0 {main}
  thrown in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3

Actual result:
php test.php 
Segmentation Fault (core dumped)


 [2020-11-24 12:02 UTC]
Automatic comment on behalf of
Log: Fixed bug #80362: Running dtrace scripts can cause php to crash
 [2020-11-24 12:02 UTC]
-Status: Open +Status: Closed
 [2020-11-24 12:03 UTC]
-Assigned To: +Assigned To: nikic
 [2020-11-24 12:03 UTC]
I don't have a way to test this, but your patch looks sensible, so I've applied it.

In PHP 8.0 this issue has already been fixed as a side-effect of some refactorings (a pre-formatted message is provided).
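
The hazard the patch guards against, as an added C example (not PHP's code and not from the reporter or the maintainer): a va_list traversed by one formatter is indeterminate for the next, so each consumer works on its own va_copy. The names trace_probe, trace_seen, trace_enabled, vformat_alloc and report_error are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a tracing probe: remembers the last message. */
static char trace_seen[256];
static int trace_enabled = 1;

static void trace_probe(const char *msg)
{
    strncpy(trace_seen, msg, sizeof trace_seen - 1); /* last byte stays NUL */
}

/* Format into a malloc'd buffer. Each traversal runs on its own va_copy,
 * so the caller's va_list is never consumed here. */
static char *vformat_alloc(const char *format, va_list args)
{
    va_list pass;
    int len;
    char *buf;
    va_copy(pass, args);
    len = vsnprintf(NULL, 0, format, pass);        /* pass 1: measure */
    va_end(pass);
    if (len < 0 || (buf = malloc((size_t)len + 1)) == NULL)
        return NULL;

    va_copy(pass, args);
    vsnprintf(buf, (size_t)len + 1, format, pass); /* pass 2: write */
    va_end(pass);
    return buf;
}

/* Same shape as the patched function: an optional tracing consumer formats
 * the arguments first, then the normal error path formats them again. */
static char *report_error(const char *format, ...)
{
    va_list args;
    char *msg;
    va_start(args, format);
    if (trace_enabled) {
        char *traced = vformat_alloc(format, args);
        if (traced != NULL) trace_probe(traced);
        free(traced);
    }
    msg = vformat_alloc(format, args); /* args was only copied, still valid */
    va_end(args);
    return msg; /* caller frees */
}
```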