Bug #80362 Running dtrace scripts can cause php to crash
Submitted: 2020-11-13 15:40 UTC Modified: 2020-11-24 12:03 UTC
From: al at coralnet dot name Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.4.12 OS: OmniOS r151034
Private report: No CVE-ID: None
 [2020-11-13 15:40 UTC] al at coralnet dot name
Description:
------------
Running dtrace scripts using the php dtrace probes causes php to crash

The following patch seems to fix the issue

--- Zend/zend.c.orig    2020-09-29 10:17:15.000000000 +0000
+++ Zend/zend.c
@@ -1309,7 +1309,9 @@ static ZEND_COLD void zend_error_va_list
 #ifdef HAVE_DTRACE
        if (DTRACE_ERROR_ENABLED()) {
                char *dtrace_error_buffer;
-               zend_vspprintf(&dtrace_error_buffer, 0, format, args);
+               va_copy(usr_copy, args);
+               zend_vspprintf(&dtrace_error_buffer, 0, format, usr_copy);
+               va_end(usr_copy);
                DTRACE_ERROR(dtrace_error_buffer, (char *)error_filename, error_lineno);
                efree(dtrace_error_buffer);
        }
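Review bot: `usr_copy` is used by the added va_copy/va_end lines, but no declaration of it appears in this hunk, and the hunk's line counts (7 to 9) account only for the three added lines. Confirm that a `va_list usr_copy;` is already in scope at this point in zend_error_va_list; if it is not, declare a local one next to `char *dtrace_error_buffer;` so the HAVE_DTRACE branch is self-contained. A one-line comment on why the copy is needed would also help, since nothing in the visible lines shows `args` being used again.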


Test script:
---------------
Dtrace script

#!/usr/sbin/dtrace -Zs -x bufsize=20m

#pragma D option quiet

php*:::error
{
    printf("%Y Error '%s' %s:%d\n", walltimestamp, copyinstr(arg0), copyinstr(arg1), (int)arg2);
}

php*:::exception-caught
{
    printf("%Y Caught %s\n", walltimestamp, copyinstr(arg0));
}

php*:::exception-thrown
{
    printf("%Y Thrown %s\n", walltimestamp, copyinstr(arg0));
}


test.php
<?php

throw a

?>



Expected result:
----------------
php test.php 
PHP Warning:  Module 'dom' already loaded in Unknown on line 0
PHP Warning:  Use of undefined constant a - assumed 'a' (this will throw an Error in a future version of PHP) in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3
PHP Fatal error:  Uncaught Error: Can only throw objects in /export/home/aslate/tmp/tuiuksys/public/test.php:3
Stack trace:
#0 {main}
  thrown in /export/home/aslate/tmp/tuiuksys/public/test.php on line 3


Actual result:
--------------
php test.php 
Segmentation Fault (core dumped)


 [2020-11-24 12:02 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fa713ec17ba6c1b7cbf4c00b121f34a1a6f77919
Log: Fixed bug #80362: Running dtrace scripts can cause php to crash
 [2020-11-24 12:02 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2020-11-24 12:03 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-11-24 12:03 UTC] nikic@php.net
I don't have a way to test this, but your patch looks sensible, so I've applied it.

In PHP 8.0 this issue has already been fixed as a side-effect of some refactorings (a pre-formatted message is provided).
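
The two fixes mentioned in this report (a va_copy for the probe in 7.4, a pre-formatted message in 8.0), as an added C example that is not PHP source and not code from the reporter or maintainer. It assumes, as the patch's use of va_copy implies, that the same `args` is formatted a second time after the probe fires; `fire_probe`, `write_log`, `report_with_copy`, `report_preformatted` and `report` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the two consumers of one error message:
 * a tracing probe and the normal error log. These are not PHP's names. */
static char probe_seen[128], log_seen[128];
static void fire_probe(const char *msg) { snprintf(probe_seen, sizeof probe_seen, "%s", msg); }
static void write_log(const char *msg)  { snprintf(log_seen, sizeof log_seen, "%s", msg); }

/* Fix 1 (shape of the 7.4 patch): the probe formats from a copy, so `args`
 * is still untouched when the second consumer formats from it. */
static void report_with_copy(const char *format, va_list args)
{
    char buf[128];
    va_list probe_args;

    va_copy(probe_args, args);
    vsnprintf(buf, sizeof buf, format, probe_args);
    va_end(probe_args);              /* every va_copy needs a matching va_end */
    fire_probe(buf);
    /* Passing `args` to both vsnprintf calls instead is undefined behaviour:
     * after the first call its value is indeterminate, which can crash. */
    vsnprintf(buf, sizeof buf, format, args);
    write_log(buf);
}

/* Fix 2 (the approach described for 8.0): format once, then hand the
 * finished string to every consumer, so no va_list is ever reused. */
static void report_preformatted(const char *format, va_list args)
{
    char buf[128];
    vsnprintf(buf, sizeof buf, format, args);
    fire_probe(buf);
    write_log(buf);
}

/* Variadic entry point; use_copy selects which fix to exercise. */
static int report(int use_copy, const char *format, ...)
{
    va_list args;
    va_start(args, format);
    if (use_copy) report_with_copy(format, args);
    else          report_preformatted(format, args);
    va_end(args);
    return strcmp(probe_seen, log_seen) == 0;   /* 1 when both saw the same text */
}

int main(void) { return report(1, "Uncaught %s in %s:%d", "Error", "test.php", 3) ? 0 : 1; }
```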
 
Last updated: Mon Jan 18 08:01:26 2021 UTC