Bug #81091 SIGSEGV (Address boundary error) in zend_mm_alloc_small
Submitted: 2021-05-31 12:39 UTC Modified: 2021-06-03 17:16 UTC
From: rafal dot janiczek at gmail dot com Assigned:
Status: Open Package: ssh2 (PECL)
PHP Version: 7.4.19 OS: Linux
Private report: No CVE-ID: None
 [2021-05-31 12:39 UTC] rafal dot janiczek at gmail dot com
Description:
------------
CLI script crashes after loading ~15 classes via composer (2.0.14). Same with PHP 8.0.5.

vendor/composer/ClassLoader.php:478 includeFile() (just after include $file)

'php fetcher.one.php mini-virt' terminated by signal SIGSEGV (Address boundary error)


Actual result:
--------------
#0  zend_mm_alloc_small (bin_num=0, heap=0x7f1157200040) at ./Zend/zend_alloc.c:1255
#1  _emalloc_8 () at ./Zend/zend_alloc.c:2466
#2  0x0000560638d7dd12 in init_op_array (op_array=op_array@entry=0x7f1157212440, type=type@entry=2 '\002', initial_ops_size=initial_ops_size@entry=64) at ./Zend/zend_opcode.c:53
#3  0x0000560638d76665 in zend_compile_func_decl (result=0x0, ast=0x7f1157264810, toplevel=<optimized out>) at ./Zend/zend_compile.c:5992
#4  0x0000560638d755dc in zend_compile_stmt (ast=0x7f1157264810) at ./Zend/zend_compile.c:8550
#5  0x0000560638d7656f in zend_compile_stmt_list (ast=ast@entry=0x7f1157266288) at ./Zend/zend_compile.c:5271
#6  0x0000560638d755c7 in zend_compile_stmt (ast=ast@entry=0x7f1157266288) at ./Zend/zend_compile.c:8494
#7  0x0000560638d772f0 in zend_compile_class_decl (ast=0x7f11572664e0, toplevel=<optimized out>) at ./Zend/zend_compile.c:6482
#8  0x0000560638d78277 in zend_compile_top_stmt (ast=0x7f11572664e0) at ./Zend/zend_compile.c:8469
#9  0x0000560638d782a0 in zend_compile_top_stmt (ast=0x7f1157262018) at ./Zend/zend_compile.c:8458
#10 0x0000560638d4f804 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:614
#11 0x0000560638d50f6a in compile_file (file_handle=0x7ffeacbb4120, type=2) at Zend/zend_language_scanner.l:650
#12 0x00007f115496b96d in phar_compile_file (file_handle=0x7ffeacbb4120, type=2) at ./ext/phar/phar.c:3323
#13 0x0000560638d50fe7 in compile_filename (type=type@entry=2, filename=filename@entry=0x7f1157213580) at Zend/zend_language_scanner.l:671
#14 0x0000560638dd5d27 in zend_include_or_eval (inc_filename=0x7f1157213580, type=2) at ./Zend/zend_execute.c:4299
#15 0x0000560638df2aee in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at ./Zend/zend_vm_execute.h:37797
#16 0x0000560638e0a869 in execute_ex (ex=0x7f1157200040) at ./Zend/zend_vm_execute.h:57041
#17 0x0000560638d7b41f in zend_call_function (fci=fci@entry=0x7ffeacbb4490, fci_cache=0x7f115727f090, fci_cache@entry=0x7ffeacbb4470) at ./Zend/zend_execute_API.c:820
#18 0x0000560638c85974 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>) at ./ext/spl/php_spl.c:452
#19 0x0000560638d7b33b in zend_call_function (fci=0x7ffeacbb4630, fci_cache=0x7ffeacbb4610) at ./Zend/zend_execute_API.c:833
#20 0x0000560638d7b9f5 in zend_lookup_class_ex (name=name@entry=0x7f11572d3480, key=0x7f11572d35c0, flags=flags@entry=512) at ./Zend/zend_execute_API.c:1002
#21 0x0000560638d7c243 in zend_fetch_class_by_name (class_name=0x7f11572d3480, key=<optimized out>, fetch_type=fetch_type@entry=512) at ./Zend/zend_execute_API.c:1433
#22 0x0000560638defe17 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:9255
#23 0x0000560638e0c017 in execute_ex (ex=0x7f1157200040) at ./Zend/zend_vm_execute.h:54651
#24 0x0000560638e13a4b in zend_execute (op_array=0x7f115727e2a0, return_value=0x0) at ./Zend/zend_vm_execute.h:57993
#25 0x0000560638d8a03c in zend_execute_scripts (type=type@entry=8, retval=0x7f115727ad60, retval@entry=0x0, file_count=1461793392, file_count@entry=3) at ./Zend/zend.c:1679
#26 0x0000560638d29810 in php_execute_script (primary_file=<optimized out>) at ./main/main.c:2621
#27 0x0000560638e15b8a in do_cli (argc=3, argv=0x56063a9cc1d0) at ./sapi/cli/php_cli.c:964
#28 0x0000560638beeed8 in main (argc=3, argv=0x56063a9cc1d0) at ./sapi/cli/php_cli.c:1359
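As an added illustration (not part of the report or of php.net), a small Python triage script that parses gdb frames in the format quoted above and draws the same conclusion the thread reaches: a fault inside zend_mm_alloc_small means heap metadata was already corrupted, so the culprit ran earlier and is not among the frames shown. The sample frames are a subset of the report's backtrace; the classification heuristics are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the gdb frames quoted in the report above.
SAMPLE_BT = r"""
#0  zend_mm_alloc_small (bin_num=0, heap=0x7f1157200040) at ./Zend/zend_alloc.c:1255
#1  _emalloc_8 () at ./Zend/zend_alloc.c:2466
#2  0x0000560638d7dd12 in init_op_array (op_array=op_array@entry=0x7f1157212440, type=type@entry=2 '\002', initial_ops_size=initial_ops_size@entry=64) at ./Zend/zend_opcode.c:53
#12 0x00007f115496b96d in phar_compile_file (file_handle=0x7ffeacbb4120, type=2) at ./ext/phar/phar.c:3323
#14 0x0000560638dd5d27 in zend_include_or_eval (inc_filename=0x7f1157213580, type=2) at ./Zend/zend_execute.c:4299
#18 0x0000560638c85974 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>) at ./ext/spl/php_spl.c:452
#28 0x0000560638beeed8 in main (argc=3, argv=0x56063a9cc1d0) at ./sapi/cli/php_cli.c:1359
"""

# gdb frame line: "#N  [0xADDR in ]func (args) at path:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\(.*\)\s+at\s+(\S+?):(\d+)$")


@dataclass
class Frame:
    n: int
    func: str
    file: str
    line: int


def parse_backtrace(text: str) -> list[Frame]:
    """Keep only well-formed frame lines; prose around the trace is ignored."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m[1]), m[2], m[3], int(m[4])))
    return frames


def component(path: str) -> str:
    """Map a php-src path to its component: Zend, main, sapi, or ext/<name>."""
    parts = path.lstrip("./").split("/")
    return "/".join(parts[:2]) if parts[0] == "ext" else parts[0]


def triage(frames: list[Frame]) -> dict:
    """Classify the crash from the frames alone (heuristics are this example's, not php.net's)."""
    funcs = {f.func for f in frames}
    top = frames[0]
    in_allocator = top.file.endswith("zend_alloc.c")  # allocator faulted on its own metadata
    return {
        "crash_func": top.func,
        "in_allocator": in_allocator,
        "components": sorted({component(f.file) for f in frames}),
        "compiling_autoloaded_file": {"zif_spl_autoload_call", "zend_include_or_eval"} <= funcs,
        # A fault inside the allocator means the heap was corrupted before this stack existed.
        "verdict": "prior heap corruption, culprit not on stack" if in_allocator else "fault at crash site",
    }
```

Because the crash site is only the victim, the practical next step is to rerun with USE_ZEND_ALLOC=0 under valgrind or an ASan build, so that the first bad write (here, in the loaded extension) is reported where it happens rather than at the next allocation.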


History

 [2021-05-31 12:41 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-05-31 12:41 UTC] nikic@php.net
Is there some way to reproduce this issue? (What is the fetcher.one.php script here?)
 [2021-05-31 22:56 UTC] rafal dot janiczek at gmail dot com
-Status: Feedback +Status: Open
 [2021-05-31 22:56 UTC] rafal dot janiczek at gmail dot com
Simple repo to reproduce problem: https://github.com/erjotek/phpbug

You need to connect via ssh to a real server and try four "todos" in the code.
 [2021-06-01 07:27 UTC] nikic@php.net
-Package: Reproducible crash +Package: ssh2
 [2021-06-01 07:27 UTC] nikic@php.net
Based on the test case, this is very likely a bug in the ssh2 PECL extension, not in PHP, so transferring there.
 [2021-06-01 12:14 UTC] cmb@php.net
Are you using the latest ssh2 (1.3.1)?  That has several stability and segfault fixes.
 [2021-06-03 17:16 UTC] rafal dot janiczek at gmail dot com
Yes, I use version 1.3.1.

Same problem is on:
- ubuntu (1.3.1+0.13-1+ubuntu20.04.1+deb.sury.org+1)
- alpine (php7-pecl-ssh2-1.3.1-r0 x86_64 {php7-pecl-ssh2})
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Sep 11 22:01:26 2024 UTC