Bug #81190: 2 crashes (heap-buffer-overflow, SEGV), 5 memory leaks
Submitted: 2021-06-22 11:05 UTC
Modified: 2021-07-02 08:26 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: gutaotao1995 at qq dot com
Assigned: nikic
Status: Closed
Package: *General Issues
PHP Version: 8.1.0alpha1
OS: linux
Private report: No
CVE-ID: None
 [2021-06-22 11:05 UTC] gutaotao1995 at qq dot com
Description:
------------
The bugs were detected by a fuzzer.
The build is from the oss-fuzz project.
There is no script, so I will upload all POCs in an attached file.

Test script:
---------------
The details are as follows.

Expected result:
----------------
Attached is the poc file that reproduces the crash.

2 crashes: heap-buffer-overflow, SEGV

5 memory leaks

Actual result:
--------------
gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  crash-eb98564ea8b9e5328defbc17269cfc2c6874d304
INFO: Seed: 2600008311
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: crash-eb98564ea8b9e5328defbc17269cfc2c6874d304
=================================================================
==244852==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000015e28 at pc 0x000000c8c52c bp 0x7fff3f08c050 sp 0x7fff3f08c048
READ of size 4 at 0x612000015e28 thread T0
    #0 0xc8c52b in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER /src/php-src/Zend/zend_vm_execute.h:22878:3
    #1 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #2 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #3 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #4 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #5 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #6 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #7 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #8 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7f133ec680b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x446968 in _start (/home/gtt/workspace/oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute+0x446968)

0x612000015e28 is located 104 bytes inside of 320-byte region [0x612000015dc0,0x612000015f00)
freed by thread T0 here:
    #0 0x54598d in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb66cd4 in tracked_free /src/php-src/Zend/zend_alloc.c:2761:2
    #2 0xb60437 in _efree_custom /src/php-src/Zend/zend_alloc.c:2428:3
    #3 0xb60341 in _efree /src/php-src/Zend/zend_alloc.c:2548:3
    #4 0xc28223 in zend_array_destroy /src/php-src/Zend/zend_hash.c:1682:2
    #5 0xdf5e5b in zend_object_std_dtor /src/php-src/Zend/zend_objects.c:54:5
    #6 0xe07dbd in zend_objects_store_del /src/php-src/Zend/zend_objects_API.c:200:4
    #7 0xbe6993 in rc_dtor_func /src/php-src/Zend/zend_variables.c:57:2
    #8 0xc28429 in i_zval_ptr_dtor /src/php-src/Zend/zend_variables.h:44:4
    #9 0xc2802b in zend_array_destroy /src/php-src/Zend/zend_hash.c:1659:5
    #10 0xdf5e5b in zend_object_std_dtor /src/php-src/Zend/zend_objects.c:54:5
    #11 0xe07dbd in zend_objects_store_del /src/php-src/Zend/zend_objects_API.c:200:4
    #12 0xbe6993 in rc_dtor_func /src/php-src/Zend/zend_variables.c:57:2
    #13 0xdfe05f in zend_assign_to_variable /src/php-src/Zend/zend_execute.h:145:5
    #14 0xdfd359 in zend_std_write_property /src/php-src/Zend/zend_object_handlers.c:741:4
    #15 0xc8bc84 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER /src/php-src/Zend/zend_vm_execute.h:22870:10
    #16 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #17 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #18 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #19 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #20 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #21 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #22 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #23 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #24 0x7f133ec680b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xc1cec2 in zend_hash_real_init_mixed_ex /src/php-src/Zend/zend_hash.c:172:10
    #6 0xc1cdc9 in zend_hash_real_init_mixed /src/php-src/Zend/zend_hash.c:335:2
    #7 0xc2254b in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:740:4
    #8 0xc21e95 in zend_hash_add_new /src/php-src/Zend/zend_hash.c:914:9
    #9 0xdfd67e in zend_std_write_property /src/php-src/Zend/zend_object_handlers.c:816:19
    #10 0xc8bc84 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER /src/php-src/Zend/zend_vm_execute.h:22870:10
    #11 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #12 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #13 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #14 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #15 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #16 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #17 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #18 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #19 0x7f133ec680b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /src/php-src/Zend/zend_vm_execute.h:22878:3 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER
Shadow bytes around the buggy address:
  0x0c247fffab70: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c247fffab80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffab90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffaba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffabb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffabc0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c247fffabd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffabe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffabf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffac10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==244852==ABORTING




gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  leak-570847a2eeae3e477d2ba8253adb1ca3f78feb26
INFO: Seed: 2551331490
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: leak-570847a2eeae3e477d2ba8253adb1ca3f78feb26

=================================================================
==244793==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xc1c03c in _zend_new_array /src/php-src/Zend/zend_hash.c:279:18
    #6 0xcd21f4 in ZEND_INIT_ARRAY_SPEC_CV_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:47115:3
    #7 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #8 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #9 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #10 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #11 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #12 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #13 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #14 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #15 0x7fe85f90b0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 264 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xc1c3d8 in zend_hash_real_init_packed_ex /src/php-src/Zend/zend_hash.c
    #6 0xc23cd0 in _zend_hash_index_add_or_update_i /src/php-src/Zend/zend_hash.c:1048:4
    #7 0xc23980 in zend_hash_next_index_insert /src/php-src/Zend/zend_hash.c:1122:9
    #8 0xcd7b3e in ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:47098:8
    #9 0xcd2270 in ZEND_INIT_ARRAY_SPEC_CV_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:47120:3
    #10 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #11 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #12 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #13 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #14 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #15 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #16 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #17 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #18 0x7fe85f90b0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 320 byte(s) leaked in 2 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.



gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  leak-d8ad2e3ddc6bd2dc1b8b90d888839a14c4fc3e0d
INFO: Seed: 1879066668
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: leak-d8ad2e3ddc6bd2dc1b8b90d888839a14c4fc3e0d
Executed leak-d8ad2e3ddc6bd2dc1b8b90d888839a14c4fc3e0d in 15 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

=================================================================
==244350==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xbd58cd in zend_string_alloc /src/php-src/Zend/zend_string.h:141:36
    #6 0xbe1ba1 in zend_string_init /src/php-src/Zend/zend_string.h:163:21
    #7 0xbce25d in zend_long_to_str /src/php-src/Zend/zend_operators.c:3090:10
    #8 0xbd01fa in __zval_get_string_func /src/php-src/Zend/zend_operators.c:943:11
    #9 0xbce465 in zval_try_get_string_func /src/php-src/Zend/zend_operators.c:981:9
    #10 0xd82b0f in zval_try_get_tmp_string /src/php-src/Zend/zend_operators.h:338:17
    #11 0xd9195d in zend_fetch_var_address_helper_SPEC_TMPVAR_UNUSED /src/php-src/Zend/zend_vm_execute.h:17503:10
    #12 0xceb248 in ZEND_FETCH_RW_SPEC_TMPVAR_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:17587:2
    #13 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #14 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #15 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #16 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #17 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #18 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #19 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #20 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #21 0x7fbc1bb740b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s).


gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  leak-6b6a01c65b09e6170fa2c931a69bbd10b72dfa2d
INFO: Seed: 1824399938
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: leak-6b6a01c65b09e6170fa2c931a69bbd10b72dfa2d

=================================================================
==244328==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 3 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xd2086e in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:22037:3
    #6 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #7 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #8 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #9 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #10 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #11 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #12 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #13 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #14 0x7f13dbdcf0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 96 byte(s) leaked in 3 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.



gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  leak-267580dd60d6d8d048a8e40eaa74d897efabd313
INFO: Seed: 1772914219
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: leak-267580dd60d6d8d048a8e40eaa74d897efabd313
Executed leak-267580dd60d6d8d048a8e40eaa74d897efabd313 in 1 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

=================================================================
==244296==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xbd58cd in zend_string_alloc /src/php-src/Zend/zend_string.h:141:36
    #6 0xbd9704 in concat_function /src/php-src/Zend/zend_operators.c:1943:17
    #7 0xd84bc7 in zend_binary_op /src/php-src/Zend/zend_execute.c:1357:9
    #8 0xca33f7 in ZEND_ASSIGN_OP_SPEC_CV_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:43340:3
    #9 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #10 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #11 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #12 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #13 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #14 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #15 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #16 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #17 0x7f0bcf77b0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s).



gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  leak-1-php-execute
INFO: Seed: 1711718991
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: leak-1-php-execute

=================================================================
==244235==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #2 0xb5d87e in tracked_malloc /src/php-src/Zend/zend_alloc.c:2746:14
    #3 0xb60267 in _malloc_custom /src/php-src/Zend/zend_alloc.c:2419:10
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xe2004d in zend_string_alloc /src/php-src/Zend/zend_string.h:141:36
    #6 0xe1ff7a in smart_str_erealloc /src/php-src/Zend/zend_smart_str.c:35:12
    #7 0xaae9bd in smart_str_alloc /src/php-src/Zend/zend_smart_str.h:67:5
    #8 0xaaeab6 in smart_str_appendl_ex /src/php-src/Zend/zend_smart_str.h:118:19
    #9 0xaaa809 in xbuf_format_converter /src/php-src/main/spprintf.c:763:4
    #10 0xaae618 in php_printf_to_smart_str /src/php-src/main/spprintf.c:786:2
    #11 0xbe8447 in zend_vstrpprintf /src/php-src/Zend/zend.c:267:2
    #12 0xbe8912 in zend_strpprintf_unchecked /src/php-src/Zend/zend.c:300:8
    #13 0xbd00a2 in __zval_get_string_func /src/php-src/Zend/zend_operators.c:946:11
    #14 0xbce465 in zval_try_get_string_func /src/php-src/Zend/zend_operators.c:981:9
    #15 0xd82b0f in zval_try_get_tmp_string /src/php-src/Zend/zend_operators.h:338:17
    #16 0xd92487 in zend_fetch_var_address_helper_SPEC_CV_UNUSED /src/php-src/Zend/zend_vm_execute.h:46131:10
    #17 0xceb278 in ZEND_FETCH_RW_SPEC_CV_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:46215:2
    #18 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #19 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #20 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #21 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #22 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #23 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #24 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #25 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #26 0x7f3de4e000b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 224 byte(s) leaked in 1 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.


gtt@GTT:~/workspace/poc-all/php$ ../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute  crash-php-execute
INFO: Seed: 1660061608
INFO: Loaded 1 modules   (134419 inline 8-bit counters): 134419 [0x198b0c0, 0x19abdd3),
INFO: Loaded 1 PC tables (134419 PCs): 134419 [0x19abdd8,0x1bb8f08),
../../oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: crash-php-execute
AddressSanitizer:DEADLYSIGNAL
=================================================================
==244105==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000c4e41c bp 0x7ffea66f3200 sp 0x7ffea66f31e0 T0)
==244105==The signal is caused by a READ memory access.
==244105==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0xc4e41c in zend_gc_delref /src/php-src/Zend/zend_types.h:1179:2
    #1 0xd7b115 in zval_delref_p /src/php-src/Zend/zend_types.h:1215:9
    #2 0xc510ce in zval_ptr_dtor_nogc /src/php-src/Zend/zend_variables.h:34:35
    #3 0xd3660f in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER /src/php-src/Zend/zend_vm_execute.h:3117:6
    #4 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
    #5 0xc56d46 in zend_execute /src/php-src/Zend/zend_vm_execute.h:59026:2
    #6 0xf23362 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:261:5
    #7 0xf2276b in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-execute.c:69:2
    #8 0x480d11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
    #9 0x46c482 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #10 0x4724ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
    #11 0x499ee2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #12 0x7f45765290b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x446968 in _start (/home/gtt/workspace/oss-fuzz/build/libfuzzer/build/out-libfuzer/php/php-fuzz-execute+0x446968)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_types.h:1179:2 in zend_gc_delref
==244105==ABORTING



gtt@01:~/out/size-ft/build/out/php$ gdb php-fuzz-execute
GNU gdb (Ubuntu 9.1-0ubuntu1) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php-fuzz-execute...
(gdb) set args crash-d0e0d2a9d2a89a725fbc834b1c29b2613c90dea1
(gdb) r
Starting program: /home/gtt/out/size-ft/build/out/php/php-fuzz-execute crash-d0e0d2a9d2a89a725fbc834b1c29b2613c90dea1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3474530142
INFO: Loaded 1 modules   (134428 inline 8-bit counters): 134428 [0x1b97f00, 0x1bb8c1c),
INFO: Loaded 1 PC tables (134428 PCs): 134428 [0x1bb8c20,0x1dc5de0),
[New Thread 0x7ffff30f9700 (LWP 1962476)]
/home/gtt/out/size-ft/build/out/php/php-fuzz-execute: Running 1 inputs 1 time(s) each.
Running: crash-d0e0d2a9d2a89a725fbc834b1c29b2613c90dea1

Thread 1 "php-fuzz-execut" received signal SIGSEGV, Segmentation fault.
0x0000000000bf546c in zend_gc_delref () at Zend/zend_types.h:1179
1179	Zend/zend_types.h: No such file or directory.
(gdb) bt
#0  0x0000000000bf546c in zend_gc_delref () at Zend/zend_types.h:1179
#1  0x0000000000d22166 in zval_delref_p () at Zend/zend_types.h:1215
#2  0x0000000000bf811f in zval_ptr_dtor_nogc () at Zend/zend_variables.h:34
#3  0x0000000000cdd660 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER () at Zend/zend_vm_execute.h:3117
#4  0x0000000000ec992a in fuzzer_execute_ex () at sapi/fuzzer/fuzzer-execute.c:40
#5  0x0000000000bfdd97 in zend_execute () at Zend/zend_vm_execute.h:59026
#6  0x0000000000eca3b3 in fuzzer_do_request_from_buffer () at sapi/fuzzer/fuzzer-sapi.c:261
#7  0x0000000000ec97bc in LLVMFuzzerTestOneInput () at sapi/fuzzer/fuzzer-execute.c:69
#8  0x0000000000fb9a77 in ExecuteCallback () at /src/glibfuzzer/FuzzerLoop.cpp:605
#9  0x0000000000f62e20 in RunOneTest () at /src/glibfuzzer/FuzzerDriver.cpp:323
#10 0x0000000000f70f64 in FuzzerDriver () at /src/glibfuzzer/FuzzerDriver.cpp:856
#11 0x0000000000f62498 in main () at /src/glibfuzzer/FuzzerMain.cpp:20
(gdb) fname 4
Undefined command: "fname".  Try "help".
(gdb) frame 4
#4  0x0000000000ec992a in fuzzer_execute_ex () at sapi/fuzzer/fuzzer-execute.c:40
40	sapi/fuzzer/fuzzer-execute.c: No such file or directory.
(gdb) q
A debugging session is active.


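The runs above are the manual version of a triage loop: execute each libFuzzer artifact once, read the sanitizer summary, and decide whether it is a new finding or a duplicate of one already seen (nikic's later comments do exactly that by hand, matching artifacts to commits). The script below is an added example, not code from the bug report or from php-src. It assumes a POSIX sh with awk, a libFuzzer+ASan binary such as php-fuzz-execute that runs a file argument once, and that in-project frames live under /src/php-src as in the reports above; the embedded sample reports are constructed, abbreviated from the shape of the output shown in this report.

```shell
#!/bin/sh
# Crash/leak triage helper for libFuzzer + ASan targets such as php-fuzz-execute.
# Added example, not part of the bug report or of php-src. It assumes only a
# POSIX sh, awk, and a libFuzzer binary that accepts input files as arguments.

# classify_asan_log: read one sanitizer report on stdin and print
#   <kind>|<first in-project frame>
# kind comes from the "SUMMARY: AddressSanitizer:" line (heap-use-after-free,
# SEGV, ...); LeakSanitizer summaries start with a byte count, so they map to
# "memory-leak". The frame is the first stack entry located under /src/php-src,
# skipping the allocator plumbing in zend_alloc.c so that leaks bucket by the
# engine code that allocated, not by _emalloc. A report with no SUMMARY line
# classifies as "clean".
classify_asan_log() {
    awk '
        /SUMMARY: AddressSanitizer:/ {
            kind = ($3 ~ /^[0-9]+$/) ? "memory-leak" : $3
        }
        frame == "" && /^ *#[0-9]+ 0x[0-9a-f]+ in / {
            if ($5 ~ /php-src/ && $5 !~ /zend_alloc\.c/) {
                loc = $5
                sub(/.*\//, "", loc)        # keep file:line:col only
                frame = $4 " " loc
            }
        }
        END {
            if (kind == "") kind = "clean"
            print kind "|" frame
        }
    '
}

# triage_dir FUZZER_BINARY DIR: run every file in DIR once through the fuzzer
# and print "<kind>|<frame><TAB><file>", sorted so duplicates group together.
triage_dir() {
    bin=$1
    dir=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # libFuzzer runs a file argument exactly once; detect_leaks=1 keeps
        # LeakSanitizer on even in builds where it defaults to off.
        key=$(ASAN_OPTIONS=detect_leaks=1 "$bin" "$f" 2>&1 | classify_asan_log)
        printf '%s\t%s\n' "$key" "${f##*/}"
    done | sort
}

# Constructed sample reports, abbreviated from the shape of the ASan/LSan
# output in this bug report, so the classifier can be exercised offline.
sample_uaf_report() {
    cat <<'EOF'
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000015e28 at pc 0x000000c8c52c
READ of size 4 at 0x612000015e28 thread T0
    #0 0xc8c52b in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER /src/php-src/Zend/zend_vm_execute.h:22878:3
    #1 0xf228d9 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute.c:40:14
SUMMARY: AddressSanitizer: heap-use-after-free /src/php-src/Zend/zend_vm_execute.h:22878:3 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER
EOF
}

sample_leak_report() {
    cat <<'EOF'
==2==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x545c0d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb60a49 in __zend_malloc /src/php-src/Zend/zend_alloc.c:3043:14
    #4 0xb6016f in _emalloc /src/php-src/Zend/zend_alloc.c:2538:10
    #5 0xc1c03c in _zend_new_array /src/php-src/Zend/zend_hash.c:279:18
SUMMARY: AddressSanitizer: 320 byte(s) leaked in 2 allocation(s).
EOF
}

# Stand-alone use: ./triage.sh php-fuzz-execute poc-dir
# With no arguments, classify the constructed samples instead.
if [ "$#" -eq 2 ]; then
    triage_dir "$1" "$2"
else
    sample_uaf_report | classify_asan_log
    sample_leak_report | classify_asan_log
fi
```

Bucketing by the first in-project frame rather than by the whole stack is deliberate: every report in this bug passes through fuzzer_execute_ex and zend_execute, and every leak through the same _emalloc chain, so those frames carry no information for deduplication. The key does not replace a reduction; two different inputs that hit the same frame can still be different bugs, which is why nikic reduced each artifact to a few lines of PHP before matching it to a commit.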
Patches

no-patches (last revision 2021-06-22 11:09 UTC by gutaotao1995 at qq dot com)

History

 [2021-06-22 11:09 UTC] gutaotao1995 at qq dot com
The following patch has been added/updated:

Patch Name: no-patches
Revision:   1624360190
URL:        https://bugs.php.net/patch-display.php?bug=81190&patch=no-patches&revision=1624360190
 [2021-06-22 11:14 UTC] gutaotao1995 at qq dot com
These problems were found through fuzzing; please tell me where to upload the POC.
 [2021-06-22 14:43 UTC] cmb@php.net
> […] please tell me where to upload the POC.

Anywhere on the web, where it is publicly available.  Maybe
gist.github.com or pastebin.com.
 [2021-06-22 15:35 UTC] gutaotao1995 at qq dot com
Hello,
This is the POC:
git repo: https://github.com/gtt1995/poc
 [2021-06-23 11:10 UTC] gutaotao1995 at qq dot com
Hello,
What is the result of the processing?
 [2021-07-01 11:43 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-07-01 11:43 UTC] nikic@php.net
Looks like the repo is no longer available.
 [2021-07-01 12:01 UTC] gutaotao1995 at qq dot com
Hello,
No one had replied to me for a few days.
Since the vulnerability had not been disclosed, I set the repo to private access for safety reasons.

I have now made it accessible to everyone again.
Thanks for your reply.
 [2021-07-01 13:18 UTC] nikic@php.net
-Status: Feedback +Status: Open
 [2021-07-01 13:18 UTC] nikic@php.net
leak-d8ad2e3ddc6bd2dc1b8b90d888839a14c4fc3e0d
leak-9cce506f49cdcb36e163eec33660d04c4584b62c
leak-6ffa0db8b44422f944c7cef615626d8700f03aba
leak-54763f12cb80a6568ee17f2b20a51aa539d4081f
leak-267580dd60d6d8d048a8e40eaa74d897efabd313
leak-2-php-execute
leak-1-php-execute

Fixed by https://github.com/php/php-src/commit/540fed1b3654339fc4683ed128f7a1c351e34c4f just before I started looking at this bug, based on the report from https://oss-fuzz.com/testcase-detail/5794742387474432.

crash-15b5113dd0db60acc6b367b812c883f0e31c6258

Doesn't reproduce.

leak-6b6a01c65b09e6170fa2c931a69bbd10b72dfa2d

Reduction:

<?php
$obj = new stdClass;
foreach ([0] as &$obj->prop) {}

leak-570847a2eeae3e477d2ba8253adb1ca3f78feb26

Reduction:

<?php
null?->{[$x]};

crash-php-execute

Reduction:

<?php
set_error_handler(function(A $r){});
strlen($undef);

crash-eb98564ea8b9e5328defbc17269cfc2c6874d304 

Reduction:

<?php
$o = new stdClass;
$o->p =& $o; 
$o - $o->p="";
 [2021-07-01 13:54 UTC] nikic@php.net
leak-6b6a01c65b09e6170fa2c931a69bbd10b72dfa2d is fixed by https://github.com/php/php-src/commit/36f5d719f5ae005fe9ff47160a02cb57a189bc37.
 [2021-07-01 13:55 UTC] gutaotao1995 at qq dot com
Thanks for your work!
Hello, some of the leak vulnerabilities have been fixed, but they are indeed triggered on the latest build of oss-fuzz.
Regarding the other crashes, such as the heap UAF, and the other leak vulnerabilities: have they been successfully reproduced?
In your comment, what does the final "reduction" mean? Please explain it to me: does it mean it is impossible to reproduce, or that it has been confirmed as a vulnerability?
 [2021-07-01 13:56 UTC] gutaotao1995 at qq dot com
Thank you again for your work, your efficiency is so high!
Can I assign a CVE number to the POC I reported?
 [2021-07-01 14:07 UTC] gutaotao1995 at qq dot com
Thank you very much for your contribution to PHP .
 [2021-07-01 14:46 UTC] nikic@php.net
crash-php-execute is fixed by https://github.com/php/php-src/commit/353f963bba4f9abcba7d4609e56d0cf2e8af8dfc.

leak-570847a2eeae3e477d2ba8253adb1ca3f78feb26 is a tricky issue for which I don't have an immediate fix. Filed https://bugs.php.net/bug.php?id=81216 to track it for now, with some additional information.

@gutaotao1995 at qq dot com: The reductions are just simplified versions of the original inputs. Regarding CVEs, the PHP project only classifies issues that are potentially remotely exploitable as security issues, see https://wiki.php.net/security for the policy.
 [2021-07-01 14:59 UTC] gutaotao1995 at qq dot com
Thanks for your answer.
After your assessment, are these issues of mine security issues? Does none of them qualify?
 [2021-07-02 08:26 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2021-07-02 08:26 UTC] nikic@php.net
Looks like crash-eb98564ea8b9e5328defbc17269cfc2c6874d304 is a duplicate of bug #80173, which is now fixed as well. With that all issues here are fixed, apart from bug #81216, which is tracked separately.

@gutaotao1995 at qq dot com: I don't see any way to remote exploit any of these issues, because they require specific malicious code on the server side (rather than, say, specific inputs to otherwise harmless code). As such, we don't track these as security issues.
 [2021-07-02 08:36 UTC] gutaotao1995 at qq dot com
Thanks a lot.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Aug 02 10:01:24 2021 UTC