php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81577 Segfault when signal handler raising a fatal error interrupts sleep+negation
Submitted: 2021-10-31 08:42 UTC Modified: 2021-11-11 18:28 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: abecker at mailbox dot org Assigned:
Status: Verified Package: PCNTL related
PHP Version: 8.0.12 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: abecker at mailbox dot org
New email:
PHP Version: OS:

 

 [2021-10-31 08:42 UTC] abecker at mailbox dot org 
Description:
------------
Run the test script on the command line and press Ctrl+C. The program will crash.

A crash will occur if sleep is interrupted by the faulty signal handler and
a negation of any variable with any value follows immediately. Negation of
a constant will not result in a crash.

Test script:
---------------
pcntl_async_signals(true);
pcntl_signal(SIGINT, function() { 0/0; });
sleep(10);
! $anyVariableWithAnyValue;

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-02 09:40 UTC] cmb@php.net
-Package: Reproducible crash +Package: PCNTL related
 [2021-11-04 11:13 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-11-04 11:13 UTC] nikic@php.net 
Confirmed under valgrind:

^C==185861== Conditional jump or move depends on uninitialised value(s)
==185861==    at 0xA256BE: zval_ptr_dtor_nogc (zend_variables.h:34)
==185861==    by 0xA3B359: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2978)
==185861==    by 0xAA6D96: execute_ex (zend_vm_execute.h:54284)
==185861==    by 0xAAC367: zend_execute (zend_vm_execute.h:58523)
==185861==    by 0x9FCCCE: zend_execute_scripts (zend.c:1680)
==185861==    by 0x95E7C2: php_execute_script (main.c:2539)
==185861==    by 0xAED57D: do_cli (php_cli.c:949)
==185861==    by 0xAEE5CA: main (php_cli.c:1337)
==185861==
 [2021-11-04 14:08 UTC] nikic@php.net 
The following pull request has been associated:

Patch Name: Fix bug #81577: Execute interrupt handler on original opline
On GitHub:  https://github.com/php/php-src/pull/7624
Patch:      https://github.com/php/php-src/pull/7624.patch
 [2021-11-11 08:08 UTC] nikic@php.net 
Related To: Bug #81610
 [2021-11-11 18:28 UTC] dmitry@php.net 
The bug is partially fixed in PHP-8.0 and above by the following commits:

https://github.com/php/php-src/commit/fa0b84a06b03a1c2a2bcadd647232a8a4a90aa05
https://github.com/php/php-src/commit/5380b415a243e538240fbbb92bf020a3719ab927
 [2021-11-12 03:05 UTC] tstarling@php.net 
I confirmed that the commits by Dmitry fix the test case I reported at bug #81610. I did still observe an "AddressSanitizer: heap-use-after-free" error during random testing, from debug_backtrace_get_args() due to exception object creation. I haven't isolated it and I don't plan on working on it right now, but I can provide the backtrace if you're interested.
 [2023-01-05 08:11 UTC] EmmaGallagher at jourrapide dot com 
If you're the original bug submitter, here's where you can edit the bug or add additional notes. If this is not your bug, you can add a comment by following this link.

<https://www.dmvnow.me/>github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 22:01:30 2024 UTC