php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81619 Read segmentation fault in zend_hash.c:54:7
Submitted: 2021-11-12 21:39 UTC Modified: 2021-11-12 22:12 UTC
From: swirsz at gmail dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: master-Git-2021-11-12 (Git) OS: Ubuntu 20.04
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-11-12 21:39 UTC] swirsz at gmail dot com
Description:
------------
Running OSS-FUZZ locally on the master branch of github.  Compiled with address sanitizer, reproducible by executing php-fuzz-tracing-jit with the test script

AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING

Test script:
---------------
https://www.wirsz.com/script/crash-260.txt

Expected result:
----------------
n/a

Actual result:
--------------
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #5 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #6 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #11 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7f69932480b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x6023bd in _start (/home/sw/oss-fuzz-master/build/out/php/php-fuzz-function-jit+0x6023bd)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue May 17 05:05:45 2022 UTC