Bug #81619 Read segmentation fault in zend_hash.c:54:7
Submitted: 2021-11-12 21:39 UTC Modified: 2024-07-28 04:22 UTC
From: swirsz at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: master-Git-2021-11-12 (Git) OS: Ubuntu 20.04
Private report: No CVE-ID: None
 [2021-11-12 21:39 UTC] swirsz at gmail dot com
Description:
------------
Running OSS-FUZZ locally on the master branch from GitHub. Compiled with AddressSanitizer; reproducible by executing php-fuzz-tracing-jit with the test script.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING

Test script:
---------------
https://www.wirsz.com/script/crash-260.txt

Expected result:
----------------
n/a

Actual result:
--------------
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #5 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #6 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #11 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7f69932480b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x6023bd in _start (/home/sw/oss-fuzz-master/build/out/php/php-fuzz-function-jit+0x6023bd)
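
Triage tooling for a sanitizer report like the one above, as an added example (this is not code from the bug report, from OSS-Fuzz or from php-src). It parses the ERROR line, the access type, the hint and the stack frames, builds a deduplication key from the first frames inside the project tree (skipping the fuzzer harness under sapi/fuzzer and the libFuzzer frames, the way crash-bucketing in a fuzzing pipeline usually does), and assigns a coarse label. The sample input is the trace from this report with the libc and libFuzzer tail trimmed; the project root, the harness path and the label rules are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the ASan output quoted in this bug report, with the
# frames below #8 dropped. Nothing here is produced by running php-fuzz-*.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #5 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #6 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING
"""

# ERROR line: kind, optional faulting address (absent for "unknown address"), pc.
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+)"
    r"(?: on (?:unknown address|address (?P<addr>0x[0-9a-f]+)))?"
    r".*?\bpc (?P<pc>0x[0-9a-f]+)"
)
# SEGV reports say "The signal is caused by a READ memory access";
# bounds/use-after-free reports say "READ of size N at ...".
SIGNAL_ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<op>READ|WRITE) memory access")
SIZED_ACCESS_RE = re.compile(r"^==\d+==(?P<op>READ|WRITE) of size (?P<size>\d+)")
HINT_RE = re.compile(r"^==\d+==Hint: (?P<hint>.*)$")
# Function names may contain spaces (C++ signatures); the location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (?P<kind>\S+) (?P<loc>\S+) in (?P<func>\S+)")


@dataclass
class Frame:
    index: int
    func: str
    loc: str


@dataclass
class Crash:
    kind: str = "unknown"
    address: Optional[str] = None
    pc: Optional[str] = None
    op: Optional[str] = None
    size: Optional[int] = None
    hint: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    summary_loc: Optional[str] = None


def parse_asan_report(text: str) -> Crash:
    """Extract the fields a crash queue keys on from a raw ASan report."""
    crash = Crash()
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            crash.kind, crash.address, crash.pc = m["kind"], m["addr"], m["pc"]
        elif (m := SIGNAL_ACCESS_RE.match(line)) or (m := SIZED_ACCESS_RE.match(line)):
            crash.op = m["op"]
            crash.size = int(m["size"]) if "size" in m.groupdict() and m["size"] else None
        elif (m := HINT_RE.match(line)):
            crash.hint = m["hint"]
        elif (m := FRAME_RE.match(line)):
            crash.frames.append(Frame(int(m["n"]), m["func"], m["loc"]))
        elif (m := SUMMARY_RE.match(line)):
            crash.summary_loc = m["loc"]
    return crash


def crash_signature(crash: Crash, project_root: str = "/src/php-src/",
                    harness_marker: str = "/sapi/fuzzer/", depth: int = 3) -> str:
    """Dedup key: crash kind plus the first `depth` frames inside the project tree.
    Harness and libFuzzer frames are skipped so two inputs that reach the same
    faulting code by the same path fall into one bucket. (Assumed paths.)"""
    in_project = [f.func for f in crash.frames
                  if f.loc.startswith(project_root) and harness_marker not in f.loc]
    return crash.kind + ":" + ">".join(in_project[:depth])


def classify(crash: Crash) -> str:
    """Coarse first-pass label (the rules are this example's assumption, not a
    php-src policy). ASan's hint distinguishes a zero-page (null) dereference
    from a dereference of a high, uninitialized-looking pointer value."""
    op = (crash.op or "unknown").lower()
    if crash.kind == "SEGV":
        hint = crash.hint or ""
        if "zero page" in hint:
            return f"null-deref-{op}"
        if "high value address" in hint:
            return f"wild-pointer-{op}"
        return f"segv-{op}"
    return f"{crash.kind}-{op}"


def triage(text: str) -> dict:
    """One-call summary suitable for a queue entry."""
    crash = parse_asan_report(text)
    return {
        "signature": crash_signature(crash),
        "label": classify(crash),
        "pc": crash.pc,
        "summary_loc": crash.summary_loc,
        "top_frame": crash.frames[0].func if crash.frames else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:12} {value}")
```

Bucketing on in-project frames rather than on the pc is what makes the key stable across rebuilds: the `0xebeee3` address changes whenever the binary is relinked, but `SEGV:_zend_is_inconsistent>_zend_hash_add_or_update_i>zend_hash_update` does not, so repeated fuzzer findings of this crash collapse into one report instead of one per input.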


History

 [2021-11-12 22:12 UTC] stas@php.net
-Type: Security +Type: Bug -Package: Unknown/Other Function +Package: Scripting Engine problem
 [2024-07-19 21:24 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2024-07-19 21:24 UTC] cmb@php.net
Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>
 [2024-07-28 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Sat Oct 12 00:01:40 2024 UTC