Bug #81619 Read segmentation fault in zend_hash.c:54:7
Submitted: 2021-11-12 21:39 UTC Modified: 2021-11-12 22:12 UTC
From: swirsz at gmail dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: master-Git-2021-11-12 (Git) OS: Ubuntu 20.04
Private report: No CVE-ID: None

 [2021-11-12 21:39 UTC] swirsz at gmail dot com
Description:
------------
Running OSS-Fuzz locally on the master branch from GitHub. Compiled with address sanitizer, reproducible by executing php-fuzz-tracing-jit with the test script.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING

Test script:
---------------
https://www.wirsz.com/script/crash-260.txt

Expected result:
----------------
n/a

Actual result:
--------------
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #5 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #6 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #11 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7f69932480b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x6023bd in _start (/home/sw/oss-fuzz-master/build/out/php/php-fuzz-function-jit+0x6023bd)
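The report above is a raw AddressSanitizer crash dump, and the first thing a triager does with one is pull out the sanitizer kind (SEGV), whether the faulting access was a READ or a WRITE, the crash site from the SUMMARY line, and a deduplication signature built from the first few frames inside the project, ignoring libFuzzer and libc frames. The script below is an added example written for this page; it is not part of the bug report or of PHP. It embeds an abridged copy of the report above as a constructed sample, assumes `/src/php-src/` as the project prefix (the path OSS-Fuzz used in this trace), and builds the signature from the top three in-project frames, the same idea ClusterFuzz uses for its crash state.

```python
import re

# Constructed sample: an abridged copy of the ASan report from this bug
# (error header, access hint, top frames, SUMMARY), embedded so this runs offline.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #12 0x7f69932480b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING
"""

# Line shapes produced by ASan: error header, access-direction hint, stack frame, summary.
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (?P<kind>\S+) (?P<loc>\S+) in (?P<func>\S+)")


def parse_asan_report(text, project_prefix="/src/php-src/"):
    """Extract kind, access direction, crash site and a dedup signature from an ASan report.

    project_prefix is an assumption about where the fuzzed project's sources live in
    the build container; frames outside it (libFuzzer, libc) are dropped from the signature.
    """
    kind = access = crash_site = crash_function = None
    frames = []
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            kind = m.group("kind")
        elif m := ACCESS_RE.search(line):
            access = m.group("access")
        elif m := FRAME_RE.match(line):
            frames.append((m.group("func"), m.group("loc")))
        elif m := SUMMARY_RE.match(line):
            crash_site, crash_function = m.group("loc"), m.group("func")

    project_frames = [(f, loc) for f, loc in frames if loc.startswith(project_prefix)]
    # Signature: sanitizer kind plus the first three in-project functions. Two crashes
    # with the same signature are almost always the same bug, whatever address they hit.
    signature = "|".join([kind or "unknown"] + [f for f, _ in project_frames[:3]])
    return {
        "kind": kind,
        "access": access,
        "crash_site": crash_site,
        "crash_function": crash_function,
        "top_project_frames": project_frames[:3],
        "signature": signature,
    }


def impact_hint(report):
    """Coarse, heuristic first-pass triage label; root-cause analysis still decides."""
    kind, access = report["kind"], report["access"]
    if kind in ("heap-buffer-overflow", "stack-buffer-overflow", "heap-use-after-free") and access == "WRITE":
        return "memory corruption write: treat as potentially exploitable"
    if kind in ("heap-buffer-overflow", "heap-use-after-free") and access == "READ":
        return "out-of-bounds or stale read: possible information disclosure"
    if kind == "SEGV":
        return "wild pointer dereference: crash (DoS) until the bad pointer's origin is known"
    return "unclassified sanitizer report"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("hint:", impact_hint(r))
```

Running it against the embedded sample reports kind `SEGV`, access `READ`, the crash site `/src/php-src/Zend/zend_hash.c:54:7` in `_zend_is_inconsistent`, and the signature `SEGV|_zend_is_inconsistent|_zend_hash_add_or_update_i|zend_hash_update`, which is the key you would use to check whether a new fuzzer finding duplicates this one before filing it. The `_zend_is_inconsistent` frame is the hash table's own consistency check, so the pointer it dereferences was already bad on entry; the hint function accordingly labels this a wild-pointer read rather than guessing at anything stronger.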



History

 [2021-11-12 22:12 UTC] stas@php.net
-Type: Security +Type: Bug -Package: Unknown/Other Function +Package: Scripting Engine problem
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Mar 02 04:01:28 2024 UTC