Bug #81619 Read segmentation fault in zend_hash.c:54:7
Submitted: 2021-11-12 21:39 UTC
Modified: 2024-07-19 21:24 UTC
From: swirsz at gmail dot com
Assigned: cmb
Status: Feedback
Package: Scripting Engine problem
PHP Version: master-Git-2021-11-12 (Git)
OS: Ubuntu 20.04
Private report: No
CVE-ID: None

 [2021-11-12 21:39 UTC] swirsz at gmail dot com
Description:
------------
Running OSS-FUZZ locally on the master branch of github.  Compiled with address sanitizer, reproducible by executing php-fuzz-tracing-jit with the test script

AddressSanitizer:DEADLYSIGNAL
=================================================================
==327001==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000ebeee3 bp 0x7ffda218bb60 sp 0x7ffda218bb40 T0)
==327001==The signal is caused by a READ memory access.
==327001==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/php-src/Zend/zend_hash.c:54:7 in _zend_is_inconsistent
==327001==ABORTING

Test script:
---------------
https://www.wirsz.com/script/crash-260.txt

Expected result:
----------------
n/a

Actual result:
--------------
    #0 0xebeee3 in _zend_is_inconsistent /src/php-src/Zend/zend_hash.c:54:7
    #1 0xec6b82 in _zend_hash_add_or_update_i /src/php-src/Zend/zend_hash.c:749:2
    #2 0xec6b05 in zend_hash_update /src/php-src/Zend/zend_hash.c:922:9
    #3 0xfc47db in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMPVAR_HANDLER /src/php-src/Zend/zend_vm_execute.h:20118:4
    #4 0x12d9869 in fuzzer_execute_ex /src/php-src/sapi/fuzzer/fuzzer-execute-common.h:53:14
    #5 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #6 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #7 0x12d9005 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:34:2
    #8 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #11 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7f69932480b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x6023bd in _start (/home/sw/oss-fuzz-master/build/out/php/php-fuzz-function-jit+0x6023bd)


History
 [2021-11-12 22:12 UTC] stas@php.net
-Type: Security
+Type: Bug
-Package: Unknown/Other Function
+Package: Scripting Engine problem
 [2024-07-19 21:24 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
 [2024-07-19 21:24 UTC] cmb@php.net
Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>
 
Last updated: Sat Jul 27 03:01:30 2024 UTC