Bug #81622 Read segmentation fault in zend_jit_helpers.c:360:20
Submitted: 2021-11-15 02:00 UTC
Modified: -
From: swirsz at gmail dot com
Assigned:
Status: Open
Package: Scripting Engine problem
PHP Version: master-Git-2021-11-15 (Git)
OS: Ubuntu 20.04
Private report: No
CVE-ID: None
 [2021-11-15 02:00 UTC] swirsz at gmail dot com
Description:
------------
Compiled with AddressSanitizer; reproducible by executing php-fuzz-function-jit with the test script.

==100149==ERROR: AddressSanitizer: SEGV on unknown address 0x000188396212 (pc 0x7eff82389697 bp 0x7ffc52ca1c00 sp 0x7ffc52ca1b20 T0)
==100149==The signal is caused by a READ memory access.

SUMMARY: AddressSanitizer: SEGV /php/ext/opcache/jit/zend_jit_helpers.c:360:20 in zend_jit_undefined_op_helper_write
==100149==ABORTING

Test script:
---------------
<?php
set_error_handler(function($_, $m){
    throw new Exception($m);
});
function test() {
    $a = [];
    // $undef is never assigned: the RW dimension fetch reaches
    // zend_jit_undefined_op_helper_write, whose warning the handler turns into an exception
    $res = $a[$undef] += 1;
}
try {
    test();
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}
?>

Actual result:
--------------
#0 0x7fc87a889697 in zend_jit_undefined_op_helper_write /src/php-src/ext/opcache/jit/zend_jit_helpers.c:360:20
#1 0x7fc87a889697 in zend_jit_fetch_dim_rw_helper /src/php-src/ext/opcache/jit/zend_jit_helpers.c:586:9
#2 0x49a88237  (/dev/zero (deleted)+0x8001237)
#3 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
#4 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
#5 0x12d9093 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:42:3
#6 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#7 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#8 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#9 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7fc87c2e30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

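The report reproduces the crash through the php-fuzz-function-jit harness. The script below is an added example (not part of the original report and not php-src's own tooling) that drives the same test script through a normal PHP CLI with OPcache and the function JIT enabled, and checks that the JIT is actually active, since without it the undefined-op path goes through the interpreter and never reaches zend_jit_undefined_op_helper_write. The unsymbolized frame #2 in the trace sits in a mapping shown as /dev/zero (deleted), which is how Linux lists shared anonymous memory: that is OPcache's shared segment holding the JIT-generated code that called the helper. The INI values (buffer size, the PHP environment variable override) are this example's assumptions, not the harness's exact settings.

```shell
#!/bin/sh
# Added example, not part of the original report or of php-src: run the
# reproducer under the PHP CLI with OPcache and the function JIT enabled,
# the configuration the php-fuzz-function-jit harness exercises.
# Assumptions: a php binary built with ext/opcache on PATH (or PHP=/path/to/php);
# the flag values below are ours, not the harness's exact INI.

# INI overrides passed as -d options: enable OPcache for the CLI, reserve a
# JIT buffer, and select the function JIT ("function" is the named alias for
# opcache.jit=1205 in PHP 8).
php_jit_flags() {
    printf '%s' '-d opcache.enable_cli=1 -d opcache.jit_buffer_size=32M -d opcache.jit=function'
}

# Write the test script from the report into the file named by $1.
write_repro() {
    cat > "$1" <<'EOF'
<?php
set_error_handler(function($_, $m){
    throw new Exception($m);
});
function test() {
    $a = [];
    $res = $a[$undef] += 1;   // $undef is undefined: warning -> exception inside the JIT helper
}
try {
    test();
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}
EOF
}

# Print 1 if the JIT is active under these flags, 0 otherwise (also 0 when
# ext/opcache is not loaded), or "skip" when no php binary is available.
jit_on() {
    php=${PHP:-php}
    command -v "$php" >/dev/null 2>&1 || { echo skip; return 0; }
    # shellcheck disable=SC2046 -- word-splitting of the flags is intended
    "$php" $(php_jit_flags) -r \
        'echo function_exists("opcache_get_status") && (opcache_get_status()["jit"]["on"] ?? false) ? 1 : 0;'
}

# Run the reproducer and print php's exit status: 0 means the script finished
# (a fixed build prints "Undefined variable $undef"); 128+signal, i.e. 139 for
# SIGSEGV, means the process crashed as in the report. Prints "skip" without php.
run_repro() {
    php=${PHP:-php}
    command -v "$php" >/dev/null 2>&1 || { echo skip; return 0; }
    tmp=$(mktemp) || return 1
    write_repro "$tmp"
    # shellcheck disable=SC2046
    if "$php" $(php_jit_flags) "$tmp" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    rm -f "$tmp"
    echo "$status"
}

if [ "${1:-}" = run ]; then
    echo "jit on: $(jit_on)"
    echo "exit status: $(run_repro)"
fi
```

Invoke it as `sh repro.sh run`; `jit on: 0` means the build has no usable JIT (no OPcache, or a JIT buffer that could not be allocated) and a clean exit then says nothing about the bug.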
