Bug #81636 stack overflow
Submitted: 2021-11-18 14:15 UTC
Modified: 2021-11-18 15:13 UTC
From: shaohua dot li at inf dot ethz dot ch
Assigned: cmb (profile)
Status: Duplicate
Package: Scripting Engine problem
PHP Version: 8.1Git-2021-11-18 (Git)
OS: Ubuntu 20.04.3 LTS
Private report: No
CVE-ID: None
 [2021-11-18 14:15 UTC] shaohua dot li at inf dot ethz dot ch
Description:
------------
Hi there,

I found a stack-overflow in `sapi/cli/php`.

- Compiler : clang13, --enable-address-sanitizer

AddressSanitizer report:

==176610==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0e2cbc48 (pc 0x00000061bce8 bp 0x7ffe0e2cc490 sp 0x7ffe0e2cbc50 T0)
    #0 0x61bce8 in memchr (/php/analysis/debug/asan/clang13-default/sapi/cli/php+0x61bce8)
    #1 0xe2fa33 in zend_memnstr /php/analysis/debug/asan/clang13-default/Zend/zend_operators.h:196:27
    #2 0xe2fa33 in php_str_to_str_ex /php/analysis/debug/asan/clang13-default/ext/standard/string.c:3142:45
    #3 0xe4c6cc in php_str_replace_in_subject /php/analysis/debug/asan/clang13-default/ext/standard/string.c:4397:5
    #4 0xe384be in php_str_replace_common /php/analysis/debug/asan/clang13-default/ext/standard/string.c:4466:11
    #5 0x1349a54 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:1297:2
    #6 0x117c086 in execute_ex /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:54484:7
    #7 0x107e626 in zend_call_function /php/analysis/debug/asan/clang13-default/Zend/zend_execute_API.c:903:3
    #8 0x10818ea in zend_call_method_if_exists /php/analysis/debug/asan/clang13-default/Zend/zend_execute_API.c:1034:9
    #9 0xf94c1f in call_method_if_exists /php/analysis/debug/asan/clang13-default/main/streams/userspace.c:281:9
    #10 0xf94c1f in user_wrapper_stat_url /php/analysis/debug/asan/clang13-default/main/streams/userspace.c:1281:16
    #11 0xd9b4ef in php_stat /php/analysis/debug/asan/clang13-default/ext/standard/filestat.c:820:7
    #12 0xda21f0 in zif_stat /php/analysis/debug/asan/clang13-default/ext/standard/filestat.c:1080:1
    #13 0xb19a4d in phar_stat /php/analysis/debug/asan/clang13-default/ext/phar/func_interceptors.c:973:1
    #14 0x1349a54 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:1297:2

Test script:
---------------
<?php

class StreamWrapper {
    public $context;
    public function url_stat($path, $flags) {
        $pa4h = str_replace('test://', 'file://', $path);
        if (STREAM_URL_STAT_QUIET) {
            return @stat($path);
        } else {
            return stat($path);
        }
    }
}

stream_wrapper_register('test', StreamWrapper::class);
set_include_path('test://foo:test://bar');
try {
    require_once 'doesnt_exist.php';
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}

?>


 [2021-11-18 15:13 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: cmb
 [2021-11-18 15:13 UTC] cmb@php.net
This is infinite recursion, since url_stat() calls stat() which
calls url_stat() and so on.  This is not a security issue, since
that code always exhibits this behavior (and as such would be
malicious); see also our security classification[1].

Other than that, this is a duplicate of bug #64196.

[1] <https://wiki.php.net/security>
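
The recursion described in the comment above happens because the test script's url_stat() passes the unchanged test:// path back to stat(). As an added example (not code from the report or from php-src), here is a wrapper that stats the rewritten path, tests the quiet bit in $flags, and refuses re-entry; the scheme name `guarded` and the class name are assumptions made for this example.

```php
<?php
// Added example: a url_stat() that stats the rewritten path and refuses to re-enter itself.
final class GuardedStatWrapper
{
    public const SCHEME = 'guarded';   // hypothetical scheme name for this example
    public $context;
    private static int $depth = 0;     // url_stat() calls currently on the stack

    public function url_stat(string $path, int $flags): array|false
    {
        $prefix = self::SCHEME . '://';
        if (!str_starts_with($path, $prefix)) {
            return false;
        }
        // Use the rewritten value, not $path, so stat() reaches the plain filesystem.
        $target = substr($path, strlen($prefix));
        // A target that still names a scheme could route back into a stream wrapper.
        if ($target === '' || str_contains($target, '://')) {
            return false;
        }
        // Belt and braces: fail the lookup if we are already inside url_stat().
        if (self::$depth > 0) {
            return false;
        }
        self::$depth++;
        try {
            // Test the bit in $flags; the bare constant is always truthy.
            return ($flags & STREAM_URL_STAT_QUIET) ? @stat($target) : stat($target);
        } finally {
            self::$depth--;
        }
    }
}

stream_wrapper_register(GuardedStatWrapper::SCHEME, GuardedStatWrapper::class);

// Constructed sample input: one file that exists and one path that does not.
$real = tempnam(sys_get_temp_dir(), 'gsw');
var_dump(file_exists(GuardedStatWrapper::SCHEME . '://' . $real));
var_dump(file_exists(GuardedStatWrapper::SCHEME . '://' . $real . '.missing'));
unlink($real);
```

A failed lookup returns false to the caller instead of exhausting the C stack, so an include_path entry that points at this wrapper ends in the normal "file not found" path.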
 
Last updated: Fri Dec 02 06:05:52 2022 UTC