[2021-12-17 12:53 UTC] 3ntr0py1337 at gmail dot com
Description:
------------
error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Test script:
---------------
--TEST--
Operatoerloadedproperty reWerence
--FILE--
<?php
class C {
private $bar;
function __construct() { $this->ber = str_repeat("1", 2); }
function &__get($x) { return $this->ar; }
function __set($x, $v) { $this->bar = $v= new C;
va; }
}
$x = new C;
var_dump(++$x->foo);
$x = ($x->foo++);
$x = new C;
var_dumphhhhhhhhhhhhhhh
?>
-EXPECT--
int(12)
string(2) "11"
int(13)
Expected result:
----------------
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555556666403 <execute_ex+99>: test rdi,rdi
0x555556666406 <execute_ex+102>: je 0x55555666668b <execute_ex+747>
0x55555666640c <execute_ex+108>: lea rsp,[rsp-0x98]
=> 0x555556666414 <execute_ex+116>: mov QWORD PTR [rsp],rdx
0x555556666418 <execute_ex+120>: mov QWORD PTR [rsp+0x8],rcx
0x55555666641d <execute_ex+125>: mov QWORD PTR [rsp+0x10],rax
0x555556666422 <execute_ex+130>: mov rcx,0x9103
0x555556666429 <execute_ex+137>: call 0x5555566b0628 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefb8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556666414 in execute_ex (ex=0x7ffff50b4c00) at /home/ubuntu/victims/php-src/Zend/zend_vm_execute.h:51997
Simpler reproducer:

<?php
class C {
    private $bar;
    function __construct() { $this->ber = str_repeat("1", 2); }
    function &__get($x) { return $this->ar; }
    function __set($x, $v) { $this->bar = $v = new C; }
}
$x = new C;
?>

As such, this is a duplicate of bug #64196. Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Thank you for your interest in PHP.
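The reproducer recurses without bound: writing the undeclared property `ber` in the constructor invokes `__set()`, which constructs a fresh `C` whose constructor does the same on the new object, so PHP's per-object `__set()` recursion guard never applies and the native stack is exhausted. The following is an added illustration, not code from the bug report or from php-src: it keeps the same magic-method structure but bounds the nesting with a depth counter (the class name `Guarded` and the limit `MAX_DEPTH` are assumptions) so the fault surfaces as a catchable exception instead of a SIGSEGV.

```php
<?php
// Added example: the same __construct/__set cycle as the reproducer,
// with a depth guard so unbounded nesting throws instead of crashing.
class Guarded {
    private static int $depth = 0;
    private const MAX_DEPTH = 100; // assumed bound; pick one that fits the object graph
    private $bar;

    function __construct() {
        // 'ber' is undeclared, so this write is routed to __set() on this object.
        $this->ber = str_repeat("1", 2);
    }

    function &__get($x) { return $this->bar; }

    function __set($x, $v) {
        self::$depth++;
        try {
            if (self::$depth > self::MAX_DEPTH) {
                throw new RuntimeException(
                    "__set() nesting exceeded " . self::MAX_DEPTH . " for property '$x'"
                );
            }
            // Each new Guarded runs its own constructor, which calls __set() again
            // on a *different* object, so the engine's own guard does not stop it.
            $this->bar = $v = new Guarded;
        } finally {
            self::$depth--; // unwinds correctly whether we return or throw
        }
    }
}

try {
    $x = new Guarded;
} catch (RuntimeException $e) {
    echo get_class($e), ": ", $e->getMessage(), "\n";
}
```

Independently of such application-level guards, PHP 8.3 added the `zend.max_allowed_stack_size` INI setting, which lets the engine raise an Error before the native stack runs out rather than segfaulting as shown in the backtrace above.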