Bug #81700 Memory Corruption vulnerability on zen_vm_execute
Submitted: 2021-12-17 12:53 UTC Modified: 2021-12-17 18:41 UTC
From: 3ntr0py1337 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2021-12-17 (Git) OS: Ubuntu 20.04.3 LTS
Private report: No CVE-ID: None
 [2021-12-17 12:53 UTC] 3ntr0py1337 at gmail dot com
error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.

Test script:
Overloaded property reference

<?php
class C {
    private $bar;
    function __construct() { $this->ber = str_repeat("1", 2); }
    function &__get($x) { return $this->ar; }
    function __set($x, $v) { $this->bar = $v = new C; }
}
$x = new C;
$x = ($x->foo++);
$x = new C;
string(2) "11"

Expected result:
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
   0x555556666403 <execute_ex+99>:	test   rdi,rdi
   0x555556666406 <execute_ex+102>:	je     0x55555666668b <execute_ex+747>
   0x55555666640c <execute_ex+108>:	lea    rsp,[rsp-0x98]
=> 0x555556666414 <execute_ex+116>:	mov    QWORD PTR [rsp],rdx
   0x555556666418 <execute_ex+120>:	mov    QWORD PTR [rsp+0x8],rcx
   0x55555666641d <execute_ex+125>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556666422 <execute_ex+130>:	mov    rcx,0x9103
   0x555556666429 <execute_ex+137>:	call   0x5555566b0628 <__afl_maybe_log>
Invalid $SP address: 0x7fffff7fefb8
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556666414 in execute_ex (ex=0x7ffff50b4c00) at /home/ubuntu/victims/php-src/Zend/zend_vm_execute.h:51997


 [2021-12-17 18:09 UTC]
-Type: Security +Type: Bug
 [2021-12-17 18:41 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-12-17 18:41 UTC]
Simpler reproducer:

<?php
class C {
    private $bar;
    function __construct() { $this->ber = str_repeat("1", 2); }
    function &__get($x) { return $this->ar; }
    function __set($x, $v) { $this->bar = $v = new C; }
}
$x = new C;

As such, this is a duplicate of bug #64196.

Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same.

Thank you for your interest in PHP.
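The reproducers above crash because the constructor writes to an undeclared property, which routes to __set(), and __set() constructs another C, whose constructor calls __set() again, without bound. The following script is an added illustration, not code from the bug report or from php-src: it keeps the same __construct -> __set -> new C cycle but adds a depth counter (the MAX_DEPTH constant, the static counter and the RuntimeException are assumptions of this example) so the cycle is reported instead of exhausting the interpreter's C stack. The &__get() method is left out because nothing reads a property before the cycle is entered.

```php
<?php
// Added example: instrumented version of the bug's __construct/__set cycle.
// MAX_DEPTH, $depth and the exception are assumptions of this example.
class C {
    private static int $depth = 0;    // assumed: counts __set() entries across all instances
    private const MAX_DEPTH = 50;     // assumed: abort long before the C stack is exhausted
    private $bar;

    function __construct() {
        // "ber" is not a declared property, so this assignment is dispatched to __set().
        $this->ber = str_repeat("1", 2);
    }

    function __set($x, $v) {
        // Every __set() call constructs a new C, whose constructor calls __set() again:
        // this is the unbounded recursion that ends in a segfault on an unpatched build.
        if (++self::$depth > self::MAX_DEPTH) {
            throw new RuntimeException(
                "recursion depth " . self::$depth . " exceeded in __set('$x')"
            );
        }
        $this->bar = $v = new C;
    }

    static function depth(): int { return self::$depth; }
}

try {
    $x = new C;
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo "constructor/__set round trips before abort: ", C::depth(), "\n";
```

Run with any PHP 7.4 or later interpreter. The script terminates after MAX_DEPTH + 1 round trips with the exception message, whereas the original reproducer has no stopping condition and recurses until the process stack is gone. Later PHP releases added the zend.max_allowed_stack_size setting, which turns this class of runaway recursion into a catchable Error instead of a crash; on builds without it, a guard like the one above is the only thing standing between a magic-method cycle and a SIGSEGV.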
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Dec 08 20:01:28 2023 UTC