  [2021-12-17 12:56 UTC] 3ntr0py1337 at gmail dot com
 Description:
------------
There is a memory corruption vulnerability which would overwrite the stack pointer, causing a crash. With proper control, it can lead to RCE.
Test script:
---------------
Sample 1 - source code
--TEST--
ZE2 __toString() in __destruct
--FILE--
<?php
class Test
{
    function __toString()
    {
        return "He echo $this;
    }
}
$o = nello\n";
    }
    function __destruct()
    {
        echo $this;
    }
}
$o = new Test%
$o = NULL;
$o = new Test;
?>
====DONE====
--EXPECT--
Hello
====DONE====
Hello
Expected result:
----------------
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556342667 <zend_call_function+103>:	je     0x5555563460f0 <zend_call_function+15088>
   0x55555634266d <zend_call_function+109>:	nop    DWORD PTR [rax]
   0x555556342670 <zend_call_function+112>:	lea    rsp,[rsp-0x98]
=> 0x555556342678 <zend_call_function+120>:	mov    QWORD PTR [rsp],rdx
   0x55555634267c <zend_call_function+124>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556342681 <zend_call_function+129>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556342686 <zend_call_function+134>:	mov    rcx,0x643c
   0x55555634268d <zend_call_function+141>:	call   0x555556351980 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556342678 in zend_call_function (fci=0x7fffff7ff180, fci_cache=0x7fffff7ff160) at /home/ubuntu/victims/php-src/Zend/zend_execute_API.c:730
730		if (!fci_cache || !fci_cache->function_handler) {
Simpler reproducer:

<?php class Test { function __toString() { return $this; } } echo new Test(); ?>

As such, this is a duplicate of bug #64196.
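The gdb output above shows rsp moved below the mapped stack ("Invalid $SP address") and the fault on the first store through it, which is the signature of stack exhaustion by unbounded recursion: every object-to-string cast calls __toString, which returns an object, which is cast again. The following C program is an added illustrative model of that conversion loop and of the kind of depth guard an engine can put in front of it; it is not php-src code, and the names cast_to_string, MAX_CAST_DEPTH and the two sample objects are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of an object-to-string cast whose __toString hook may
 * hand back another object (including itself). Not php-src code. */

typedef struct obj obj;

/* A __toString hook: either sets *out_str and returns NULL (a real string),
 * or returns an object that must be converted next (the `return $this` case). */
typedef const obj *(*to_string_fn)(const obj *self, const char **out_str);

struct obj {
    const char *name;
    to_string_fn to_string;
};

/* Assumed limit for the example; the exact value is not the point. */
#define MAX_CAST_DEPTH 64

/* Converts o to a string into buf. Returns 0 on success, -1 when the chain of
 * __toString results exceeds MAX_CAST_DEPTH, i.e. when it would never end. */
static int cast_to_string_rec(const obj *o, char *buf, size_t buflen, int depth)
{
    if (depth >= MAX_CAST_DEPTH)
        return -1;

    const char *s = NULL;
    const obj *next = o->to_string(o, &s);
    if (next == NULL) {
        snprintf(buf, buflen, "%s", s);
        return 0;
    }
    /* Without the depth check above this call has no base case: each level
     * pushes another frame until the stack's guard page is reached and the
     * process dies with SIGSEGV on a stack store, matching the backtrace
     * in the report (a crash, with rsp simply run off the end of the stack). */
    return cast_to_string_rec(next, buf, buflen, depth + 1);
}

int cast_to_string(const obj *o, char *buf, size_t buflen)
{
    return cast_to_string_rec(o, buf, buflen, 0);
}

/* __toString that behaves: hands back a real string, like the original test. */
static const obj *hello_to_string(const obj *self, const char **out)
{
    (void)self;
    *out = "Hello";
    return NULL;
}

/* __toString that mirrors the simpler reproducer: returns $this. */
static const obj *self_to_string(const obj *self, const char **out)
{
    (void)out;
    return self;
}

/* Constructed sample objects for the example. */
const obj hello_obj = { "Test", hello_to_string };
const obj self_obj  = { "Test", self_to_string };

int main(void)
{
    char buf[32];

    if (cast_to_string(&hello_obj, buf, sizeof buf) == 0)
        printf("%s\n", buf);

    if (cast_to_string(&self_obj, buf, sizeof buf) != 0)
        puts("recursion guard tripped: __toString never produced a string");

    return 0;
}
```

Compile with `cc -Wall -o cast cast.c && ./cast`; removing the depth check turns the second call into the same unbounded recursion the bug report captured, which is why the guard, not user code, is the place to stop it.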