[PHP-BUG] Bug #78182 [NEW]: Segmentation Fault in zend_execute.c:2572

2019-06-19 Thread nguyenmanhdung1710 at gmail dot com
From: nguyenmanhdung1710 at gmail dot com
Operating system: Ubuntu 16.04 x64
PHP version:  7.3.6
Package:  Testing related
Bug Type: Bug
Bug description: Segmentation Fault in zend_execute.c:2572

Description:

Our fuzzer found a crash (a potential false positive) on php version
3.1.6 (commit b1bdae7621) due to a malformed input.

PoC:
https://github.com/strongcourage/PoCs/blob/master/php_v3.1.6_b1bdae7621/PoC

Command: php $POC

Valgrind says:
==25180== Invalid read of size 1
==25180==    at 0x12A5359: zend_object_fetch_property_type_info (zend_execute.c:2572)
==25180==    by 0x12A5359: ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER (zend_vm_execute.h:26956)
==25180==    by 0x12D6428: execute_ex (zend_vm_execute.h:62493)
==25180==    by 0x130F8DB: zend_execute (zend_vm_execute.h:65287)
==25180==    by 0xF374A2: zend_execute_scripts (zend.c:1625)
==25180==    by 0xD08147: php_execute_script (main.c:2650)
==25180==    by 0x131A67C: do_cli (php_cli.c:985)
==25180==    by 0x26F6FC: main (php_cli.c:1375)
==25180==  Address 0x125 is not stack'd, malloc'd or (recently) free'd

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==11961==ERROR: AddressSanitizer: SEGV on unknown address 0x0124 (pc 0x5654a71320f8 bp 0x7ffc1c9e4470 sp 0x7ffc1c9e4460 T0)
==11961==The signal is caused by a READ memory access.
==11961==Hint: address points to the zero page.
    #0 0x5654a71320f7 in zend_object_fetch_property_type_info /home/dungnm/fuzzing/php-7.3.6/Zend/zend_execute.c:2572
    #1 0x5654a7293da3 in ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:26956
    #2 0x5654a741388d in execute_ex /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:62493
    #3 0x5654a742a6f5 in zend_execute /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:65287
    #4 0x5654a6fab1e2 in zend_execute_scripts /home/dungnm/fuzzing/php-7.3.6/Zend/zend.c:1625
    #5 0x5654a6e04ee1 in php_execute_script /home/dungnm/fuzzing/php-7.3.6/main/main.c:2650
    #6 0x5654a7433157 in do_cli /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:985
    #7 0x5654a74358aa in main /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:1375
    #8 0x7f4efe1a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5654a6513369 in _start (/home/dungnm/fuzzing/php-7.3.6/obj-asan/sapi/cli/php+0x341369)

Thanks,
Manh Dung



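The triage the thread performs by hand (two tools, one crash site, a fault address just above NULL) as an added example that is not part of the bug report or of php-src: a Python helper that parses the Valgrind and ASAN reports quoted above, buckets them by their top stack frames the way a fuzzing harness deduplicates crashes, and flags the near-NULL read. The sample input is the page's own output re-joined onto single lines; the 0x1000 zero-page bound and the "crash rather than corruption" reading are triage heuristics assumed here, not anything the thread states.

```python
import re

# Constructed sample input: the two reports quoted in the bug report, re-joined
# onto single lines (the mailing-list copy wrapped them) and cut to the top frames.
VALGRIND_REPORT = """\
==25180== Invalid read of size 1
==25180==    at 0x12A5359: zend_object_fetch_property_type_info (zend_execute.c:2572)
==25180==    by 0x12A5359: ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER (zend_vm_execute.h:26956)
==25180==    by 0x12D6428: execute_ex (zend_vm_execute.h:62493)
==25180==  Address 0x125 is not stack'd, malloc'd or (recently) free'd
"""
ASAN_REPORT = """\
==11961==ERROR: AddressSanitizer: SEGV on unknown address 0x0124 (pc 0x5654a71320f8 bp 0x7ffc1c9e4470 sp 0x7ffc1c9e4460 T0)
==11961==The signal is caused by a READ memory access.
==11961==Hint: address points to the zero page.
    #0 0x5654a71320f7 in zend_object_fetch_property_type_info /home/dungnm/fuzzing/php-7.3.6/Zend/zend_execute.c:2572
    #1 0x5654a7293da3 in ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:26956
    #2 0x5654a741388d in execute_ex /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:62493
"""

# Frame lines: "at/by 0xADDR: func (file:line)" for Valgrind, "#N 0xADDR in func path:line" for ASAN.
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:)]+):(\d+)\)", re.M)
VG_ADDR = re.compile(r"Address 0x([0-9A-Fa-f]+) is")
ASAN_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", re.M)
ASAN_ADDR = re.compile(r"SEGV on unknown address 0x([0-9a-f]+)")
ZERO_PAGE = 0x1000  # assumed heuristic: faults below this are NULL plus a struct offset

def parse_report(text):
    """Return {'tool', 'addr', 'frames'}; frames are (function, basename:line) tuples."""
    if "AddressSanitizer" in text:
        tool, frame_re, addr_re = "asan", ASAN_FRAME, ASAN_ADDR
    else:
        tool, frame_re, addr_re = "valgrind", VG_FRAME, VG_ADDR
    frames = [(fn, f"{path.rsplit('/', 1)[-1]}:{line}") for fn, path, line in frame_re.findall(text)]
    m = addr_re.search(text)
    return {"tool": tool, "addr": int(m.group(1), 16) if m else None, "frames": frames}

def bucket_key(report, depth=3):
    """Stack-hash style dedup key: the top `depth` function names of the trace."""
    return tuple(fn for fn, _ in report["frames"][:depth])

def classify(report):
    """Triage heuristic: a tiny fault address is a NULL pointer dereferenced through a field."""
    addr = report["addr"]
    if addr is None:
        return "unknown: no fault address in report"
    if addr < ZERO_PAGE:
        return f"near-NULL read at NULL+0x{addr:x}: missing pointer check, crash (DoS) rather than corruption"
    return f"wild read at 0x{addr:x}: needs further analysis"
```

Both reports land in the same bucket even though the tools disagree on the fault address by one byte, which is what lets a fuzzing pipeline file them as a single issue.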



Bug #78182 [Com]: Segmentation Fault in zend_execute.c:2572

2019-06-19 Thread dan...@php.net

 ID:                 78182
 Comment by:         dan...@php.net
 Reported by:        nguyenmanhdung1710 at gmail dot com
 Summary:            Segmentation Fault in zend_execute.c:2572
 Status:             Open
 Type:               Bug
 Package:            Testing related
 Operating System:   Ubuntu 16.04 x64
 PHP Version:        7.3.6
 Block user comment: N
 Private report:     N

 New Comment:

"php version 3.1.6"

That version of PHP is 'slightly' out of date. Can you confirm you really meant 
7.3.6?




Bug #78182 [Opn->Ver]: Segmentation Fault in zend_execute.c:2572

2019-06-19 Thread nikic

 ID:                 78182
 Updated by:         ni...@php.net
 Reported by:        nguyenmanhdung1710 at gmail dot com
 Summary:            Segmentation Fault in zend_execute.c:2572
-Status:             Open
+Status:             Verified
 Type:               Bug
 Package:            Testing related
 Operating System:   Ubuntu 16.04 x64
-PHP Version:        7.3.6
+PHP Version:        7.4.0alpha1
 Block user comment: N
 Private report:     N

 New Comment:

Based on the trace this has to be on 7.4 or master. I can confirm the segfault 
on 7.4.




Bug #78182 [Ver]: Segmentation Fault in zend_execute.c:2572

2019-06-19 Thread nikic

 ID:                 78182
 Updated by:         ni...@php.net
 Reported by:        nguyenmanhdung1710 at gmail dot com
 Summary:            Segmentation Fault in zend_execute.c:2572
 Status:             Verified
 Type:               Bug
 Package:            Testing related
 Operating System:   Ubuntu 16.04 x64
 PHP Version:        7.4.0alpha1
 Block user comment: N
 Private report:     N

 New Comment:

Cleaned up repro:

$propName =& $$varName;




Bug #78182 [Ver->Csd]: Segmentation fault during by-reference property assignment

2019-06-19 Thread nikic

 ID:                 78182
 Updated by:         ni...@php.net
 Reported by:        nguyenmanhdung1710 at gmail dot com
 Summary:            Segmentation fault during by-reference property assignment
-Status:             Verified
+Status:             Closed
 Type:               Bug
 Package:            Testing related
 Operating System:   Ubuntu 16.04 x64
 PHP Version:        7.4.0alpha1
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of nikita@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=268b5fec8e42e82dce398b86a4970ad8875978d3
Log: Fixed bug #78182

