SEGV zend_smart_str #18242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
YuanchengJiang opened this issue Apr 4, 2025 · 3 comments
@YuanchengJiang

Description

The following code:

<?php
class Foo {
}
$foo = new Foo();
try {zend_delref($foo);} catch (Exception $e) { echo($e); }
try {zend_delref($foo);} catch (Exception $e) { echo($e); }
try {$cls->__call($HTTP_RAW_POST_DATA,$HTTP_RAW_POST_DATA);} catch (Exception $e) { echo($e); }

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64: runtime error: member access within misaligned address 0x00000000001a for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment
0x00000000001a: note: pointer points here
<memory cannot be printed>
    #0 0x572cd42 in smart_str_append_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64
    #1 0x497ac72 in _build_trace_args /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:506:6
    #2 0x4965e74 in _build_trace_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:578:5
    #3 0x4963de7 in zend_trace_to_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:604:3
    #4 0x4967225 in zim_Exception_getTraceAsString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:634:2
    #5 0x49aaa8f in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1021:4
    #6 0x4969d36 in zim_Exception___toString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:679:3
    #7 0x49aaa8f in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1021:4
    #8 0x49b051e in zend_call_known_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1102:23
    #9 0x497ec24 in zend_call_known_instance_method /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:860:2
    #10 0x497836b in zend_call_known_instance_method_with_0_params /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:866:2
    #11 0x4956847 in zend_exception_error /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:926:3
    #12 0x57c5d8f in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1950:11
    #13 0x3fa5eca in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #14 0x3fa7008 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #15 0x57da79a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #16 0x57d4b7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #17 0x7904e8489d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7904e8489e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

68665d3cb5dcda5b966fc9edd577581be763ee63

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

68665d3

Operating System

No response

@TimWolla
Member

TimWolla commented Apr 4, 2025

zend_delref() was introduced in #18172 and intentionally violates memory safety. It should be excluded from your fuzzer.

@devnexen
Member

devnexen commented Apr 4, 2025

Ah, good to know, I'll try to remember it.

@Girgias
Member

Girgias commented Apr 4, 2025

Going to close this as WON'T FIX considering this function is intentionally buggy.

Girgias closed this as not planned (won't fix) on Apr 4, 2025