php / php-src

The PHP Interpreter
https://www.php.net

Segmentation fault (stack overflow) in Zend #15869

Open YuanchengJiang opened 1 month ago

YuanchengJiang commented 1 month ago

Description

The following code:

<?php
function test($vars) {
}
function foo() {
    foreach ($array as $value) {
        try {
            try {
                foreach ($array as $_) {
                }
            } finally {
                throw new Exception;
            }
        } catch (Exception $e) { }
    }
}
// $fusion is never assigned, so the condition is (null < 550) and always true:
// the loop keeps wrapping $array in another array until memory_limit is hit.
// Freeing the resulting deeply nested array is what recurses in the engine.
for ($i=0; $fusion < 550; $i++) {
    $array = array($array);
}

Resulted in this output:

Segmentation fault (core dumped)

This seems to crash very old PHP too, like PHP 5.5.

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

iluuu1994 commented 1 month ago

I cannot reproduce this on PHP-8.2 or master. @YuanchengJiang Did you only test this on 5.5? If so, we no longer support that. See https://www.php.net/supported-versions.php.

iluuu1994 commented 1 month ago

Ah, nevermind. I can see it now. If the memory_limit is higher, this can trigger a stack-overflow when freeing the memory.

Fatal error: Allowed memory size of 134217728 bytes exhausted at file:0 (tried to allocate 224 bytes) in /home/ilutov/Developer/php-src/test.php on line 17
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2207238==ERROR: AddressSanitizer: stack-overflow on address 0x7fff20c31ff8 (pc 0x0000012e7936 bp 0x7fff20c32030 sp 0x7fff20c31ff0 T0)
    #0 0x12e7936 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1747
    #1 0x1268336 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #2 0x12cc9b1 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #3 0x12e7ec2 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1769
    #4 0x1268336 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #5 0x12cc9b1 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #6 0x12e7ec2 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1769
    #7 0x1268336 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #8 0x12cc9b1 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #9 0x12e7ec2 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1769
    #10 0x1268336 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #11 0x12cc9b1 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #12 0x12e7ec2 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1769
    #13 0x1268336 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #14 0x12cc9b1 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #15 0x12e7ec2 in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1769

I'm not sure this is worth fixing. It realistically only occurs in maliciously crafted data. /cc @arnaud-lb

arnaud-lb commented 1 month ago

It would be useful to fix this (it can happen with real code due to bugs - at least it happened to me during development), but I'm not sure we have a good way to do it. The same problem exists with nested objects.
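The trace above shows why the nesting depth of the array turns into C stack depth: `zend_array_destroy` frees each element, and an element that is itself an array re-enters `zend_array_destroy`. The following is an added illustration, not php-src code, of that recursive pattern on a toy refcounted array type, beside the usual mitigation: an explicit heap-allocated worklist, so that depth costs heap rather than stack. The `arr` type, the `build_chain` helper (which models `$array = array($array)` repeated `depth` times) and the chosen depth are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a refcounted array whose elements may themselves be arrays.
 * Illustrative only; this is not zend_array. A NULL element models a scalar
 * that needs no recursive free. */
typedef struct arr arr;
struct arr {
    unsigned refcount;
    size_t n;
    arr **elems;
};

static size_t g_freed; /* number of arrays actually freed, for checking */

static arr *arr_new(size_t n) {
    arr *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->refcount = 1;
    a->n = n;
    a->elems = n ? calloc(n, sizeof *a->elems) : NULL;
    if (n && !a->elems) abort();
    return a;
}

/* Recursive destroy, mirroring zend_array_destroy -> zval_ptr_dtor ->
 * zend_array_destroy: one C frame per nesting level, so a sufficiently deep
 * input overflows the stack. Only call it on shallow data. */
void arr_destroy_recursive(arr *a) {
    if (--a->refcount) return;
    for (size_t i = 0; i < a->n; i++)
        if (a->elems[i]) arr_destroy_recursive(a->elems[i]);
    free(a->elems);
    free(a);
    g_freed++;
}

/* Iterative destroy with the same refcount semantics: a child is pushed once
 * per reference its dying parent held and decremented when popped. Pending
 * children live on a heap worklist, so depth no longer touches the C stack.
 * Returns 0 on success, -1 if the worklist could not grow. */
int arr_destroy_iterative(arr *a) {
    size_t cap = 64, len = 0;
    arr **work = malloc(cap * sizeof *work);
    if (!work) return -1;
    work[len++] = a;
    while (len) {
        arr *cur = work[--len];
        if (--cur->refcount) continue;
        for (size_t i = 0; i < cur->n; i++) {
            if (!cur->elems[i]) continue;
            if (len == cap) {
                arr **bigger = realloc(work, cap * 2 * sizeof *work);
                if (!bigger) { free(work); return -1; }
                work = bigger;
                cap *= 2;
            }
            work[len++] = cur->elems[i];
        }
        free(cur->elems);
        free(cur);
        g_freed++;
    }
    free(work);
    return 0;
}

/* Build the shape from the issue: $array = array($array), `depth` times. */
arr *build_chain(size_t depth) {
    arr *inner = arr_new(0);
    for (size_t d = 0; d < depth; d++) {
        arr *outer = arr_new(1);
        outer->elems[0] = inner;
        inner = outer;
    }
    return inner;
}

size_t free_chain_recursively(size_t depth) {
    g_freed = 0;
    arr_destroy_recursive(build_chain(depth));
    return g_freed;
}

size_t free_chain_iteratively(size_t depth) {
    g_freed = 0;
    if (arr_destroy_iterative(build_chain(depth)) != 0) return 0;
    return g_freed;
}

/* Two parents sharing one child (refcount 2): the child must be freed exactly
 * once, after the second parent releases it. */
size_t free_shared_child(void) {
    g_freed = 0;
    arr *child = arr_new(0);
    arr *p1 = arr_new(1), *p2 = arr_new(1);
    p1->elems[0] = child;
    p2->elems[0] = child;
    child->refcount = 2;
    arr_destroy_iterative(p1);
    arr_destroy_iterative(p2);
    return g_freed;
}

int main(void) {
    /* 300000 levels: far more than the recursive variant survives on a default
     * 8 MiB stack, so only the iterative variant is used at this depth. */
    printf("freed %zu arrays iteratively\n", free_chain_iteratively(300000));
    return 0;
}
```

One caveat that matters for the "nested objects" case arnaud-lb mentions: the worklist frees a parent before its children, whereas recursion frees children first. For arrays that order is invisible, but for objects with user-visible destructors (PHP's `__destruct`) it changes observable behaviour, which is part of why an engine cannot simply swap one for the other.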