View Issue Details

ID: 0001091
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2021-04-14 16:10
Reporter: hakon
Assigned To: derick
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
OS: Linux
Product Version: 2.2.6
Summary: 0001091: Memory corruption when throwing a message that overrides the 'message' property
Description

If a class extending Exception declares a $message property, throwing it causes use-after-free issues leading to memory corruption and random segfaults.

Steps To Reproduce

$ php --version
PHP 5.6.3 (cli) (built: Nov 25 2014 21:45:05)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
with Xdebug v2.2.6, Copyright (c) 2002-2014, by Derick Rethans

$ cat test_message.php
<?php

class Foo extends \Exception {
    public $message;
}

try {
    throw new Foo();
} catch (Exception $foo) {
}

$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php test_message.php

==10603== Memcheck, a memory error detector
==10603== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10603== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==10603== Command: sapi/cli/php test_message.php
==10603==
==10603== Invalid read of size 4
==10603== at 0x71580E: zval_delref_p (zend.h:411)
==10603== by 0x71580E: i_zval_ptr_dtor (zend_execute.h:76)
==10603== by 0x71580E: _zval_ptr_dtor (zend_execute_API.c:427)
==10603== by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10603== by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10603== by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10603== by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10603== by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10603== by 0x72BC77: zend_deactivate (zend.c:963)
==10603== by 0x69EB81: php_request_shutdown (main.c:1884)
==10603== by 0x84BE73: do_cli (php_cli.c:1177)
==10603== by 0x84C567: main (php_cli.c:1378)
==10603== Address 0x113f8850 is 16 bytes inside a block of size 32 free'd
==10603== at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10603== by 0x6F4B02: _efree (zend_alloc.c:2437)
==10603== by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10603== by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10603== by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10603== by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10603== by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10603== by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10603== by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10603== by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10603== by 0x715862: _zval_dtor (zend_variables.h:35)
==10603== by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10603== by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10603== by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10603== by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10603== by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
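The Memcheck output above is the kind of log a practitioner wants to triage automatically when checking an extension build for this class of use-after-free. The following Python is an added example (not code from the report or from Xdebug): it splits a Memcheck log into error blocks, flags each error whose address lies inside a free'd block, and pairs the accessing frame with the first non-allocator frame of the freeing stack. SAMPLE_LOG is a constructed, shortened excerpt in the shape of the log above, and the allocator names in ALLOCATOR are an assumption about PHP's Zend allocator.

```python
"""Memcheck use-after-free triage: added example, not code from the Xdebug bug report."""
import re

PREFIX = re.compile(r"^==\d+==\s?")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
FREED = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors")
ALLOCATOR = {"free", "_efree"}  # assumed allocator frames, skipped when naming the freeing site

# Constructed excerpt in the shape of the report's Memcheck output (stacks shortened).
SAMPLE_LOG = """\
==10603== Invalid read of size 4
==10603==    at 0x71580E: zval_delref_p (zend.h:411)
==10603==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10603==  Address 0x113f8850 is 16 bytes inside a block of size 32 free'd
==10603==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10603==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10603==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10603==
==10603== Invalid write of size 4
==10603==    at 0x715818: zval_delref_p (zend.h:411)
==10603==  Address 0x113f8850 is 16 bytes inside a block of size 32 free'd
==10603==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10603==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10603==
==10603== Conditional jump or move depends on uninitialised value(s)
==10603==    at 0x400000: unrelated_func (unrelated.c:1)
==10603==
==10603== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
"""

def error_blocks(log):
    """Split a Memcheck log into blocks of lines, with the ==PID== prefix removed."""
    text = "\n".join(PREFIX.sub("", line).rstrip() for line in log.splitlines())
    return [b.splitlines() for b in re.split(r"\n\s*\n", text) if b.strip()]

def triage(log):
    """Return (errors, reported_total); a use-after-free error also names who freed the block."""
    errors = []
    for block in error_blocks(log):
        if len(block) < 2 or not FRAME.match(block[1]):
            continue  # banner, heap/leak summary or ERROR SUMMARY line, not an error report
        access, freeing, freed = [], [], None
        for line in block[1:]:
            freed = FREED.search(line) or freed  # frames after this line belong to the free() stack
            frame = FRAME.match(line)
            if frame:
                (freeing if freed else access).append(f"{frame.group(1)} ({frame.group(2)})")
        err = {"kind": block[0], "use_after_free": freed is not None, "accessed_in": access[0]}
        if freed:
            err["offset"], err["block_size"] = int(freed.group(1)), int(freed.group(2))
            err["freed_in"] = next((f for f in freeing if f.split(" ")[0] not in ALLOCATOR), None)
        errors.append(err)
    total = SUMMARY.search(log)
    return errors, int(total.group(1)) if total else None
```

Run against the full attached log, the same function reports which frame freed the zval that destroy_zend_class later touches, which is the pairing a fix would need to reason about.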

Tags: No tags attached.
Attached Files:
valgrind_output.txt (12,736 bytes)
test_message.php (118 bytes)
Operating System: Arch Linux
PHP Version: 5.6.0-5.6.4

Activities

derick (administrator), 2014-11-28 11:33, note ~0002918

Just letting you know that I can reproduce this... no clue about a fix though (yet)!

derick (administrator), 2016-11-29 23:51, note ~0003852

I can reproduce this with PHP 5.5 and 5.6, but not with 7.0 or 7.1.

derick (administrator), 2021-03-17 09:39, note ~0005772

Is this issue still relevant to you?

derick (administrator), 2021-04-14 16:10, note ~0005846

Closing this, as it is missing requested feedback.

Issue History

Date Modified     Username  Field         Change
2014-11-26 21:45  hakon     New Issue
2014-11-26 21:45  hakon     File Added    valgrind_output.txt
2014-11-26 21:47  hakon     File Added    test_message.php
2014-11-28 11:33  derick    Note Added    0002918
2016-07-31 12:36  derick    Category      Usage problems => Usage problems (Crashes)
2016-07-31 12:38  derick    Category      Usage problems (Crashes) => Usage problems (Wrong Results)
2016-11-29 23:51  derick    Note Added    0003852
2016-11-29 23:51  derick    Assigned To   => derick
2016-11-29 23:51  derick    Status        new => confirmed
2020-03-12 16:35  derick    Category      Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38  derick    Category      Variable Display => Uncategorized
2021-03-17 09:39  derick    Status        confirmed => feedback
2021-03-17 09:39  derick    Note Added    0005772
2021-04-14 16:10  derick    Status        feedback => closed
2021-04-14 16:10  derick    Resolution    open => no change required
2021-04-14 16:10  derick    Note Added    0005846