
PHP NullPtr dereference - by misuse of the option "-w" or "-s" #9709

@randomssr

Description

PHP NullPtr dereference - by misuse of the option "-w" or "-s"

When the program input contains the option "-w" or "-s", the program dereferences a null pointer and crashes.

PHP/Zend/zend_exceptions.c, lines 147-152:

static zend_always_inline zend_bool is_handle_exception_set() {
	zend_execute_data *execute_data = EG(current_execute_data);
	return !execute_data->func
		|| !ZEND_USER_CODE(execute_data->func->common.type)
		|| execute_data->opline->opcode == ZEND_HANDLE_EXCEPTION;
}

With the option -w or -s, the program ends up calling is_handle_exception_set(). The value of EG(current_execute_data), namely executor_globals.current_execute_data, remains 0 from the parsing of -w or -s up to the is_handle_exception_set() call. As a result, a null pointer dereference occurs.
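As an added illustration (not code from this report or from php-src), the check below shows the quoted function with a guard for the "no frame at all" state that -w/-s leave behind. It uses constructed, simplified stand-ins for the Zend structures and for EG(current_execute_data); the names zend_execute_data, zend_function, ZEND_USER_CODE and ZEND_HANDLE_EXCEPTION mirror the quoted snippet, and everything else (field layouts, opcode values, the helper functions) is assumed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, heavily simplified stand-ins for the Zend structures that
 * is_handle_exception_set() touches (hypothetical, not php-src's definitions). */
enum { ZEND_INTERNAL_FUNCTION = 1, ZEND_USER_FUNCTION = 2 };
enum { OP_OTHER = 0, ZEND_HANDLE_EXCEPTION = 1 };   /* constructed opcode values */
typedef struct { struct { int type; } common; } zend_function;
typedef struct { int opcode; } zend_op;
typedef struct { zend_function *func; const zend_op *opline; } zend_execute_data;
#define ZEND_USER_CODE(type) ((type) == ZEND_USER_FUNCTION)

/* Stand-in for EG(current_execute_data): NULL until the executor pushes a frame,
 * which is the state php -w / php -s leave it in while zend_strip() runs. */
static zend_execute_data *current_execute_data = NULL;

/* Guarded variant of the function quoted in the report: a missing frame is
 * treated like "not in user code", so nothing is read through a NULL pointer. */
static bool is_handle_exception_set_guarded(void) {
    zend_execute_data *execute_data = current_execute_data;
    return !execute_data
        || !execute_data->func
        || !ZEND_USER_CODE(execute_data->func->common.type)
        || execute_data->opline->opcode == ZEND_HANDLE_EXCEPTION;
}

/* Run the guard against a caller-supplied frame (or NULL), restoring the
 * global afterwards so each call is independent. */
bool handle_exception_set_for(zend_execute_data *frame) {
    zend_execute_data *saved = current_execute_data;
    current_execute_data = frame;
    bool result = is_handle_exception_set_guarded();
    current_execute_data = saved;
    return result;
}

/* The report's situation: the scanner throws before any frame exists. */
bool throw_without_frame(void) { return handle_exception_set_for(NULL); }

/* Normal execution: a user-code frame not yet at ZEND_HANDLE_EXCEPTION, so the
 * caller still has to redirect the frame to the exception handler. */
bool throw_from_user_frame(void) {
    zend_function f = { { ZEND_USER_FUNCTION } };
    zend_op op = { OP_OTHER };
    zend_execute_data frame = { &f, &op };
    return handle_exception_set_for(&frame);
}
```

With the guard, a throw from the strip/highlight path simply reports "nothing to patch" instead of reading field offsets from address 0, which is what the SEGV on address 0x18 in the ASAN report corresponds to.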

Test Environment

Ubuntu 20.04, 64-bit; PHP 8.0.23

How to trigger

  1. Compile PHP with AddressSanitizer
  2. Run the command: $ ./php -s -w POC

Details

ASAN report

$ ../php  -s -w POC 
<?php
$flor="red"; switch ($favcolo; break; case "blue": echo "2"; ":
    echo "d; break; default� echo "4"; } ?>AddressSanitizer:DEADLYSIGNAL
=================================================================
==805955==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000022e4bc5 bp 0x7fffbee259f0 sp 0x7fffbee258d0 T0)
==805955==The signal is caused by a READ memory access.
==805955==Hint: address points to the zero page.
    #0 0x22e4bc5 in is_handle_exception_set /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10
    #1 0x22e4bc5 in zend_throw_exception_internal /home/root/php/sourcecode/php/Zend/zend_exceptions.c:177:4
    #2 0x22ffd34 in zend_throw_exception_zstr /home/root/php/sourcecode/php/Zend/zend_exceptions.c:866:2
    #3 0x22e9fdf in zend_throw_exception /home/root/php/sourcecode/php/Zend/zend_exceptions.c:875:20
    #4 0x1a4d23d in report_bad_nesting /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1270:2
    #5 0x1a4ce37 in check_nesting_at_end /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1304:3
    #6 0x1a3d45f in lex_scan /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:2195:3
    #7 0x1b93834 in zend_strip /home/root/php/sourcecode/php/Zend/zend_highlight.c:180:21
    #8 0x246f9d0 in do_cli /home/root/php/sourcecode/php/sapi/cli/php_cli.c:964:5
    #9 0x246bac2 in main /home/root/php/sourcecode/php/sapi/cli/php_cli.c:1339:18
    #10 0x7ff2d96e5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x60289d in _start (/home/root/php/fuzz/php/php_a_s_w_random/php+0x60289d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10 in is_handle_exception_set
==805955==ABORTING

POC can be downloaded from https://github.com/randomssr/bugissues/blob/main/php/POC

PHP Version

PHP 8.0.23

Operating System

No response
