Segmentation fault in zend_error() with --enable-dtrace
| Bug #65470 | Segmentation fault in zend_error() with --enable-dtrace | | |
|---|---|---|---|
| Submitted: | 2013-08-18 04:40 UTC | Modified: | 2013-08-18 06:02 UTC |
| From: | sixd@php.net | Assigned: | |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.4Git-2013-08-18 (Git) | OS: | Linux |
| Private report: | No | CVE-ID: | None |
[2013-08-18 04:40 UTC] sixd@php.net
Description:
------------
A segmentation fault can occur in zend_error() with --enable-dtrace.
The zend_vspprintf() call in the DTRACE_ERROR_ENABLED() block leaves
args undefined:
"If ap is passed to a function that uses va_arg(ap,type) then the
value of ap is undefined after the return of that function."
When args is used again later in zend_error(), a seg fault can occur.
Test script:
---------------
As root:
-------------------
# dtrace -Z -s error.d
dtrace: script 'error.d' matched 0 probes
CPU ID FUNCTION:NAME
0 6 zend_error:error PHP error
--------------------
As a normal user:
--------------------
$ php error.php
Segmentation fault (core dumped)
--------------------
Where error.d is:
php*:::error { printf("PHP error\n"); }
and error.php is:
<?php trigger_error('This is an error', E_USER_ERROR); ?>
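The va_list reuse described in the report, reduced to a stand-alone C example that is added here and is neither PHP source nor the attached patch. `probe_format`, `report_error_buggy`, `report_error_fixed` and the `probe_enabled` flag are hypothetical stand-ins for zend_vspprintf(), zend_error() and DTRACE_ERROR_ENABLED(); `va_copy` is the standard C99 way to keep `args` usable after a callee has consumed a va_list.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the probe's formatter: it walks ap with va_arg,
 * so the caller's va_list is indeterminate once this returns. */
void probe_format(char *out, size_t n, const char *fmt, va_list ap) {
    vsnprintf(out, n, fmt, ap);
}

/* BEFORE (pattern from the report): args is handed to the probe formatter and
 * then reused. Undefined behaviour whenever probe_enabled is non-zero, so it
 * only shows up while a tracer is attached. Shown for contrast, never called. */
int report_error_buggy(int probe_enabled, char *probe_buf, char *msg_buf,
                       size_t n, const char *fmt, ...) {
    va_list args;
    va_start(args, fmt);
    probe_buf[0] = '\0';
    if (probe_enabled)
        probe_format(probe_buf, n, fmt, args);  /* args consumed here */
    int len = vsnprintf(msg_buf, n, fmt, args); /* second use: undefined */
    va_end(args);
    return len;
}

/* AFTER: the probe branch formats from its own copy; args stays valid. */
int report_error_fixed(int probe_enabled, char *probe_buf, char *msg_buf,
                       size_t n, const char *fmt, ...) {
    va_list args, probe_args;
    va_start(args, fmt);
    probe_buf[0] = '\0';
    if (probe_enabled) {
        va_copy(probe_args, args);
        probe_format(probe_buf, n, fmt, probe_args);
        va_end(probe_args);
    }
    int len = vsnprintf(msg_buf, n, fmt, args);
    va_end(args);
    return len;
}

int main(void) {
    char probe[64], msg[64];
    /* Constructed sample input, mirroring the report's trigger_error() text. */
    report_error_fixed(1, probe, msg, sizeof msg, "%s on line %d",
                       "This is an error", 1);
    printf("probe=[%s] msg=[%s]\n", probe, msg);
    return 0;
}
```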
Patches
bug65470 (last revision 2013-08-18 05:05 UTC by sixd@php.net)
Pull Requests
History
[2013-08-18 04:40 UTC] sixd@php.net
-Assigned To: +Assigned To: sixd
[2013-08-18 04:41 UTC] sixd@php.net
[2013-08-18 06:02 UTC] sixd@php.net
-Status: Assigned +Status: Open -Assigned To: sixd +Assigned To:
[2013-08-18 06:02 UTC] sixd@php.net
[2013-08-19 00:23 UTC] stas@php.net
-Status: Open +Status: Closed