
Segfault in stripslashes() with arm64 #10187

Closed
@todeveni

Description


The following code:

<?php
// Reproducer for the arm64 stripslashes() crash: a 16-byte input whose final
// byte is a lone backslash. The expected result is the 15-byte string with the
// trailing backslash removed (string(15) "1234567890abcde").
// NOTE(review): the attached backtrace places the fault in vld1q_u8 called from
// php_stripslashes_impl (ext/standard/string.c:3820) with
// len=18446744073707838319, which looks like an underflowed size_t — confirm
// against the NEON loop's length bookkeeping.
$input = "1234567890abcde\\";
var_dump(stripslashes($input));

Resulted in this output:

Segmentation fault (core dumped)

But I expected this output instead:

string(15) "1234567890abcde"

Backtrace from current php-src:

Starting program: /home/ubuntu/php-src/sapi/cli/php -a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000aaaaaaf55e40 in vld1q_u8 (__a=0xfffff57ffff9 "") at /usr/lib/gcc/aarch64-linux-gnu/11/include/arm_neon.h:16132
16132       __builtin_aarch64_ld1v16qi ((const __builtin_aarch64_simd_qi *) __a);
#0  0x0000aaaaaaf55e40 in vld1q_u8 (__a=0xfffff57ffff9 "")
    at /usr/lib/gcc/aarch64-linux-gnu/11/include/arm_neon.h:16132
No locals.
#1  php_stripslashes_impl (str=0xfffff57ffff9 "", out=0xfffff57ffff3 "", len=18446744073707838319)
    at /home/ubuntu/php-src/ext/standard/string.c:3820
        x = {0 <repeats 16 times>}
        q = {mem = '\000' <repeats 15 times>, dw = {0, 0}}
#2  0x0000aaaaaaf560f8 in php_stripslashes (str=0xfffff565db40) at /home/ubuntu/php-src/ext/standard/string.c:3936
        t = 0xfffff565db40 "\001"
#3  0x0000aaaaaaf54fb8 in zif_stripslashes (execute_data=0xfffff5613080, return_value=0xffffffffd7d8)
    at /home/ubuntu/php-src/ext/standard/string.c:3346
        str = 0xfffff565dbe0
        __PRETTY_FUNCTION__ = "zif_stripslashes"
#4  0x0000aaaaab0cb298 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER ()
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:1250
        call = 0xfffff5613080
        fbc = 0xaaaaabd2e5f0
        ret = 0xffffffffd7d8
        retval = {value = {lval = 281474798836544, dval = 1.3906702827521206e-309, counted = 0xfffff565db40,
            str = 0xfffff565db40, arr = 0xfffff565db40, obj = 0xfffff565db40, res = 0xfffff565db40,
            ref = 0xfffff565db40, ast = 0xfffff565db40, zv = 0xfffff565db40, ptr = 0xfffff565db40,
            ce = 0xfffff565db40, func = 0xfffff565db40, ww = {w1 = 4117093184, w2 = 65535}}, u1 = {type_info = 262,
            v = {type = 6 '\006', type_flags = 1 '\001', u = {extra = 0}}}, u2 = {next = 65535, cache_slot = 65535,
            opline_num = 65535, lineno = 65535, num_args = 65535, fe_pos = 65535, fe_iter_idx = 65535,
            property_guard = 65535, constant_flags = 65535, extra = 65535}}
        should_throw = false
        __PRETTY_FUNCTION__ = "ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER"
        call_info = 6
#5  0x0000aaaaab153a98 in execute_ex (ex=0xfffff5613020) at /home/ubuntu/php-src/Zend/zend_vm_execute.h:56013
        vm_stack_data = {orig_opline = 0x0, orig_execute_data = 0xaaaaabb9e918}
        __PRETTY_FUNCTION__ = "execute_ex"
#6  0x0000aaaaab158250 in zend_execute (op_array=0xfffff5689000, return_value=0xffffffffdaa0)
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:60381
        execute_data = 0xfffff5613020
        object_or_called_scope = 0x0
        call_info = 1245184
#7  0x0000aaaaab068f10 in zend_eval_stringl (str=0xfffff567c000 "pslashes(\"1234567890abcde\\\");\n", str_len=35,
    retval_ptr=0x0, string_name=0xaaaaaba7ac40 "php shell code") at /home/ubuntu/php-src/Zend/zend_execute_API.c:1287
        __orig_bailout = 0xffffffffdcb0
        __bailout = {{__jmpbuf = {281474976707768, 2, 187650002250008, 281474842484800, 187649992307172,
              281474837557248, 0, 281474976707792, 187650002250008, 0, 281474976700976, 12975520107903850929,
              187650002250008, 12975463846716460405, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {
              __val = {2049, 543139, 4295000448, 4299262264297, 0, 0, 1191, 4096, 8, 1672388012, 315971238,
                1672387996, 675971238, 281474976701424, 187649988072524, 281474976707768}}}}
        local_retval = {value = {lval = -1148435428713435121, dval = -6.1979905163444638e+231,
            counted = 0xf00ff00ff00ff00f, str = 0xf00ff00ff00ff00f, arr = 0xf00ff00ff00ff00f,
            obj = 0xf00ff00ff00ff00f, res = 0xf00ff00ff00ff00f, ref = 0xf00ff00ff00ff00f, ast = 0xf00ff00ff00ff00f,
            zv = 0xf00ff00ff00ff00f, ptr = 0xf00ff00ff00ff00f, ce = 0xf00ff00ff00ff00f, func = 0xf00ff00ff00ff00f,
            ww = {w1 = 4027576335, w2 = 4027576335}}, u1 = {type_info = 0, v = {type = 0 '\000',
              type_flags = 0 '\000', u = {extra = 0}}}, u2 = {next = 1326149266, cache_slot = 1326149266,
            opline_num = 1326149266, lineno = 1326149266, num_args = 1326149266, fe_pos = 1326149266,
            fe_iter_idx = 1326149266, property_guard = 1326149266, constant_flags = 1326149266, extra = 1326149266}}
        new_op_array = 0xfffff5689000
        original_compiler_options = 4
        retval = SUCCESS
        code_str = 0xfffff56593c0
#8  0x0000aaaaaae1946c in readline_shell_run () at /home/ubuntu/php-src/ext/readline/readline_cli.c:700
        __orig_bailout = 0xffffffffe050
        __bailout = {{__jmpbuf = {281474976707768, 2, 187650002250008, 281474842484800, 187649992307172,
              281474837557248, 0, 281474976707792, 187650002250008, 0, 281474976701424, 12975520107884905225,
              187650001338216, 12975463846716460213, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {
              __val = {187649989951672, 187650003402288, 187650003239016, 281474976701888, 187649990352168,
                281474976701888, 187650003402288, 281474798822048, 281474798822016, 4294958576, 187650004630912,
                281474976701936, 187649992304688, 281474976707768, 187650003402288, 281474798833744}}}}
        line = 0xaaaaabe746d0 "d\362M\001\240\252"
        size = 4096
        pos = 35
        len = 34
        code = 0xfffff567c000 "pslashes(\"1234567890abcde\\\");\n"
        prompt = 0xfffff567e000
        history_file = 0xaaaaabe5af20 "/home/ubuntu/.php_history"
        history_lines_to_write = 0
#9  0x0000aaaaab222944 in do_cli (argc=2, argv=0xaaaaabca9aa0) at /home/ubuntu/php-src/sapi/cli/php_cli.c:962
        __orig_bailout = 0xfffffffff200
        __bailout = {{__jmpbuf = {281474976707768, 2, 187650002250008, 281474842484800, 187649992307172,
              281474837557248, 0, 281474976707792, 187650002250008, 0, 281474976701936, 12975520107905714537,
              281474976702832, 12975463846716459701, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 187647121162261, 281474837564176, 281474976702832, 5, 281474976702960, 281474836453380,
                281474837564176, 1280, 281474842219968, 88, 281474842220056, 281474837557248, 0, 281474976707792,
                187650002250008}}}}
        c = -1
        file_handle = {handle = {fp = 0xffffffffdfe0, stream = {handle = 0xffffffffdfe0, isatty = -1425433344,
              reader = 0xaaaaabb9e918, fsizer = 0x88, closer = 0xffff00000004}}, filename = 0x0,
          opened_path = 0xffffffffe010, type = 88 'X', primary_script = 210, in_list = 9,
          buf = 0x31ffffe0b0 <error: Cannot access memory at address 0x31ffffe0b0>, len = 187650004703440}
        behavior = 1
        reflection_what = 0x0
        request_started = 1
        php_optarg = 0x0
        orig_optarg = 0x0
        php_optind = 2
        orig_optind = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = 0xaaaaabca9af0 "-a"
        arg_excp = 0xaaaaabca9aa8
        script_file = 0x0
        translated_path = 0x0
        interactive = true
        param_error = 0x0
        hide_argv = false
        num_repeats = 1
        pid = 769201
#10 0x0000aaaaab2235a4 in main (argc=2, argv=0xaaaaabca9aa0) at /home/ubuntu/php-src/sapi/cli/php_cli.c:1333
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {281474976707768, 2, 187650002250008, 281474842484800, 187649992307172,
              281474837557248, 0, 281474976707792, 187650002250008, 0, 281474976706960, 12975520107905720889, 0,
              12975463846716466901, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {
                281474842241056, 281474842487688, 2, 281474976707768, 281474976707792, 281474803275592, 0,
                281474976707664, 281474842313132, 281474976707768, 2, 187650002250008, 281474842484800,
                281474976707392, 281474836034496, 281474976707768}}}}
        c = -1
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 2
        use_extended_info = 0
        ini_path_override = 0x0
        ini_builder = {
          value = 0xaaaaabca9d50 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n", length = 110}
        ini_ignore = 0
        sapi_module = 0xaaaaabc78f80 <cli_sapi_module>

Downstream bug report oerdnj/deb.sury.org#1894, originally reported by @martymcguire.

PHP Version

Any

Operating System

No response
