PHP segmentation fault

If you are an active reader you might have noticed that we have been away from the public for some time. For me the reason was that I was busy with other things, but I am back, and so are Mathias and Fredrik, so it is getting cosy again here already.

Some time ago I started a project with a friend of mine which can provide secure chat to people who like knowing that nobody is MITMing them or harvesting their data. Soon I shall need beta testers; details will follow once it is further developed.
I have been busy over the past couple of days auditing the Pligg CMS - it is always fun to target a random CMS - and I shall post a full report on the security of Pligg soon.
Now I shall publish a segmentation fault in PHP! Here it is:

<?php
// f() calls itself through call_user_func_array() with no base case, so the
// recursion never terminates. __function__ is the magic constant (it is
// case-insensitive) and resolves to the string "f".
function f(){call_user_func_array(__function__,array());}
f();
?>

Here is a partial backtrace:

$ gdb /usr/bin/php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/php...
Reading symbols from /usr/lib/debug/usr/bin/php5...
done.
done.
(gdb) r segf.php
Starting program: /usr/bin/php segf.php
[Thread debugging using libthread_db enabled]
[New Thread 0xb7d70b70 (LWP 11986)]
[Thread 0xb7d70b70 (LWP 11986) exited]

Program received signal SIGSEGV, Segmentation fault.
0x08316db6 in zend_parse_va_args (num_args=2, type_spec=0x872172f "fa/", va=0xbf6000ec, flags=0)
at /build/buildd/php5-5.3.3/Zend/zend_API.c:588
588	/build/buildd/php5-5.3.3/Zend/zend_API.c: No such file or directory.
	in /build/buildd/php5-5.3.3/Zend/zend_API.c
(gdb) bt
#0  0x08316db6 in zend_parse_va_args (num_args=2, type_spec=0x872172f "fa/", va=0xbf6000ec, flags=0)
    at /build/buildd/php5-5.3.3/Zend/zend_API.c:588
#1  0x08317c30 in zend_parse_parameters (num_args=2, type_spec=0x872172f "fa/")
    at /build/buildd/php5-5.3.3/Zend/zend_API.c:871
#2  0x0822f76b in zif_call_user_func_array (ht=2, return_value=0x8f3a99c,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /build/buildd/php5-5.3.3/ext/standard/basic_functions.c:4781
#3  0x0836051a in zend_do_fcall_common_helper_SPEC (execute_data=0x2) at
    /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
#4  0x08336fde in execute (op_array=0x8966358) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107
#5  0x08302c3b in zend_call_function (fci=0xbf600400, fci_cache=0xbf600424) at
    /build/buildd/php5-5.3.3/Zend/zend_execute_API.c:963
#6  0x0822f795 in zif_call_user_func_array (ht=2, return_value=0x8f3a868, return_value_ptr=0x0,
    this_ptr=0x0, return_value_used=0)
    at /build/buildd/php5-5.3.3/ext/standard/basic_functions.c:4788
...

Here is some info on the registers:

eax            0xbf600154	-1084227244
ecx            0xbf600130	-1084227280
edx            0x8efb884	149928068
ebx            0x8789970	142121328
esp            0xbf5ffff0	0xbf5ffff0
ebp            0xbf6000b8	0xbf6000b8
esi            0x0	0
edi            0xbf6000ec	-1084227348
eip            0x8316db6	0x8316db6 
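The backtrace above repeats the same cycle of frames (zif_call_user_func_array, zend_call_function, execute, zend_do_fcall_common_helper_SPEC, zif_call_user_func_array again), which means every PHP-level call through call_user_func_array re-enters the C-level executor, so the recursion is bounded only by the native stack; once that runs out the process dies with SIGSEGV. PHP itself has no recursion-depth limit. The following is an added example, not code from the original post: a small dispatcher that counts nesting depth and turns runaway recursion into a catchable exception. The class name GuardedDispatcher, the default limit of 256 and the sample usage are assumptions chosen for illustration; it avoids PHP 5.4+ syntax so it runs on the 5.3.3 build in the backtrace as well as on current PHP.

```php
<?php
// Added example: depth-guarded callback dispatcher (hypothetical class name,
// not part of PHP or of the original post). Every callback invocation goes
// through call(), which refuses to nest deeper than $maxDepth.
class GuardedDispatcher
{
    private $depth = 0;   // current nesting depth of call()
    private $maxDepth;    // assumed default limit, tune per application

    public function __construct($maxDepth = 256)
    {
        $this->maxDepth = (int) $maxDepth;
    }

    // Invoke $callable with $args, tracking depth across nested invocations.
    // Mutually recursive callbacks that all route through this dispatcher
    // share the same counter, so they are covered too.
    public function call($callable, array $args = array())
    {
        if (!is_callable($callable)) {
            throw new InvalidArgumentException('argument is not callable');
        }
        if ($this->depth >= $this->maxDepth) {
            throw new RuntimeException(
                'recursion depth limit of ' . $this->maxDepth . ' exceeded');
        }
        $this->depth++;
        try {
            $result = call_user_func_array($callable, $args);
        } catch (Exception $e) {
            $this->depth--;   // unwind the counter on the way out
            throw $e;
        }
        $this->depth--;
        return $result;
    }
}

// Same self-calling function as in the post, but routed through the guard.
function f($dispatcher)
{
    return $dispatcher->call(__FUNCTION__, array($dispatcher));
}

$dispatcher = new GuardedDispatcher(100);   // constructed limit for the demo
try {
    f($dispatcher);
} catch (RuntimeException $e) {
    // Instead of a crashed worker we get a controlled error.
    echo 'stopped safely: ', $e->getMessage(), PHP_EOL;
}
?>
```

Routing callbacks through a depth counter is only a defence for code you control; it does not protect the interpreter from scripts that recurse directly. The Xdebug extension offers a similar engine-wide safety net via its max_nesting_level setting, which aborts the script with a fatal error before the native stack is exhausted.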

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.

1 Comment

  1. RT @HackAck: New Post: PHP seg… | Xanda's Twitter Archive says:

    [...] @HackAck: New Post: PHP segmentation fault ( http://h.ackack.net/php-segmentation-fault.html ): If you are an active reader mi [...]