php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #57385 Heap corrupted and segmentation fault when using crack
Submitted: 2006-11-20 13:25 UTC Modified: 2013-02-18 00:35 UTC
From: sheltren at cs dot ucsb dot edu Assigned: skettler (profile)
Status: No Feedback Package: crack (PECL)
PHP Version: HEAD CVS-2006-11-20 OS: Linux - CentOS 4
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2006-11-20 13:25 UTC] sheltren at cs dot ucsb dot edu 
Description:
------------
I am using crack 0.4 and php 5.2.0 (also reproducible with latest CVS snapshot as of today, 11/20/06).  A "heap corrupted" message is output and then php segfaults.  The strange thing is, it crashes when $passwd is set to "jeffpass", but other strings I have tried do not cause the crash.

I reported this as a PHP bug and I was redirected here.  See http://bugs.php.net/bug.php?id=39558

Reproduce code:
---------------
Code to reproduce is located here:
http://www.cs.ucsb.edu/~jeff/crashes.phps

$ php crashes.php
Heap corrupted
Segmentation fault (core dumped)

Expected result:
----------------
Should loop through dictionaries and return from function successfully - this same code works fine in php 5.1.6.

Actual result:
--------------
(gdb) bt
#0  0x00a7e7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00abec46 in kill () from /lib/tls/libc.so.6
#2  0x0827b345 in zend_mm_panic (message=0x83a4ea0 "Heap corrupted")
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:61
#3  0x0827b7fa in zend_mm_remove_from_free_list (heap=0xa26c130,
mm_block=0xb7f25a00)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:476
#4  0x0827cfee in _zend_mm_free_int (heap=0xa26c130, p=0xb7f251d4, 
    __zend_filename=0x117048
"/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1357
#5  0x0827d815 in _efree (ptr=0xb7f251d4, 
    __zend_filename=0x117048
"/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1653
#6  0x00114a30 in cracklib_pw_close (pwp=0xb7f251d4)
    at /local/jeff/crack-0.4/libcrack/src/packlib.c:221
#7  0x001133cb in php_crack_module_dtor (rsrc=0xb7f22c9c) at
/local/jeff/crack-0.4/crack.c:177
#8  0x082a20d9 in list_entry_destructor (ptr=0xb7f22c9c)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:184
#9  0x0829ffa8 in zend_hash_del_key_or_index (ht=0x83d9b08, arKey=0x0,
nKeyLength=0, h=3, flag=1)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:492
#10 0x082a1dcd in _zend_list_delete (id=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:58
#11 0x082949b2 in _zval_dtor_func (zvalue=0xb7f22b00, 
    __zend_filename=0x83a66cc
"/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h", 
    __zend_lineno=35) at
/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:60
#12 0x08288db2 in _zval_dtor (zvalue=0xb7f22b00, 
    __zend_filename=0x83a6644
"/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c", 
    __zend_lineno=414) at
/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h:35
#13 0x08288f65 in _zval_ptr_dtor (zval_ptr=0xb7f22b84, 
    __zend_filename=0x83a77a8
"/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c", 
    __zend_lineno=175) at
/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c:414
#14 0x08294c67 in _zval_ptr_dtor_wrapper (zval_ptr=0xb7f22b84)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:175
#15 0x082a01fa in zend_hash_clean (ht=0xb7f22450)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:547
#16 0x082b4724 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbffc4bd0)
    at
/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:255
#17 0x082b8edd in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xbffc4bd0)
    at
/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:1681
#18 0x082b40c2 in execute (op_array=0xb7f21e14)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:92
#19 0x082967ec in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend.c:1097
#20 0x08251376 in php_execute_script (primary_file=0xbffc6fa0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/main/main.c:1758
#21 0x082fa7a1 in main (argc=2, argv=0xbffc7084)
at /local/jeff/rpmbuild/SOURCES/php-5.2.0/sapi/cgi/cgi_main.c:1625

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-11-20 15:19 UTC] skettler@php.net 
Could you please make available the crack dictionaries (and if possible, their source wordlist)?

I will analyse this bug during the next days; if your project deadlines (if any) are close, I will try to prioritise working on this bug.

Thanks for reporting this bug.
 [2006-11-20 15:26 UTC] sheltren at cs dot ucsb dot edu 
Thanks for the quick response.  I no longer have the original word lists, but I've created a tarball of the dictionary files here:
http://www.cs.ucsb.edu/~jeff/dictionaries.tar.gz

If you need any other information, please let me know.
 [2006-11-20 17:26 UTC] skettler@php.net 
There seems to be an internal error (maybe overflowing some buffer) when checking against the "eci-wordlist" dictionary although that dictionary looks fine (unpacking and repacking gives an identical dictionary).

Could you use your script without that (tiny) dictionary until I have investigated the problem further?
 [2006-11-20 18:26 UTC] sheltren at cs dot ucsb dot edu 
Yeah, when I added 15 or so more words to that one word dictionary, I no longer experience the segfault.

Thanks for looking into this.
 [2012-06-07 16:18 UTC] felipe@php.net
-Status: Verified +Status: Feedback
 [2012-06-07 16:18 UTC] felipe@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Have you experienced this yet?
 [2013-02-18 00:35 UTC] pecl-dev at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 04:01:28 2024 UTC