Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest! http://git.dustri.org/snuffleupagus/atom?h=85beta2 2025-09-01T11:44:31Z 2025-09-01T11:44:31Z jvoisin 2025-08-31T14:05:44Z urn:sha1:508ebee8aff151f147c69d6fbe3ad35301552983 2025-08-19T18:54:00Z jvoisin 2025-08-19T18:54:00Z urn:sha1:1c7598c432551d0c49c2c57f249ccd5ccabce638 2025-08-17T14:13:51Z jvoisin 2025-08-17T14:13:51Z urn:sha1:c25c8a1f25bf5ed40fbbd8642d72865dd68d054d ``` Program terminated with signal SIGSEGV, Segmentation fault. 20 if (!(func->common.function_name)) { (gdb) info locals func = 0x0 function_name = 0xffb25f6d0190 "SearchByCallback" complete_path_function = 0xffb26c8a0570 "\240\005\212l\262\377" ``` It seems that in some callback shenanigans, there is currently no non-NULL `func` member in execute_data. PHP truly is marvelous. This should close #515 2025-07-15T20:42:18Z jvoisin 2025-07-15T20:42:02Z urn:sha1:5b89706890257dff305b6cafea7ef84a0dd173eb 2025-07-15T20:36:00Z Pierre Tondereau 2025-07-15T18:16:08Z urn:sha1:7e56fe6cbaac489d8449962730f37a025d15cfeb 2025-07-15T20:05:51Z jvoisin 2025-07-15T20:05:51Z urn:sha1:0184ba96d6087c6dca62ef6a996567e6d2e2bb9e 2025-07-15T20:04:58Z jvoisin 2025-07-15T20:04:58Z urn:sha1:87c5fbe30b6d9adce299d261183ccd9f85b4fa1f 2025-06-25T17:39:09Z Christian Göttsche 2025-06-25T09:37:23Z urn:sha1:7e6822a7b470ab5fcda123927357019842cdb957 sp_log_debug() does not take a feature as first argument: src/sp_wrapper.c: In function 'sp_reregister_php_wrapper': src/sp_utils.h:61:53: warning: too many arguments for format [-Wformat-extra-args] 61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ src/sp_wrapper.c:144:3: note: in expansion of macro 'sp_log_debug' 144 | sp_log_debug(LOG_FEATURE, "Stream \"php\" successfully re-registered"); | ^~~~~~~~~~~~ 2025-06-25T17:38:39Z Christian Göttsche 2025-06-25T09:39:44Z urn:sha1:66c711c1b98c0cafa0e4903b862bfbaedd638d7e Please GCC conversion warning: src/sp_upload_validation.c: In function 'sp_rfc1867_callback': src/sp_utils.h:61:53: warning: format '%lld' expects argument of type 'long long int', but argument 7 has type 'zend_long' {aka 'long int'} [-Wformat=] 61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ src/sp_upload_validation.c:48:7: note: in expansion of macro 'sp_log_debug' 48 | sp_log_debug("Filename: %s\nTmpname: %s\nSize: %zd\nError: %lld\nScript: %s", | ^~~~~~~~~~~~ 2025-06-25T17:38:30Z Christian Göttsche 2025-06-25T09:43:58Z urn:sha1:d4e010846d9d8db8bf6e1fec9a2c39ed762e257d Do not dereference the hash key for cookie encryption if it's NULL: Program terminated with signal SIGSEGV, Segmentation fault. #0 zend_string_equal_content (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:386 No locals. #1 zend_string_equals (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:391 No locals. #2 sp_match_value (value=0x0, to_match=0x79bdb92170f0, rx=0x0) at ./src/sp_utils.c:273 No locals. #3 0x00007989377b0709 in sp_lookup_cookie_config (key=0x0) at ./src/sp_cookie_encryption.c:8 config = 0x79bdb92158d0 it = 0x79ae80dabd00 it = <optimized out> config = <optimized out> #4 decrypt_cookie (pDest=0x79893b6787c0, num_args=<optimized out>, args=<optimized out>, hash_key=0x7ffe657c3880) at ./src/sp_cookie_encryption.c:19 cookie = <optimized out> #5 0x000061875aac52df in zend_hash_apply_with_arguments () No symbol table info available. #6 0x00007989377ae74b in zm_activate_snuffleupagus (type=<optimized out>, module_number=<optimized out>) at ./src/snuffleupagus.c:228 config_wrapper = 0x7989377c3490 <snuffleupagus_globals+144> #7 0x000061875aa21710 in zend_activate_modules () No symbol table info available. #8 0x000061875a9a7f18 in php_request_startup () No symbol table info available.