segfault while `__unserialize()`

[staabm]

Description

I had a already started session and let php unserialize a object of the following class:

<?php

namespace ClxProductNet\PriceSwitch\Model;

use ClxProductNet_SessionNS;

final class PriceSwitchSession implements \Serializable
{

    // php 7.x serialization
    public function serialize()
    {
        return serialize($this->__serialize());
    }

    // php 7.x serialization
    public function unserialize($data): void
    {
        $this->__unserialize(unserialize($data));
    }

    // php 8.1+ serialization
    public function __unserialize(string $data): void /* <-- wrong data-type */
    {
    }
}

Resulted in this output:

• segmentation fault

But I expected this output instead:

• regular fatal error

the segfault goes away when I change the type of the parameter given to __unserialize from string to array.
array is of course the correct type, but a wrong type should not lead to a segfault

 php -v
PHP 8.1.18 (cli) (built: Apr 14 2023 04:39:44) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.18, Copyright (c) Zend Technologies

PHP Version

8.1.18

Operating System

Ubuntu22

[ndossche]

Does this code reproduce the error as-is for you?
I tried it on 8.0, 8.1, 8.2 and current master and it gives me:

Fatal error: PriceSwitchSession::__unserialize(): Parameter #1 ($data) must be of type array when declared

[staabm]

thanks for the reply.

I took this code out of a real app and it reproduced the segfault. the session which is de-serialized in this case was written using php 7.2 - in case its relevant.

I will have a look if I can narrow the reproducing code

[ndossche]

I took this code out of a real app and it reproduced the segfault. the session which is de-serialized in this case was written using php 7.2 - in case its relevant.

It already fails at compiling the class for me, so I suspect the deserialization is not even called.

I will have a look if I can narrow the reproducing code

Thank you

[staabm]

I was not yet able to narrow down the case, but I now have a backtrace - hope thats helpful:

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140260037073408) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140260037073408) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140260037073408) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140260037073408, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007f90d7e32476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007f90d7e187f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007f90d7e796f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f90d7fcb943 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007f90d7f2676a in __GI___fortify_fail (msg=msg@entry=0x7f90d7fcb92b "stack smashing detected") at ./debug/fortify_fail.c:26
#7  0x00007f90d7f26736 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
#8  0x000055f7253ba85c in convert_to_long (op=0x7f90d5819790) at ./Zend/zend_operators.c:485
#9  0x6a6668701ac13c00 in ?? ()
#10 0x00007f90d5819a20 in ?? ()
#11 0x0000000000000004 in ?? ()
#12 0x00007f90d581a780 in ?? ()
#13 0x000055f7253f884a in zval_get_long (op=0x7f90d5819790) at ./Zend/zend_operators.h:282
#14 ZEND_CAST_SPEC_CV_HANDLER () at ./Zend/zend_vm_execute.h:38647
#15 0x000055f725425a96 in execute_ex (ex=0x104104) at ./Zend/zend_vm_execute.h:59146
#16 0x000055f7253af0d4 in zend_call_function (fci=fci@entry=0x7fff54373ef0, fci_cache=<optimized out>, fci_cache@entry=0x7fff54373ed0) at ./Zend/zend_execute_API.c:929
#17 0x000055f7252ea857 in zif_call_user_func (execute_data=0x7f90d5818eb0, return_value=0x7fff54373fb0) at ./ext/standard/basic_functions.c:1566
#18 0x000055f72542b5c4 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1463
#19 execute_ex (ex=0x104104) at ./Zend/zend_vm_execute.h:55795
#20 0x000055f7253af0d4 in zend_call_function (fci=fci@entry=0x7fff54374110, fci_cache=<optimized out>, fci_cache@entry=0x7fff543740f0) at ./Zend/zend_execute_API.c:929
#21 0x000055f7252ea857 in zif_call_user_func (execute_data=0x7f90d5818bd0, return_value=0x7fff543741d0) at ./ext/standard/basic_functions.c:1566
#22 0x000055f72542b5c4 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1463
#23 execute_ex (ex=0x104104) at ./Zend/zend_vm_execute.h:55795
#24 0x000055f7253af0d4 in zend_call_function (fci=fci@entry=0x7fff54374330, fci_cache=<optimized out>, fci_cache@entry=0x7fff54374310) at ./Zend/zend_execute_API.c:929
#25 0x000055f7252ea857 in zif_call_user_func (execute_data=0x7f90d5818910, return_value=0x7fff543743f0) at ./ext/standard/basic_functions.c:1566
#26 0x000055f72542b5c4 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1463
#27 execute_ex (ex=0x104104) at ./Zend/zend_vm_execute.h:55795
#28 0x000055f7253af0d4 in zend_call_function (fci=fci@entry=0x7fff54374550, fci_cache=<optimized out>, fci_cache@entry=0x7fff54374530) at ./Zend/zend_execute_API.c:929
#29 0x000055f7252ea857 in zif_call_user_func (execute_data=0x7f90d58185a0, return_value=0x7fff54374610) at ./ext/standard/basic_functions.c:1566
#30 0x000055f72542b5c4 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:1463
#31 execute_ex (ex=0x104104) at ./Zend/zend_vm_execute.h:55795
#32 0x000055f7253af0d4 in zend_call_function (fci=<optimized out>, fci_cache=<optimized out>) at ./Zend/zend_execute_API.c:929
#33 0x000055f7252ea76c in user_shutdown_function_call (zv=<optimized out>) at ./ext/standard/basic_functions.c:1710
#34 0x000055f7253cfd2a in zend_hash_apply (ht=0x7f90c2f01a10, apply_func=apply_func@entry=0x55f7252ea740 <user_shutdown_function_call>) at ./Zend/zend_hash.c:1872
#35 0x000055f7252eee0e in php_call_shutdown_functions () at ./ext/standard/basic_functions.c:1771
#36 0x000055f725357855 in php_request_shutdown (dummy=dummy@entry=0x0) at ./main/main.c:1805
#37 0x000055f7251ffbad in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1974