Use after free in SplFixedArray #16478

Closed
chibinz opened this issue Oct 17, 2024 · 1 comment

Comments

@chibinz

chibinz commented Oct 17, 2024

Description

The following code:

<?php

class C {
    function __destruct() {
        // Re-enters the array while it is still in the middle of unsetting $arr[0]
        global $arr;
        $arr->setSize(0);
    }
}

$arr = new SplFixedArray(2);
$arr[0] = new C;
unset($arr[0]); // destroys C, whose destructor shrinks the array mid-unset

Resulted in this output:

==1479422==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000045d90 at pc 0x560b20d53d29 bp 0x7ffc0a25d2f0 sp 0x7ffc0a25d2e8
READ of size 4 at 0x604000045d90 thread T0
    #0 0x560b20d53d28 in zend_gc_delref /tmp/php-asan/Zend/zend_types.h:1346:2
    #1 0x560b20d54e5b in zend_objects_store_del /tmp/php-asan/Zend/zend_objects_API.c:180:4
    #2 0x560b20dbbb66 in rc_dtor_func /tmp/php-asan/Zend/zend_variables.c:57:2
    #3 0x560b20dbbc54 in i_zval_ptr_dtor /tmp/php-asan/Zend/zend_variables.h:45:4
    #4 0x560b20dbbba4 in zval_ptr_dtor /tmp/php-asan/Zend/zend_variables.c:84:2
    #5 0x560b2023d0fb in spl_fixedarray_object_unset_dimension_helper /tmp/php-asan/ext/spl/spl_fixedarray.c:462:3
    #6 0x560b2023efa6 in spl_fixedarray_object_unset_dimension /tmp/php-asan/ext/spl/spl_fixedarray.c:475:2
    #7 0x560b20abcc6d in ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:45268:4
    #8 0x560b209a602d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #9 0x560b209a6857 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #10 0x560b20dda9d0 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
    #11 0x560b205f961b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #12 0x560b205f9b18 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #13 0x560b20de2479 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #14 0x560b20ddf49c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #15 0x7efce7a29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #16 0x7efce7a29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #17 0x560b1f802dc4 in _start (/workspaces/TriFuzz/targets/php-asan/bin/php+0x402dc4)

0x604000045d90 is located 0 bytes inside of 40-byte region [0x604000045d90,0x604000045db8)
freed by thread T0 here:
    #0 0x560b1f8876e2 in free /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x560b20836103 in __zend_free /tmp/php-asan/Zend/zend_alloc.c:3308:2
    #2 0x560b20839fd4 in _efree /tmp/php-asan/Zend/zend_alloc.c:2747:3
    #3 0x560b20d5530a in zend_objects_store_del /tmp/php-asan/Zend/zend_objects_API.c:198:3
    #4 0x560b20d57456 in zend_object_release /tmp/php-asan/Zend/zend_objects_API.h:77:3
    #5 0x560b20d5722f in zend_objects_destroy_object /tmp/php-asan/Zend/zend_objects.c:204:3
    #6 0x560b20d54e52 in zend_objects_store_del /tmp/php-asan/Zend/zend_objects_API.c:179:4
    #7 0x560b20dbbb66 in rc_dtor_func /tmp/php-asan/Zend/zend_variables.c:57:2
    #8 0x560b20dbbc54 in i_zval_ptr_dtor /tmp/php-asan/Zend/zend_variables.h:45:4
    #9 0x560b20dbbba4 in zval_ptr_dtor /tmp/php-asan/Zend/zend_variables.c:84:2
    #10 0x560b2023d0fb in spl_fixedarray_object_unset_dimension_helper /tmp/php-asan/ext/spl/spl_fixedarray.c:462:3
    #11 0x560b2023efa6 in spl_fixedarray_object_unset_dimension /tmp/php-asan/ext/spl/spl_fixedarray.c:475:2
    #12 0x560b20abcc6d in ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:45268:4
    #13 0x560b209a602d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #14 0x560b209a6857 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #15 0x560b20dda9d0 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
    #16 0x560b205f961b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #17 0x560b205f9b18 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #18 0x560b20de2479 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #19 0x560b20ddf49c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #20 0x7efce7a29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

previously allocated by thread T0 here:
    #0 0x560b1f88798e in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x560b2083a543 in __zend_malloc /tmp/php-asan/Zend/zend_alloc.c:3280:14
    #2 0x560b20839ed0 in _emalloc /tmp/php-asan/Zend/zend_alloc.c:2737:10
    #3 0x560b20d57513 in zend_objects_new /tmp/php-asan/Zend/zend_objects.c:210:24
    #4 0x560b2085418d in _object_and_properties_init /tmp/php-asan/Zend/zend_API.c:1823:22
    #5 0x560b20854390 in object_init_ex /tmp/php-asan/Zend/zend_API.c:1846:9
    #6 0x560b20aa3b28 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:10923:6
    #7 0x560b209a602d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #8 0x560b209a6857 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #9 0x560b20dda9d0 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
    #10 0x560b205f961b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #11 0x560b205f9b18 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #12 0x560b20de2479 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #13 0x560b20ddf49c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #14 0x7efce7a29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-asan/Zend/zend_types.h:1346:2 in zend_gc_delref
Shadow bytes around the buggy address:
  0x0c0880000b60: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c0880000b70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c0880000b80: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c0880000b90: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c0880000ba0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c0880000bb0: fa fa[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c0880000bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880000bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880000be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880000bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880000c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1479422==ABORTING

PHP Version

PHP 8.5.0-dev

Operating System

No response

@iluuu1994
Member

iluuu1994 commented Oct 17, 2024

This should be fixed in the same way as #16466. I'll create a PR shortly.
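To show why the order of operations inside the unset handler matters, here is an added C model of the reentrancy in the report. It is not php-src code and not the fix the maintainer refers to; it assumes the usual remedy of moving the value out of the slot and clearing the slot before destroying the value. Objects come from a small fixed pool with an instrumented "freed" flag, so a use after free is counted instead of corrupting memory (a stand-in for the AddressSanitizer report above); only object lifetime is instrumented, not the element buffer. The names `Obj`, `FixedArray`, `object_store_del`, `array_unset_vulnerable` and `array_unset_hardened` are all constructed for this example.

```c
/* Added example (not php-src code): a model of the SplFixedArray unset-vs-
 * destructor reentrancy. Objects live in a fixed pool with a "freed" flag;
 * any access to a freed object increments uaf_count, standing in for ASan. */
#include <stdio.h>
#include <string.h>

typedef struct FixedArray FixedArray;
typedef struct Obj Obj;

struct Obj {
    int refcount;
    int destructor_called;
    int freed;                    /* instrumentation only */
    void (*dtor)(Obj *self);      /* plays the role of __destruct() */
    FixedArray *arr;              /* the "global $arr" the destructor reaches */
};

struct FixedArray {
    Obj *elements[4];
    size_t size;
};

typedef struct { int uaf; int freed; } Outcome;

static Obj pool[4];
static int pool_used, uaf_count, freed_count;

static Obj *obj_new(void) { Obj *o = &pool[pool_used++]; o->refcount = 1; return o; }

/* Every access to an object's header goes through here so a use after free is
 * counted instead of silently reading recycled memory. */
static Obj *touch(Obj *o) { if (o->freed) uaf_count++; return o; }

static void object_store_del(Obj *o);
static void object_release(Obj *o) { if (--touch(o)->refcount == 0) object_store_del(o); }

/* Same shape as zend_objects_store_del(): hold one reference while the user
 * destructor runs, drop it afterwards, free when nothing resurrected the object. */
static void object_store_del(Obj *o) {
    if (!o->destructor_called) {
        o->destructor_called = 1;
        o->refcount = 1;
        if (o->dtor) o->dtor(o);
        /* If the destructor already drove the refcount to zero and freed o,
         * this decrement is the heap-use-after-free from the ASan trace. */
        if (--touch(o)->refcount != 0) return;
    }
    touch(o)->freed = 1;
    freed_count++;
}

/* Shrinking releases the dropped elements, like SplFixedArray::setSize(). */
static void array_set_size(FixedArray *a, size_t n) {
    for (size_t i = n; i < a->size; i++) {
        Obj *o = a->elements[i];
        a->elements[i] = NULL;
        if (o) object_release(o);
    }
    a->size = n;
}

/* Vulnerable order: destroy the value while the slot still points at it, so a
 * re-entrant setSize(0) from the destructor releases the same object again. */
static void array_unset_vulnerable(FixedArray *a, size_t i) {
    if (a->elements[i]) object_release(a->elements[i]);
    a->elements[i] = NULL;
}

/* Hardened order (assumed fix pattern): move the value out, clear the slot,
 * and only then destroy it; re-entrant code sees an empty slot. */
static void array_unset_hardened(FixedArray *a, size_t i) {
    Obj *garbage = a->elements[i];
    a->elements[i] = NULL;
    if (garbage) object_release(garbage);
}

/* Equivalent of the reporter's class C: __destruct() calls $arr->setSize(0). */
static void c_destruct(Obj *self) { array_set_size(self->arr, 0); }

/* Runs the reproducer against one unset order; returns UAF and free counts. */
Outcome run_scenario(int hardened) {
    FixedArray arr = { {0}, 2 };
    memset(pool, 0, sizeof pool);
    pool_used = uaf_count = freed_count = 0;

    Obj *c = obj_new();           /* $arr[0] = new C; */
    c->dtor = c_destruct;
    c->arr = &arr;
    arr.elements[0] = c;

    if (hardened) array_unset_hardened(&arr, 0);   /* unset($arr[0]); */
    else          array_unset_vulnerable(&arr, 0);

    Outcome out = { uaf_count, freed_count };
    return out;
}

int main(void) {
    Outcome v = run_scenario(0), h = run_scenario(1);
    printf("vulnerable: uaf=%d freed=%d\n", v.uaf, v.freed);
    printf("hardened:   uaf=%d freed=%d\n", h.uaf, h.freed);
    return 0;
}
```

The vulnerable order reports one use after free (the refcount decrement after the destructor returns, matching frame #0 of the trace), while the hardened order frees the object exactly once and reports none. The general lesson is that any container releasing an element must detach it from its own storage before calling into user code that can reach the container.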

iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Oct 17, 2024
@cmb69 cmb69 linked a pull request Oct 17, 2024 that will close this issue