php / php-src

The PHP Interpreter
https://www.php.net

Segmentation fault (zend_mm_heap corrupted) in zend allocator #15836

Open YuanchengJiang opened 1 month ago

YuanchengJiang commented 1 month ago

Description

The following code:

<?php
class CliServerInfo {
}
function php_cli_server_start(
): CliServerInfo {
    $descriptorspec = array(
    );
    $handle = proc_open($cmd, $descriptorspec, $pipes, $doc_root, null, array("suppress_errors" => true));
    register_shutdown_function(
        function($handle) use($router, $doc_root, $output_file) {
            $status = proc_get_status($handle);
        },
        $handle
    );
    return new CliServerInfo($doc_root, $handle);
}
php_cli_server_start(
    ["-d", "enable_post_data_reading=Off"]);
require 'filter_errors.inc';
class test_filter4 extends php_user_filter {
    function filter($in, $out, &$consumed, $fusion): int {
        if (!$closing) {
            $bucket = stream_bucket_new($this->stream, "42");
        }
        return PSFS_ERR_FATAL;
    }
}
for($i = 0; $i < 5; ++$i) {
    var_dump(stream_filter_register("test_filter$i", "test_filter$i"));
    filter_errors_test("test_filter$i", "42");
}

Resulted in this output:

zend_mm_heap corrupted
AddressSanitizer:DEADLYSIGNAL
=================================================================
==620763==ERROR: AddressSanitizer: SEGV on unknown address 0x03e8000978db (pc 0x7f2de3cf875b bp 0x7fffdfb5f500 sp 0x7fffdfb5f4e8 T0)
==620763==The signal is caused by a READ memory access.
    #0 0x7f2de3cf875b in kill (/lib/x86_64-linux-gnu/libc.so.6+0x4275b) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #1 0x5577baa42b4c in zend_mm_panic /php-src/Zend/zend_alloc.c:396:2
    #2 0x5577baa42e94 in zend_mm_get_next_free_slot /php-src/Zend/zend_alloc.c:1326:4
    #3 0x5577baa5d5ce in zend_mm_alloc_small /php-src/Zend/zend_alloc.c:1410:30
    #4 0x5577baa4d63c in zend_mm_alloc_heap /php-src/Zend/zend_alloc.c:1488:9
    #5 0x5577baa525fd in _emalloc /php-src/Zend/zend_alloc.c:2740:9
    #6 0x5577bb54a76f in zend_string_alloc /php-src/Zend/zend_string.h:176:36
    #7 0x5577bb54a517 in zend_string_init /php-src/Zend/zend_string.h:198:21
    #8 0x5577bb50bd35 in _zend_hash_str_add_or_update_i /php-src/Zend/zend_hash.c:958:17
    #9 0x5577bb50a4dd in zend_hash_str_update /php-src/Zend/zend_hash.c:1035:9
    #10 0x5577baa8f358 in zend_symtable_str_update /php-src/Zend/zend_hash.h:579:10
    #11 0x5577baa8f90d in add_assoc_bool_ex /php-src/Zend/zend_API.c:1947:2
    #12 0x5577ba125fff in add_assoc_bool /php-src/Zend/zend_API.h:569:2
    #13 0x5577ba125579 in zif_proc_get_status /php-src/ext/standard/proc_open.c:448:2
    #14 0x5577bb2297d1 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:1351:2
    #15 0x5577bada8f47 in execute_ex /php-src/Zend/zend_vm_execute.h:58585:7
    #16 0x5577bad5638b in zend_call_function /php-src/Zend/zend_execute_API.c:996:3
    #17 0x5577b9ec0614 in user_shutdown_function_call /php-src/ext/standard/basic_functions.c:1616:16
    #18 0x5577bb52c762 in zend_hash_apply /php-src/Zend/zend_hash.c:2070:13
    #19 0x5577b9ec024f in php_call_shutdown_functions /php-src/ext/standard/basic_functions.c:1677:4
    #20 0x5577ba46c8a7 in php_request_shutdown /php-src/main/main.c:1911:3
    #21 0x5577bb8d7e30 in do_cli /php-src/sapi/cli/php_cli.c:1105:3
    #22 0x5577bb8d14f2 in main /php-src/sapi/cli/php_cli.c:1309:18
    #23 0x7f2de3cdfd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #24 0x7f2de3cdfe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #25 0x5577b8603244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ee1f743275c2fdd0ccef8e16c7fa1c0bff43bbe8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x4275b) (BuildId: 490fef8403240c91833978d494d39e537409b92e) in kill

If USE_ZEND_ALLOC=0, it causes a UAF.

PHP Version

PHP 8.4.0-dev

Operating System

Ubuntu 22.04

cmb69 commented 1 month ago

Tentatively marking as streams issue.

PHP-8.3 is affected as well, and maybe older branches, too.

iluuu1994 commented 1 month ago

The report with USE_ZEND_ALLOC=0 is likely more useful:

==1213945==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000020f58 at pc 0x000001583a4c bp 0x7ffcfd951540 sp 0x7ffcfd951538
READ of size 8 at 0x503000020f58 thread T0
    #0 0x1583a4b in _build_trace_args /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:510
    #1 0x1584c0a in _build_trace_string /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:576
    #2 0x15853e6 in zend_trace_to_string /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:602
    #3 0x1585919 in zim_Exception_getTraceAsString /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:631
    #4 0x15a0070 in zend_call_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:1009
    #5 0x158686a in zim_Exception___toString /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:676
    #6 0x15a0070 in zend_call_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:1009
    #7 0x15a14b3 in zend_call_known_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:1090
    #8 0x15784aa in zend_call_known_instance_method /home/ilutov/Developer/php-src/Zend/zend_API.h:860
    #9 0x15784e4 in zend_call_known_instance_method_with_0_params /home/ilutov/Developer/php-src/Zend/zend_API.h:866
    #10 0x1589be2 in zend_exception_error /home/ilutov/Developer/php-src/Zend/zend_exceptions.c:918
    #11 0x1b11fd4 in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1935
    #12 0x10e6d7b in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2578
    #13 0x10e72aa in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2618
    #14 0x1b197c5 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:935
    #15 0x1b1c008 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1309
    #16 0x7fd775e39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #17 0x7fd775e3914a in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2a14a) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #18 0x602864 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x602864) (BuildId: 9749d43ca5f1fff9b820d72e2c7562054c225a04)

0x503000020f58 is located 8 bytes inside of 32-byte region [0x503000020f50,0x503000020f70)
freed by thread T0 here:
    #0 0x7fd7768f6638 in free.part.0 (/lib64/libasan.so.8+0xf6638) (BuildId: 79824421bd82bb3ef4addf048e1265e2a93cfc64)
    #1 0x140b0e4 in __zend_free /home/ilutov/Developer/php-src/Zend/zend_alloc.c:3308
    #2 0x1406562 in _efree /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2747
    #3 0x1a32ffd in list_entry_destructor /home/ilutov/Developer/php-src/Zend/zend_list.c:182
    #4 0x191bd04 in _zend_hash_packed_del_val /home/ilutov/Developer/php-src/Zend/zend_hash.c:1461
    #5 0x191fdb8 in zend_hash_index_del /home/ilutov/Developer/php-src/Zend/zend_hash.c:1706
    #6 0x1a31fae in zend_list_free /home/ilutov/Developer/php-src/Zend/zend_list.c:58
    #7 0x1aeabb6 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #8 0x15abc24 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:45
    #9 0x15e0e51 in i_free_compiled_variables /home/ilutov/Developer/php-src/Zend/zend_execute.c:4085
    #10 0x18a0c4a in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:58667
    #11 0x18bfed7 in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:64237
    #12 0x1b11ea3 in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1928
    #13 0x10e6d7b in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2578
    #14 0x10e72aa in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2618
    #15 0x1b197c5 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:935
    #16 0x1b1c008 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1309
    #17 0x7fd775e39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #18 0x7fd775e3914a in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2a14a) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #19 0x602864 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x602864) (BuildId: 9749d43ca5f1fff9b820d72e2c7562054c225a04)

previously allocated by thread T0 here:
    #0 0x7fd7768f7997 in malloc (/lib64/libasan.so.8+0xf7997) (BuildId: 79824421bd82bb3ef4addf048e1265e2a93cfc64)
    #1 0x140af92 in __zend_malloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:3280
    #2 0x1406423 in _emalloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2737
    #3 0x1a31a38 in zend_list_insert /home/ilutov/Developer/php-src/Zend/zend_list.c:42
    #4 0x1a324bc in zend_register_resource /home/ilutov/Developer/php-src/Zend/zend_list.c:91
    #5 0x11624bb in _php_stream_alloc /home/ilutov/Developer/php-src/main/streams/streams.c:314
    #6 0x114f1bf in _php_stream_memory_create /home/ilutov/Developer/php-src/main/streams/memory.c:300
    #7 0xf35b9f in php_stream_url_wrap_php /home/ilutov/Developer/php-src/ext/standard/php_fopen_wrapper.c:210
    #8 0x1175c49 in _php_stream_open_wrapper_ex /home/ilutov/Developer/php-src/main/streams/streams.c:2235
    #9 0xe39f3f in zif_fopen /home/ilutov/Developer/php-src/ext/standard/file.c:746
    #10 0x16015d9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:1351
    #11 0x18a27ef in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:58810
    #12 0x18bfed7 in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:64237
    #13 0x1b11ea3 in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1928
    #14 0x10e6d7b in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2578
    #15 0x10e72aa in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2618
    #16 0x1b197c5 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:935
    #17 0x1b1c008 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1309
    #18 0x7fd775e39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #19 0x7fd775e3914a in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2a14a) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #20 0x602864 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x602864) (BuildId: 9749d43ca5f1fff9b820d72e2c7562054c225a04)

Looks like the resource is released too early.
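To make the lifetime problem discussed in this thread concrete, here is an added toy model in C; it is not php-src code and was not posted by anyone in the thread. It models a refcounted resource list with a deferred callback that captures a handle, standing in for the shutdown closure receiving the proc_open() resource. The pool, the magic values and the pid payload are all constructed for the illustration; entries are only poisoned rather than freed so that the early-release outcome can be checked instead of being undefined behaviour.

```c
#include <stdio.h>

/*
 * Added illustration, not php-src code: a toy refcounted resource list.
 * A deferred callback (the analogue of the register_shutdown_function()
 * closure) captures a handle (the analogue of the proc_open() resource).
 * If the creator drops its reference at script end while the callback
 * holds no reference of its own, the callback runs against a destroyed
 * entry. Entries are poisoned instead of freed so the bad access is
 * observable rather than undefined behaviour.
 */

#define POOL_SIZE 4
#define RES_LIVE  0x1A1B   /* constructed marker values */
#define RES_DEAD  0xDEAD

typedef struct {
    int magic;      /* RES_LIVE while valid, RES_DEAD once destroyed */
    int refcount;   /* number of holders; destroyed when it reaches 0 */
    int pid;        /* constructed sample payload, like a child pid */
} resource_t;

static resource_t pool[POOL_SIZE];

/* Register a new resource with exactly one holder (its creator). */
static resource_t *res_register(int slot, int pid) {
    resource_t *r = &pool[slot];
    r->magic = RES_LIVE;
    r->refcount = 1;
    r->pid = pid;
    return r;
}

static void res_addref(resource_t *r) {
    r->refcount++;
}

/* Drop one holder; the entry is destroyed only when the last holder goes. */
static void res_release(resource_t *r) {
    if (r->magic != RES_LIVE) return;   /* already destroyed */
    if (--r->refcount == 0) {
        r->magic = RES_DEAD;
        r->pid = -1;
    }
}

/* The deferred callback, the analogue of proc_get_status() in the shutdown
 * function. Returns the pid for a live handle, or -1 when it finds the entry
 * already destroyed (the toy's version of the use-after-free). */
static int shutdown_callback(resource_t *captured) {
    if (captured->magic != RES_LIVE) {
        return -1;
    }
    return captured->pid;
}

/* Script lifetime without the callback holding its own reference: the
 * creator's release at script end destroys the entry, and the callback
 * then touches a dead handle. */
static int run_without_extra_ref(void) {
    resource_t *h = res_register(0, 4242);   /* constructed pid */
    resource_t *captured = h;                /* closure captures the raw handle */
    res_release(h);                          /* script-end cleanup by the creator */
    return shutdown_callback(captured);      /* -1: handle already destroyed */
}

/* Same sequence, but the capturing side takes a reference first, so the
 * creator's release leaves the entry alive until the callback is done. */
static int run_with_extra_ref(void) {
    resource_t *h = res_register(1, 4242);
    resource_t *captured = h;
    res_addref(captured);                    /* closure owns a reference: 2 holders */
    res_release(h);                          /* creator's release: 2 -> 1, still live */
    int status = shutdown_callback(captured); /* 4242 */
    res_release(captured);                   /* last holder gone: now destroyed */
    return status;
}

/* Whether a slot has been destroyed, to confirm refcounting still releases it. */
static int res_is_dead(int slot) {
    return pool[slot].magic == RES_DEAD;
}

int main(void) {
    printf("without extra ref: %d\n", run_without_extra_ref());
    printf("with extra ref:    %d\n", run_with_extra_ref());
    return 0;
}
```

The first scenario is the shape the ASan report shows: the entry is freed by script-end cleanup (list_entry_destructor from i_free_compiled_variables) and then read by a later shutdown path. The second scenario shows the discipline that prevents it: whoever keeps a handle past the creator's lifetime must hold its own reference, so destruction waits for the last holder.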