Fix stack poisoning

Author: arnaud-lb

Zend/zend_vm_def.h

@@ -2981,8 +2981,14 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 		} else if (UNEXPECTED(call_info & ZEND_CALL_FAKE_CLOSURE)) {
 			OBJ_RELEASE(ZEND_PARTIAL_OBJECT(EX(func)));
 		}
+
+		zend_execute_data *prev_execute_data = EX(prev_execute_data);
+#ifdef __SANITIZE_ADDRESS__
+		size_t size = (size_t)EG(vm_stack_top) - (size_t)execute_data;
+		__asan_poison_memory_region(execute_data, size);
+#endif
 		EG(vm_stack_top) = (zval*)execute_data;
-		execute_data = EX(prev_execute_data);
+		execute_data = prev_execute_data;
 
 		if (UNEXPECTED(EG(exception) != NULL)) {
 			zend_rethrow_exception(execute_data);
@@ -4154,6 +4160,10 @@ ZEND_VM_HOT_HANDLER(129, ZEND_DO_ICALL, ANY, ANY, SPEC(RETVAL,OBSERVER))
 		}
 		zend_vm_stack_free_call_frame_ex(call_info, call);
 	} else {
+#ifdef __SANITIZE_ADDRESS__
+		size_t size = (size_t)EG(vm_stack_top) - (size_t)call;
+		__asan_poison_memory_region(call, size);
+#endif
 		EG(vm_stack_top) = (zval*)call;
 	}
 
@@ -4290,6 +4300,10 @@ ZEND_VM_C_LABEL(fcall_by_name_end):
 			}
 			zend_vm_stack_free_call_frame_ex(call_info, call);
 		} else {
+#ifdef __SANITIZE_ADDRESS__
+			size_t size = (size_t)EG(vm_stack_top) - (size_t)call;
+			__asan_poison_memory_region(call, size);
+#endif
 			EG(vm_stack_top) = (zval*)call;
 		}
 
@@ -4710,8 +4724,13 @@ ZEND_VM_HANDLER(139, ZEND_GENERATOR_CREATE, ANY, ANY)
 		call_info = EX_CALL_INFO();
 		EG(current_execute_data) = EX(prev_execute_data);
 		if (EXPECTED(!(call_info & (ZEND_CALL_TOP|ZEND_CALL_ALLOCATED)))) {
+			zend_execute_data *prev_execute_data = EX(prev_execute_data);
+#ifdef __SANITIZE_ADDRESS__
+			size_t size = (size_t)EG(vm_stack_top) - (size_t)execute_data;
+			__asan_poison_memory_region(execute_data, size);
+#endif
 			EG(vm_stack_top) = (zval*)execute_data;
-			execute_data = EX(prev_execute_data);
+			execute_data = prev_execute_data;
 			LOAD_NEXT_OPLINE();
 			ZEND_VM_LEAVE();
 		} else if (EXPECTED(!(call_info & ZEND_CALL_TOP))) {

ext/opcache/jit/zend_jit_helpers.c

@@ -306,6 +306,20 @@ static zend_execute_data* ZEND_FASTCALL zend_jit_int_extend_stack_helper(uint32_
 	return call;
 }
 
+static void ZEND_FASTCALL zend_jit_poison_memory_region_helper(void *addr, size_t size)
+{
+#ifdef __SANITIZE_ADDRESS__
+	__asan_poison_memory_region(addr, size);
+#endif
+}
+
+static void ZEND_FASTCALL zend_jit_unpoison_memory_region_helper(void *addr, size_t size)
+{
+#ifdef __SANITIZE_ADDRESS__
+	__asan_unpoison_memory_region(addr, size);
+#endif
+}
+
 static zval* ZEND_FASTCALL zend_jit_symtable_find(HashTable *ht, zend_string *str)
 {
 	zend_ulong idx;

ext/opcache/jit/zend_jit_ir.c

@@ -3112,6 +3112,8 @@ static void zend_jit_setup_disasm(void)
 	REGISTER_HELPER(zend_jit_uninit_static_prop);
 	REGISTER_HELPER(zend_jit_rope_end);
 	REGISTER_HELPER(zend_fcall_interrupt);
+	REGISTER_HELPER(zend_jit_poison_memory_region_helper);
+	REGISTER_HELPER(zend_jit_unpoison_memory_region_helper);
 
 #ifndef ZTS
 	REGISTER_DATA(EG(current_execute_data));
@@ -8632,6 +8634,11 @@ static int zend_jit_push_call_frame(zend_jit_ctx *jit, const zend_op *opline, co
 #endif
 	ir_STORE(ref, ir_ADD_A(top, used_stack_ref));
 
+#ifdef __SANITIZE_ADDRESS__
+	ir_CALL_2(IR_VOID, ir_CONST_FC_FUNC(zend_jit_unpoison_memory_region_helper),
+			rx, used_stack_ref);
+#endif
+
 	// JIT: zend_vm_init_call_frame(call, call_info, func, num_args, called_scope, object);
 	if (JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE || opline->opcode != ZEND_INIT_METHOD_CALL) {
 		// JIT: ZEND_SET_CALL_INFO(call, 0, call_info);
@@ -11193,6 +11200,11 @@ static int zend_jit_leave_func(zend_jit_ctx         *jit,
 		may_throw = 1;
 	}
 
+#ifdef __SANITIZE_ADDRESS__
+	ir_CALL_2(IR_VOID, ir_CONST_FC_FUNC(zend_jit_poison_memory_region_helper),
+			jit_FP(jit), ir_SUB_A(ir_LOAD_A(jit_EG(vm_stack_top)), jit_FP(jit)));
+#endif
+
 	// JIT: EG(vm_stack_top) = (zval*)execute_data
 	ir_STORE(jit_EG(vm_stack_top), jit_FP(jit));