Closed as not planned
Description
The following code:
<?php
function test($vars) {}
// CURLFile is listed in disable_classes in the reproduction command below
$a = new CURLFile();
// Pick one of the currently defined variables at random
$v2 = $definedVars[array_rand($definedVars = get_defined_vars())];
// $v1 and $v3 are never assigned; var_dump of $v2 triggers the crash when $v2 is the CURLFile object
var_dump('random_var:', $v1, $v2, $v3);
Resulted in this output:
string(11) "random_var:"
NULL
=================================================================
==2016956==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000006530 at pc 0x562fc9d9dedb bp 0x7ffe19b48b70 sp 0x7ffe19b48b68
READ of size 4 at 0x607000006530 thread T0
#0 0x562fc9d9deda in rebuild_object_properties_internal /php-src/Zend/zend_object_handlers.c:83:9
#1 0x562fc9da095c in zend_std_get_properties_ex /php-src/Zend/zend_object_handlers.h:282:10
#2 0x562fc9da0874 in zend_std_get_properties /php-src/Zend/zend_object_handlers.c:137:9
#3 0x562fc9da1cd0 in zend_std_get_debug_info /php-src/Zend/zend_object_handlers.c:196:10
#4 0x562fc9de292e in zend_std_get_properties_for /php-src/Zend/zend_object_handlers.c:2384:10
#5 0x562fc9de35b9 in zend_get_properties_for /php-src/Zend/zend_object_handlers.c:2433:9
#6 0x562fc858f737 in php_var_dump /php-src/ext/standard/var.c:178:11
#7 0x562fc8593573 in zif_var_dump /php-src/ext/standard/var.c:245:3
#8 0x562fc970ce36 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /php-src/Zend/zend_vm_execute.h:1299:2
#9 0x562fc9243713 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
#10 0x562fc9245872 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
#11 0x562fc9f45b01 in zend_execute_script /php-src/Zend/zend.c:1928:3
#12 0x562fc8856798 in php_execute_script_ex /php-src/main/main.c:2574:13
#13 0x562fc8857858 in php_execute_script /php-src/main/main.c:2614:9
#14 0x562fc9f59276 in do_cli /php-src/sapi/cli/php_cli.c:935:5
#15 0x562fc9f53944 in main /php-src/sapi/cli/php_cli.c:1310:18
#16 0x7f0a4de88d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#17 0x7f0a4de88e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#18 0x562fc5806db4 in _start (/php-src/sapi/cli/php+0x2606db4) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
0x607000006530 is located 0 bytes inside of 72-byte region [0x607000006530,0x607000006578)
freed by thread T0 here:
#0 0x562fc588c532 in free (/php-src/sapi/cli/php+0x268c532) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
#1 0x562fc8ee9341 in zend_disable_class /php-src/Zend/zend_API.c:3732:4
#2 0x562fc8853ca3 in php_disable_classes /php-src/main/main.c:381:6
#3 0x562fc8848615 in php_module_startup /php-src/main/main.c:2304:2
#4 0x562fc9f5cf48 in php_cli_startup /php-src/sapi/cli/php_cli.c:397:9
#5 0x562fc9f531a7 in main /php-src/sapi/cli/php_cli.c:1277:6
#6 0x7f0a4de88d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
previously allocated by thread T0 here:
#0 0x562fc588c7de in malloc (/php-src/sapi/cli/php+0x268c7de) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
#1 0x562fc8e738c3 in __zend_malloc /php-src/Zend/zend_alloc.c:3280:14
#2 0x562fc8f0372f in zend_declare_typed_property /php-src/Zend/zend_API.c:4511:19
#3 0x562fc61fb8ae in register_class_CURLFile /php-src/ext/curl/curl_file_arginfo.h:63:2
#4 0x562fc61faee8 in curlfile_register_class /php-src/ext/curl/curl_file.c:148:24
#5 0x562fc617e545 in zm_startup_curl /php-src/ext/curl/interface.c:413:2
#6 0x562fc8ec3b94 in zend_startup_module_ex /php-src/Zend/zend_API.c:2431:7
#7 0x562fc8ec8db1 in zend_startup_module_zval /php-src/Zend/zend_API.c:2446:10
#8 0x562fc9a63e64 in zend_hash_apply /php-src/Zend/zend_hash.c:2085:13
#9 0x562fc8ec800f in zend_startup_modules /php-src/Zend/zend_API.c:2569:2
#10 0x562fc8848154 in php_module_startup /php-src/main/main.c:2286:2
#11 0x562fc9f5cf48 in php_cli_startup /php-src/sapi/cli/php_cli.c:397:9
#12 0x562fc9f531a7 in main /php-src/sapi/cli/php_cli.c:1277:6
#13 0x7f0a4de88d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
SUMMARY: AddressSanitizer: heap-use-after-free /php-src/Zend/zend_object_handlers.c:83:9 in rebuild_object_properties_internal
==2016956==ABORTING
To reproduce (not minimal):
-d "opcache.cache_id=worker15" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=30719" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=60" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/php-src/modules/" -d "zend_extension=/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "disable_classes=CURLFile,ErrorException" -d "session.use_cookies=1"
It is not stably reproduced; it might need multiple tries.
PHP Version: PHP 8.4.0-dev
Operating System: Ubuntu 22.04