
Segmentation fault in ext/ffi/ffi.c #16526

@YuanchengJiang

Description

The following code:

<?php
$domain = AF_INET;
$s = socket_create($domain, SOCK_DGRAM, SOL_UDP) or die("err");
// $level is never assigned here; PHP warns and coerces null to 0
$r = socket_set_option($s, $level, IP_MULTICAST_IF, 1);
$r = socket_get_option($s, $level, IP_MULTICAST_IF);
$fusion = $r; // a plain integer, not a pointer
$f = FFI::cdef("typedef struct { char *bar; } other;");
class Container {
function __construct($f) { $this->data = $f->new("other"); }
function &getBar() { return $this->data->bar; } // return by ref to get CData instead of null
}
$container = new Container($f);
// reinterpret the integer as a char* and store it in the struct field
FFI::addr($container->getBar())[0] = $f->cast("char*", $fusion); // directly write it
// the debug-info handler dereferences the bogus pointer while dumping
var_dump($container);

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1233956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55f1cd928020 bp 0x7ffe2f253960 sp 0x7ffe2f2533a0 T0)
==1233956==The signal is caused by a READ memory access.
==1233956==Hint: address points to the zero page.
    #0 0x55f1cd928020 in zend_ffi_cdata_to_zval /php-src/ext/ffi/ffi.c:591:5
    #1 0x55f1cd83a371 in zend_ffi_cdata_get_debug_info /php-src/ext/ffi/ffi.c:2088:5
    #2 0x55f1d0de827e in zend_std_get_properties_for /php-src/Zend/zend_object_handlers.c:2384:10
    #3 0x55f1d0de8f09 in zend_get_properties_for /php-src/Zend/zend_object_handlers.c:2433:9
    #4 0x55f1cf595627 in php_var_dump /php-src/ext/standard/var.c:178:11
    #5 0x55f1cf598a71 in php_object_property_dump /php-src/ext/standard/var.c:86:3
    #6 0x55f1cf5967a8 in php_var_dump /php-src/ext/standard/var.c:201:7
    #7 0x55f1cf598a71 in php_object_property_dump /php-src/ext/standard/var.c:86:3
    #8 0x55f1cf5967a8 in php_var_dump /php-src/ext/standard/var.c:201:7
    #9 0x55f1cf599463 in zif_var_dump /php-src/ext/standard/var.c:245:3
    #10 0x55f1d0712776 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /php-src/Zend/zend_vm_execute.h:1299:2
    #11 0x55f1d0249053 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
    #12 0x55f1d024b1b2 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
    #13 0x55f1d0f4be11 in zend_execute_script /php-src/Zend/zend.c:1928:3
    #14 0x55f1cf85bc18 in php_execute_script_ex /php-src/main/main.c:2574:13
    #15 0x55f1cf85ccd8 in php_execute_script /php-src/main/main.c:2614:9
    #16 0x55f1d0f5f586 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #17 0x55f1d0f59c54 in main /php-src/sapi/cli/php_cli.c:1310:18
    #18 0x7fb575bf3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fb575bf3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x55f1cc806dc4 in _start (/php-src/sapi/cli/php+0x2606dc4) (BuildId: 624b537b84102d81dc2dffd172661a374438f378)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/ext/ffi/ffi.c:591:5 in zend_ffi_cdata_to_zval
==1233956==ABORTING

PHP Version

nightly

Operating System

ubuntu 22.04
