
UAF detected in zend_hash #17189

@chongwick

Description

The following code:

<?php
class MaliciousClass {
    // Reproducer for the heap-use-after-free reported above: the parser's
    // start-element callback reassigns the same property that parseXml()
    // has handed to xml_parse_into_struct() by reference, so the extension
    // keeps using a HashTable that the engine has already freed.
    private $parser;
    // Receives the parser's output arrays; also replaced from inside the
    // start-element callback (see __construct).
    private $immutableData;

    public function __construct() {
        $this->parser = xml_parser_create();
        // Closures created inside a method bind $this automatically, so the
        // handlers below can touch the object's private properties while
        // xml_parse_into_struct() is still running.
        xml_set_element_handler($this->parser, function ($parser, $name, $attrs) {
            echo "open\n";
            var_dump($name, $attrs);
            // This assignment is the free in the ASan report
            // (zend_std_write_property via ZEND_ASSIGN_OBJ): it releases the
            // array that xml_parse_into_struct() allocated for its
            // by-reference argument. The same start-element handler then
            // reads that array again in xml_add_to_info (xml.c:637 in the
            // trace), which is the reported use-after-free.
            $this->immutableData = array();
            // phpinfo() prints the configuration page; its return value
            // (true) is what ends up under the 'phpinfo' key.
            $this->immutableData['phpinfo'] = phpinfo();
        }, function ($parser, $name) {
            echo "close\n";
            var_dump($name);
        });
    }

    public function parseXml($xml) {
        $this->immutableData = array();
        // Both out-parameters ($values and $index) alias the same property,
        // which the start-element handler above replaces mid-parse.
        xml_parse_into_struct($this->parser, $xml, $this->immutableData, $this->immutableData);
        return $this->immutableData;
    }

    public function triggerCrash() {
        // Parsing any element is enough to invoke the start-element handler
        // that frees the array while the parser still holds it.
        $this->parseXml("<container><child/></container>");
        $data = $this->immutableData['phpinfo'];
        echo json_encode($data). "\n";
    }
}

// Instantiate the reproducer and run the parse that triggers the ASan report.
$repro = new MaliciousClass();
$repro->triggerCrash();

?>

Running it under an AddressSanitizer build produced this output:

==3601905==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001f3b0 at pc 0x558c69568a9f bp 0x7ffd01e807c0 sp 0x7ffd01e807b0
READ of size 8 at 0x60600001f3b0 thread T0
    #0 0x558c69568a9e in zend_hash_str_find_bucket /home/dan/php-src/Zend/zend_hash.c:781
    #1 0x558c69568a9e in zend_hash_str_find /home/dan/php-src/Zend/zend_hash.c:2697
    #2 0x558c69139d37 in xml_add_to_info /home/dan/php-src/ext/xml/xml.c:561
    #3 0x558c69140d65 in xml_add_to_info /home/dan/php-src/ext/xml/xml.c:637
    #4 0x558c69140d65 in xml_startElementHandler /home/dan/php-src/ext/xml/xml.c:637
    #5 0x558c69140d65 in xml_startElementHandler /home/dan/php-src/ext/xml/xml.c:589
    #6 0x558c6914aa7a in start_element_handler /home/dan/php-src/ext/xml/compat.c:70
    #7 0x15408efa5aeb in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x52aeb)
    #8 0x15408f0d37f7  (/lib/x86_64-linux-gnu/libxml2.so.2+0x1807f7)
    #9 0x15408efac3c0 in xmlParseChunk (/lib/x86_64-linux-gnu/libxml2.so.2+0x593c0)
    #10 0x558c6914bf45 in php_XML_Parse /home/dan/php-src/ext/xml/compat.c:546
    #11 0x558c69136215 in xml_parse_helper /home/dan/php-src/ext/xml/xml.c:288
    #12 0x558c6913f146 in zif_xml_parse_into_struct /home/dan/php-src/ext/xml/xml.c:1394
    #13 0x558c6950bee0 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/dan/php-src/Zend/zend_vm_execute.h:1287
    #14 0x558c6950bee0 in execute_ex /home/dan/php-src/Zend/zend_vm_execute.h:58774
    #15 0x558c69526490 in zend_execute /home/dan/php-src/Zend/zend_vm_execute.h:64206
    #16 0x558c69640645 in zend_execute_script /home/dan/php-src/Zend/zend.c:1934
    #17 0x558c691694e6 in php_execute_script_ex /home/dan/php-src/main/main.c:2574
    #18 0x558c69644e36 in do_cli /home/dan/php-src/sapi/cli/php_cli.c:935
    #19 0x558c689b03c2 in main /home/dan/php-src/sapi/cli/php_cli.c:1310
    #20 0x15408ec06d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #21 0x15408ec06e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #22 0x558c689b1634 in _start (/home/w023dtc/php_engines/san_php+0x4c8634)

0x60600001f3b0 is located 16 bytes inside of 56-byte region [0x60600001f3a0,0x60600001f3d8)
freed by thread T0 here:
    #0 0x15408f2d0537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x558c695e0942 in zend_std_write_property /home/dan/php-src/Zend/zend_object_handlers.c:1041
    #2 0x558c694a7390 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_OP_DATA_CONST_HANDLER /home/dan/php-src/Zend/zend_vm_execute.h:34204
    #3 0x558c694f9e21 in execute_ex /home/dan/php-src/Zend/zend_vm_execute.h:62366
    #4 0x558c6939297c in zend_call_function /home/dan/php-src/Zend/zend_execute_API.c:996
    #5 0x558c69394031 in zend_call_known_function /home/dan/php-src/Zend/zend_execute_API.c:1090
    #6 0x558c69140881 in zend_call_known_fcc /home/dan/php-src/Zend/zend_API.h:852
    #7 0x558c69140881 in xml_startElementHandler /home/dan/php-src/ext/xml/xml.c:623
    #8 0x558c69140881 in xml_startElementHandler /home/dan/php-src/ext/xml/xml.c:589
    #9 0x558c6914aa7a in start_element_handler /home/dan/php-src/ext/xml/compat.c:70
    #10 0x15408efa5aeb in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x52aeb)

previously allocated by thread T0 here:
    #0 0x15408f2d0887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x558c692b3644 in __zend_malloc /home/dan/php-src/Zend/zend_alloc.c:3280
    #2 0x558c69545c1c in _zend_new_array_0 /home/dan/php-src/Zend/zend_hash.c:284
    #3 0x558c6913ee49 in zend_try_array_init_size /home/dan/php-src/Zend/zend_API.h:1476
    #4 0x558c6913ee49 in zend_try_array_init /home/dan/php-src/Zend/zend_API.h:1495
    #5 0x558c6913ee49 in zif_xml_parse_into_struct /home/dan/php-src/ext/xml/xml.c:1375
    #6 0x558c6950bee0 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/dan/php-src/Zend/zend_vm_execute.h:1287
    #7 0x558c6950bee0 in execute_ex /home/dan/php-src/Zend/zend_vm_execute.h:58774
    #8 0x558c69526490 in zend_execute /home/dan/php-src/Zend/zend_vm_execute.h:64206
    #9 0x558c69640645 in zend_execute_script /home/dan/php-src/Zend/zend.c:1934
    #10 0x558c691694e6 in php_execute_script_ex /home/dan/php-src/main/main.c:2574
    #11 0x558c69644e36 in do_cli /home/dan/php-src/sapi/cli/php_cli.c:935
    #12 0x558c689b03c2 in main /home/dan/php-src/sapi/cli/php_cli.c:1310
    #13 0x15408ec06d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /home/dan/php-src/Zend/zend_hash.c:781 in zend_hash_str_find_bucket
Shadow bytes around the buggy address:
  0x0c0c7fffbe20: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fffbe30: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fffbe40: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fffbe50: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fffbe60: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c7fffbe70: fa fa fa fa fd fd[fd]fd fd fd fd fa fa fa fa fa
  0x0c0c7fffbe80: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffbe90: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fffbea0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fffbeb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffbec0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3601905==ABORTING

PHP Version

PHP 8.4.1

Operating System

Ubuntu 22.04
