UAF when serializing exception #17784

@YuanchengJiang

Description

The following code:

<?php
$b = new ErrorException();
$fusion = $b;
serialize($fusion);

Resulted in this output:

=================================================================
==1603663==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004850 at pc 0x00000326aff4 bp 0x7ffdf321f6d0 sp 0x7ffdf321f6c8
READ of size 4 at 0x607000004850 thread T0
    #0 0x326aff3 in php_var_serialize_intern /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:1258:14
    #1 0x3264c24 in php_var_serialize /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:1321:2
    #2 0x326edb1 in zif_serialize /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:1367:2
    #3 0x44ac2b9 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1299:2
    #4 0x3fa1717 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #5 0x3fa399c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #6 0x4d42aa9 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #7 0x353ea5a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2584:13
    #8 0x353fb98 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2624:9
    #9 0x4d56f9b in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:948:5
    #10 0x4d5147f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1348:18
    #11 0x7f1d4b2c0d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f1d4b2c0e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x605954 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605954)

0x607000004850 is located 0 bytes inside of 72-byte region [0x607000004850,0x607000004898)
freed by thread T0 here:
    #0 0x6805b2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6805b2)
    #1 0x3c1bb73 in zend_disable_class /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:3738:4
    #2 0x353bf17 in php_disable_classes /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:396:3
    #3 0x352f719 in php_module_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2314:2
    #4 0x4d5cc78 in php_cli_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:399:9
    #5 0x4d50c99 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1315:6
    #6 0x7f1d4b2c0d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x68081d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68081d)
    #1 0x3ba0673 in __zend_malloc /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:3280:14
    #2 0x3c37b3c in zend_declare_typed_property /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:4517:19
    #3 0x3efc0a9 in register_class_ErrorException /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions_arginfo.h:205:2
    #4 0x3ef7cfa in zend_register_default_exception /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:766:28
    #5 0x3ebe4dd in zend_register_default_classes /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_default_classes.c:35:2
    #6 0x3cbe1b2 in zm_startup_core /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_builtin_functions.c:38:2
    #7 0x3bf47ea in zend_startup_module_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2430:7
    #8 0x3bf9d5e in zend_startup_module_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2445:10
    #9 0x48316d3 in zend_hash_apply /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_hash.c:2085:13
    #10 0x3bf8f8b in zend_startup_modules /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2568:2
    #11 0x352f242 in php_module_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2296:2
    #12 0x4d5cc78 in php_cli_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:399:9
    #13 0x4d50c99 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1315:6
    #14 0x7f1d4b2c0d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:1258:14 in php_var_serialize_intern
Shadow bytes around the buggy address:
  0x0c0e7fff88b0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff88c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff88d0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e7fff88e0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e7fff88f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x0c0e7fff8900: 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd fd fd
  0x0c0e7fff8910: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8920: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff8930: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8940: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e7fff8950: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1603663==ABORTING

To reproduce:

 -d "disable_classes=CURLFile,ErrorException"

Commit:

commit 5acff0e61dd9a62ddff52bea25d552db45fb32e6
Author: Niels Dossche <[email protected]>
Date:   Tue Feb 11 21:57:50 2025 +0100

    Update NEWS and UPGRADING for zlib flock() support
    
    [ci skip]
    
    Closes GH-17752.

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

5acff0e

Operating System

No response