
dba stream resource mismanagement #19706

@chongwick

Description


The following code:

<?php
// Fuzzer-generated reproducer for php-src issue #19706 ("dba stream resource
// mismanagement"). Most of the variables below are generator noise; the part
// that matters for the crash is the dba handle opened with the 'cdb_make'
// handler further down, which is placed in the array that the loop iterates
// and is never closed with dba_close() before the script ends. The ASan
// report that follows this script shows the handle's underlying stream being
// freed by the resource-list shutdown (zend_close_rsrc_list) and then flushed
// again when the connection object is destroyed (dba_connection_free_obj ->
// cdb_make_finish -> _php_stream_flush), i.e. a heap-use-after-free.

// Assigned but never used.
$v_268461 = '*** Testing strripos() function: with double quoted strings ***\n';
// Haystack for every strripos() call in the loop. Single-quoted, so the
// "\t", "\n" and "\x00" sequences are literal backslash characters here,
// not control characters.
$v_268462 = 'Hello,\t\n\x00\n  $&!#%()*<=>?@hello123456he #4 A ';
// Needles collected into the array below (indices 0-24).
$v_268464 = 'l';
$v_268465 = 'L';
$v_268466 = 'HELLO';
$v_268467 = 'hEllo';
$v_268468 = '\t';
$v_268469 = '\\T';
$v_268470 = '     ';
$v_268471 = '\n';
$v_268472 = '\\N';
$v_268473 = '\n';
$v_268474 = '\x00';
// Non-string needles; with strict_types off these coerce to '' when passed
// to strripos().
$v_268475 = FALSE;
$v_268476 = False;
$v_268477 = '';
$v_268478 = ' ';
$v_268479 = '$';
$v_268480 = ' $';
$v_268481 = '&';
$v_268482 = '!#';
$v_268483 = '()';
$v_268484 = '<=>';
$v_268485 = '>';
$v_268486 = '=>';
$v_268487 = '?';
$v_268488 = '@';
// Database file is created next to the script: __DIR__ . '/129php.cdb'.
$v_268521 = __DIR__;
$v_268522 = '/129php.cdb';
$v_268523 = $v_268521 . $v_268522;
// Mode 'n' (create/truncate for writing) with the 'cdb_make' handler.
$v_268524 = 'n';
$v_268525 = 'cdb_make';
// The dba handle at the centre of the report. It is never passed to
// dba_close(); it only lives on as element 25 of the array below until
// request shutdown, where the stream it wraps is torn down twice.
// (Trailing commas in call argument lists are valid syntax.)
$v_268526 = dba_open($v_268523,$v_268524,$v_268525,);
// More needles (indices 26-31).
$v_268490 = '12345';
$v_268491 = '#';
$v_268492 = '#';
$v_268493 = 'A';
$v_268494 = 'A';
$v_268495 = '456HEE';
// 33 needles; index 25 is the dba handle itself and index 32 is the
// haystack string.
$v_268463 = array(0 => $v_268464,1 => $v_268465,2 => $v_268466,3 => $v_268467,4 => $v_268468,5 => $v_268469,6 => $v_268470,7 => $v_268471,8 => $v_268472,9 => $v_268473,10 => $v_268474,11 => $v_268475,12 => $v_268476,13 => $v_268477,14 => $v_268478,15 => $v_268479,16 => $v_268480,17 => $v_268481,18 => $v_268482,19 => $v_268483,20 => $v_268484,21 => $v_268485,22 => $v_268486,23 => $v_268487,24 => $v_268488,25 => $v_268526,26 => $v_268490,27 => $v_268491,28 => $v_268492,29 => $v_268493,30 => $v_268494,31 => $v_268495,32 => $v_268462,);
// Iteration counter used only in the label string; it is never incremented.
$v_268496 = 1;
// Identical reassignment of the same array (generator artefact).
$v_268463 = array(0 => $v_268464,1 => $v_268465,2 => $v_268466,3 => $v_268467,4 => $v_268468,5 => $v_268469,6 => $v_268470,7 => $v_268471,8 => $v_268472,9 => $v_268473,10 => $v_268474,11 => $v_268475,12 => $v_268476,13 => $v_268477,14 => $v_268478,15 => $v_268479,16 => $v_268480,17 => $v_268481,18 => $v_268482,19 => $v_268483,20 => $v_268484,21 => $v_268485,22 => $v_268486,23 => $v_268487,24 => $v_268488,25 => $v_268526,26 => $v_268490,27 => $v_268491,28 => $v_268492,29 => $v_268493,30 => $v_268494,31 => $v_268495,32 => $v_268462,);
// Each needle is searched for in the haystack at the default offset, at
// offset 1 and at offset 20. None of the results are used afterwards.
// NOTE(review): when the loop reaches element 25 (the dba handle, which is
// not a string), strripos() presumably rejects it with a TypeError and the
// script terminates there; either way the handle is still alive at shutdown,
// which is what the ASan trace exercises — confirm.
foreach ($v_268463 as $needle){
$v_268498 = $needle;
$v_268499 = "-- Iteration $v_268496 --\n";
$v_268500 = strripos($v_268462,$v_268498,);
$v_268502 = 1;
$v_268503 = strripos($v_268462,$v_268498,$v_268502,);
$v_268505 = 20;
$v_268506 = strripos($v_268462,$v_268498,$v_268505,);
$v_268508 = 1;
$v_268509 = -($v_268508);
// Offset -1 search, but note the needle here is the literal 'cdb_make'
// handler name ($v_268525), not the current element.
$v_268510 = strripos($v_268462,$v_268525,$v_268509,);
// pack('S', 255) yields a 2-byte binary string that is then incremented;
// the result is discarded.
$v_268515 = 'S';
$v_268516 = 255;
$v_268517 = pack($v_268515,$v_268516,);
$v_268512 = $v_268517;
$v_268512++;
}
// Holds whatever element the loop last visited.
$v_268497 = $needle;

Resulted in this output:

==2637210==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000021b28 at pc 0x0000051851c9 bp 0x7ffd67245370 sp 0x7ffd67245368
READ of size 8 at 0x611000021b28 thread T0
    #0 0x51851c8 in _php_stream_flush /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1284:27
    #1 0xfc0ece in cdb_make_finish /home/w023dtc/nightly_php/php-src/ext/dba/libcdb/cdb_make.c:227:6
    #2 0xf8b3ad in dba_close_cdb /home/w023dtc/nightly_php/php-src/ext/dba/dba_cdb.c:124:3
    #3 0xfb4c21 in dba_close_info /home/w023dtc/nightly_php/php-src/ext/dba/dba.c:248:3
    #4 0xfa2bff in dba_close_connection /home/w023dtc/nightly_php/php-src/ext/dba/dba.c:299:3
    #5 0xf96587 in dba_connection_free_obj /home/w023dtc/nightly_php/php-src/ext/dba/dba.c:353:3
    #6 0x6704171 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:196:4
    #7 0x68192f7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #8 0x681957e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #9 0x6819334 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #10 0x633b561 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1486:3
    #11 0x6338cdd in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1513:2
    #12 0x634e076 in zend_hash_graceful_reverse_destroy /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2038:4
    #13 0x5a60e92 in zend_shutdown_executor_values /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:285:3
    #14 0x5a6d57e in shutdown_executor /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:455:2
    #15 0x686202b in zend_deactivate /home/w023dtc/nightly_php/php-src/Zend/zend.c:1351:2
    #16 0x5047055 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1988:2
    #17 0x688ee31 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1159:3
    #18 0x6883e0f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #19 0x14991b8a7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x14991b8a7e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #21 0x6061f4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6061f4)

0x611000021b28 is located 40 bytes inside of 224-byte region [0x611000021b00,0x611000021be0)
freed by thread T0 here:
    #0 0x680e52 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x680e52)
    #1 0x56c1803 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3589:2
    #2 0x56cc8bb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2808:3
    #3 0x518500d in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:529:3
    #4 0x519f8b4 in stream_resource_regular_dtor /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1841:19
    #5 0x669f059 in zend_resource_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_list.c:73:3
    #6 0x66a14e5 in zend_close_rsrc_list /home/w023dtc/nightly_php/php-src/Zend/zend_list.c:225:5
    #7 0x5a6094b in zend_shutdown_executor_values /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:278:3
    #8 0x5a6d57e in shutdown_executor /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:455:2
    #9 0x686202b in zend_deactivate /home/w023dtc/nightly_php/php-src/Zend/zend.c:1351:2
    #10 0x5047055 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1988:2
    #11 0x688ee31 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1159:3
    #12 0x6883e0f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #13 0x14991b8a7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6810bd)
    #1 0x56cdb73 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3561:14
    #2 0x56cc2d9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2798:10
    #3 0x518013d in _php_stream_alloc /home/w023dtc/nightly_php/php-src/main/streams/streams.c:283:22
    #4 0x516b8d2 in _php_stream_fopen_from_fd_int /home/w023dtc/nightly_php/php-src/main/streams/plain_wrapper.c:194:9
    #5 0x516ba2b in _php_stream_fopen_from_fd /home/w023dtc/nightly_php/php-src/main/streams/plain_wrapper.c:280:23
    #6 0x51748c6 in _php_stream_fopen /home/w023dtc/nightly_php/php-src/main/streams/plain_wrapper.c:1174:10
    #7 0x517879e in php_plain_files_stream_opener /home/w023dtc/nightly_php/php-src/main/streams/plain_wrapper.c:1240:9
    #8 0x51a8585 in _php_stream_open_wrapper_ex /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2256:13
    #9 0xf9ebd2 in php_dba_open /home/w023dtc/nightly_php/php-src/ext/dba/dba.c:838:32
    #10 0xfa1d5e in zif_dba_open /home/w023dtc/nightly_php/php-src/ext/dba/dba.c:959:2
    #11 0x5fd774f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1410:2
    #12 0x5af34e3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #13 0x5af5a6c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #14 0x6874b19 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #15 0x5059daa in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #16 0x505aee8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #17 0x6889a2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #18 0x6883e0f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #19 0x14991b8a7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1284:27 in _php_stream_flush
Shadow bytes around the buggy address:
  0x0c227fffc310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffc320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffc330: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffc340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffc350: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fffc360: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c227fffc370: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c227fffc380: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffc390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffc3a0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffc3b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2637210==ABORTING

USE_ZEND_ALLOC=0 php script.php

PHP Version

nightly

Operating System

Ubuntu 20.04
