assertion failure leads to heap buffer overflow in zend_variables.c #19821

@chongwick

Description

The following code:

<?php
// zend_create_unterminated_string() and zend_terminate_string() are test helpers
// from ext/zend_test, so the build must have that extension enabled.
try {
    $v_99774 = __DIR__;
    $v_99779 = '333';
    // String whose buffer lacks the trailing NUL terminator.
    $v_99780 = zend_create_unterminated_string($v_99779,);
    $v_99776 = $v_99774 . $v_99780;
    // The path argument is scanned for embedded NUL bytes; the ASan read is reported here.
    $v_99777 = new PharData($v_99776,);
}
catch (Exception $e) {
    $v_99771 = $e->getMessage();
    $v_99781 = '333 ';
    $v_99782 = zend_create_unterminated_string($v_99781,);
    // Writes the missing terminator back.
    $v_99787 = zend_terminate_string($v_99782,);
    $v_99773 = $v_99782 . $v_99787;
}

Resulted in this output:

=================================================================
==68==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000d4138 at pc 0x000000618366 bp 0x7fffd9f44c70 sp 0x7fffd9f44430
READ of size 17 at 0x6040000d4138 thread T0
    #0 0x618365 in strlen (/home/php+0x618365)
    #1 0x57c008b in zend_str_has_nul_byte /home/w023dtc/nightly_php/php-src/Zend/zend_API.h:947:26
    #2 0x57be66a in zend_parse_arg_path_str /home/w023dtc/nightly_php/php-src/Zend/zend_API.h:2328:16
    #3 0x57be13c in zend_parse_arg_path /home/w023dtc/nightly_php/php-src/Zend/zend_API.h:2338:7
    #4 0x57b9cf9 in zend_parse_arg_impl /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:895:10
    #5 0x5734220 in zend_parse_arg /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:1103:18
    #6 0x57366ff in zend_parse_va_args /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:1280:7
    #7 0x5736ac3 in zend_parse_parameters /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:1314:11
    #8 0x346ec05 in zim_Phar___construct /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:1132:7
    #9 0x5de708b in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2018:4
    #10 0x2afda1a in zend_jit_trace_execute /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:1074:12
    #11 0x2b240a5 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8156:9
    #12 0x2aec343 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #13 0x2aebbda in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #14 0x5b29ce3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115598:12
    #15 0x5b2c26c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121310:2
    #16 0x68ac8c9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #17 0x508e39a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2638:13
    #18 0x508f4d8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2678:9
    #19 0x68c17da in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #20 0x68bbbbf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #21 0x1507fa93ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x1507fa93ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x6061f4 in _start (/home/php+0x6061f4)

0x6040000d4138 is located 0 bytes to the right of 40-byte region [0x6040000d4110,0x6040000d4138)
allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/php+0x6810bd)
    #1 0x5702aa3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x5701209 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x6221cc8 in zend_string_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:167:36
    #4 0x5b629c0 in ZEND_CONCAT_SPEC_CV_CV_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:52594:10
    #5 0x2afda1a in zend_jit_trace_execute /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:1074:12
    #6 0x2b240a5 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8156:9
    #7 0x2aec343 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #8 0x2aebbda in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #9 0x5b29ce3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115598:12
    #10 0x5b2c26c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121310:2
    #11 0x68ac8c9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #12 0x508e39a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2638:13
    #13 0x508f4d8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2678:9
    #14 0x68c17da in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #15 0x68bbbbf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #16 0x1507fa93ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/php+0x618365) in strlen
==68==ABORTING

USE_ZEND_ALLOC=0 ./php -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit_buffer_size=256M" -d "opcache.jit=1254" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" script.php
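Added example, not code from the issue or from php-src: the trace shows strlen() being reached from zend_str_has_nul_byte while the PharData path argument is validated. This C model assumes that check compares the stored length against strlen() and that the zend_test helper yields a buffer with no trailing NUL; it shows why that pattern reads past an unterminated allocation, and a memchr()-bounded check that gives the same answer without depending on a terminator.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a zend_string: a length header followed by the
 * payload bytes. A normal zend_string also has a NUL right after val[len]. */
typedef struct {
    size_t len;
    char val[];
} zstr_t;

/* Allocate exactly len payload bytes plus, optionally, the trailing NUL.
 * terminated=false models the unterminated string the reproducer builds. */
static zstr_t *zstr_new(const char *src, size_t len, bool terminated) {
    zstr_t *s = malloc(sizeof(*s) + len + (terminated ? 1 : 0));
    if (!s) return NULL;
    s->len = len;
    memcpy(s->val, src, len);
    if (terminated) s->val[len] = '\0';
    return s;
}

/* Length-vs-strlen comparison (assumed shape of the check in the trace).
 * strlen() scans until it hits a NUL, so on an unterminated buffer it reads
 * past the allocation: that is the out-of-bounds READ ASan reports above.
 * Only ever call this on a string known to be terminated. */
static bool has_nul_byte_strlen(const zstr_t *s) {
    return s->len != strlen(s->val);
}

/* Bounded alternative: memchr() is limited to len bytes, so it gives the
 * same answer without depending on a terminator being present. */
static bool has_nul_byte_bounded(const zstr_t *s) {
    return memchr(s->val, '\0', s->len) != NULL;
}

/* Path-argument style validation: reject embedded NULs using the bounded check. */
static int path_arg_is_valid(const zstr_t *s) {
    return !has_nul_byte_bounded(s);
}
int main(void) {
    zstr_t *ok = zstr_new("/tmp/333", 8, true);           /* constructed sample */
    zstr_t *bad = zstr_new("/tmp/\0abc", 9, true);        /* embedded NUL */
    zstr_t *unterminated = zstr_new("333", 3, false);     /* no trailing NUL */
    int rc = (path_arg_is_valid(ok) && !path_arg_is_valid(bad)
              && path_arg_is_valid(unterminated)) ? 0 : 1;
    free(ok); free(bad); free(unterminated);
    return rc;
}
```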

PHP Version

nightly

Operating System

ubuntu 22.04
