
heap use-after-free in URI #20107

@chongwick

Description


The following code:

<?php
// Fuzzer-generated reproducer; variable names are kept as reported.
$v_6703 = 'https://username:[email protected]:8080/path?q=r#fragment';
// A well-formed URI parsed with the RFC 3986 parser (this call succeeds).
$v_6704 = new Uri\Rfc3986\Uri($v_6703,);
$v_7756 = 4;
$v_7757 = 1086849124;
$v_7758 = 133;
// mhash() is deprecated since PHP 8.1 and returns false here (see the output below).
$v_7759 = mhash($v_7756,$v_7757,$v_7758,);
$v_7760 = var_dump($v_7759,);
$v_6705 = var_dump($v_7760,);
$v_7752 = 'hash';
$v_7753 = new ReflectionExtension($v_7752,);
// The ReflectionExtension object is coerced to a string via __toString(), so the
// WHATWG parser receives a multi-line dump of the "hash" extension rather than a URL.
// This is the call that triggers the heap-use-after-free reported below.
$v_6707 = new Uri\WhatWg\Url($v_7753,);

Resulted in this output:

Deprecated: Function mhash() is deprecated since 8.1 in /home/w023dtc/treebugs/32b2289d47d03dcfa4e5.php.er on line 7
bool(false)
NULL
=================================================================
==2499454==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000016900 at pc 0x000000619c76 bp 0x7fff0d2aad30 sp 0x7fff0d2aa4f0
READ of size 2 at 0x625000016900 thread T0
    #0 0x619c75 in strlen (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x619c75)
    #1 0x58f96d0 in zend_update_property_string /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:5034:2
    #2 0x4803d3c in fill_errors /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:77:3
    #3 0x4802d10 in php_uri_parser_whatwg_parse_ex /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:566:24
    #4 0x48060a5 in php_uri_parser_whatwg_parse /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:584:9
    #5 0x47c9db5 in php_uri_instantiate_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:351:14
    #6 0x47d2033 in create_whatwg_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:498:2
    #7 0x47d20f1 in zim_Uri_WhatWg_Url___construct /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:509:2
    #8 0x5f346db in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2022:4
    #9 0x5c7732b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115754:12
    #10 0x5c798bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121466:2
    #11 0x69ff249 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #12 0x51d758a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #13 0x51d86c8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #14 0x6a1415a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #15 0x6a0e53f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #16 0x150f75ee6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x150f75ee6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x607b04 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b04)

0x625000016900 is located 0 bytes inside of 8990-byte region [0x625000016900,0x625000018c1e)
freed by thread T0 here:
    #0 0x682762 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682762)
    #1 0x5841023 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x584c0db in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x1a8a0aa in php_lexbor_free /home/w023dtc/nightly_php/php-src/ext/lexbor/php_lexbor.c:49:2
    #4 0x1d99f59 in lexbor_free /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/ports/posix/lexbor/core/memory.c:35:5
    #5 0x1dc7d43 in lxb_url_parse_basic_h /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:2430:5
    #6 0x1db8f95 in lxb_url_parse_basic /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:1244:14
    #7 0x1db8eba in lxb_url_parse /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:1231:12
    #8 0x4802c92 in php_uri_parser_whatwg_parse_ex /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:562:19
    #9 0x48060a5 in php_uri_parser_whatwg_parse /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:584:9
    #10 0x47c9db5 in php_uri_instantiate_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:351:14
    #11 0x47d2033 in create_whatwg_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:498:2
    #12 0x47d20f1 in zim_Uri_WhatWg_Url___construct /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:509:2
    #13 0x5f346db in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2022:4
    #14 0x5c7732b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115754:12
    #15 0x5c798bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121466:2
    #16 0x69ff249 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #17 0x51d758a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #18 0x51d86c8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #19 0x6a1415a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #20 0x6a0e53f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #21 0x150f75ee6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829cd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829cd)
    #1 0x584d393 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x584baf9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x1a89fea in php_lexbor_malloc /home/w023dtc/nightly_php/php-src/ext/lexbor/php_lexbor.c:34:9
    #4 0x1d99ed9 in lexbor_malloc /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/ports/posix/lexbor/core/memory.c:17:12
    #5 0x1ddf025 in lxb_url_remove_tab_newline /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:3059:11
    #6 0x1db975b in lxb_url_parse_basic_h /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:1297:11
    #7 0x1db8f95 in lxb_url_parse_basic /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:1244:14
    #8 0x1db8eba in lxb_url_parse /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:1231:12
    #9 0x4802c92 in php_uri_parser_whatwg_parse_ex /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:562:19
    #10 0x48060a5 in php_uri_parser_whatwg_parse /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:584:9
    #11 0x47c9db5 in php_uri_instantiate_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:351:14
    #12 0x47d2033 in create_whatwg_uri /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:498:2
    #13 0x47d20f1 in zim_Uri_WhatWg_Url___construct /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:509:2
    #14 0x5f346db in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2022:4
    #15 0x5c7732b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115754:12
    #16 0x5c798bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121466:2
    #17 0x69ff249 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #18 0x51d758a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #19 0x51d86c8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #20 0x6a1415a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #21 0x6a0e53f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #22 0x150f75ee6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x619c75) in strlen
Shadow bytes around the buggy address:
  0x0c4a7fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffad10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffad20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffad30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffad40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffad50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffad60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffad70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2499454==ABORTING
USE_ZEND_ALLOC=0 php script.php

PHP Version

nightly

Operating System

ubuntu 22.04
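The three stacks in the ASan report above share one shape: a buffer is allocated in lxb_url_remove_tab_newline, freed at the end of lxb_url_parse_basic_h, and then read by strlen() when fill_errors stores an error string with zend_update_property_string. The following C program is an added example, not php-src or lexbor code, that models that pattern in miniature: a parser strips tabs and newlines into a temporary copy of its input, finds a fault, and records where it was. The unsafe variant lets a pointer into the temporary buffer escape past free(); the safe variant copies the error text into caller-owned memory first. All function and type names here are invented for illustration.

```c
// Added example (not php-src or lexbor code): error context that outlives a
// parser's temporary buffer, shown unsafe and safe. Names are hypothetical.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    int         code;      // 0 = ok, nonzero = error kind
    const char *context;   // text describing where the error was found
    int         owned;     // 1 if context must be freed by the caller
} parse_error;

// Duplicate a C string into fresh heap memory (avoids relying on strdup()).
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

// Strip ASCII tab, LF and CR into a freshly malloc'd copy, the role that
// lxb_url_remove_tab_newline plays in the trace. Caller frees the result.
static char *remove_tab_newline(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] != '\t' && in[i] != '\n' && in[i] != '\r') out[j++] = in[i];
    }
    out[j] = '\0';
    return out;
}

// Toy validity rule: the first character must be an ASCII letter (a scheme
// start); otherwise the fault is reported at that position.
static const char *find_fault(const char *cleaned) {
    if (cleaned[0] == '\0' || !isalpha((unsigned char)cleaned[0])) return cleaned;
    return NULL;
}

// UNSAFE: err.context points into `tmp`, which is freed before returning.
// Any later use of err.context (strlen, copying it into a property) reads
// freed memory. Shown only for contrast; the test below never calls it.
parse_error parse_unsafe(const char *input) {
    parse_error err = {0, NULL, 0};
    char *tmp = remove_tab_newline(input);
    if (!tmp) { err.code = -1; return err; }
    const char *fault = find_fault(tmp);
    if (fault) { err.code = 1; err.context = fault; }
    free(tmp);            // the dangling pointer escapes in err.context
    return err;
}

// SAFE: the error text is copied into caller-owned memory while `tmp` is still
// alive, so the temporary buffer can be freed without consequence.
parse_error parse_safe(const char *input) {
    parse_error err = {0, NULL, 0};
    char *tmp = remove_tab_newline(input);
    if (!tmp) { err.code = -1; return err; }
    const char *fault = find_fault(tmp);
    if (fault) {
        err.code = 1;
        err.context = dup_string(fault);   // copy made before free(tmp)
        err.owned = err.context != NULL;
    }
    free(tmp);
    return err;
}

// Release an error produced by parse_safe().
void parse_error_release(parse_error *err) {
    if (err->owned) free((void *)err->context);
    err->context = NULL;
    err->owned = 0;
}

int main(void) {
    // Constructed input: the leading newline and the tab are stripped,
    // then "?badhost" fails the first-character rule.
    parse_error err = parse_safe("\n?bad\thost");
    if (err.code) printf("error %d near \"%s\"\n", err.code, err.context);
    parse_error_release(&err);
    return 0;
}
```

The fix that matters is the ownership rule: whatever the parser hands back as error context must either be copied before the parser's scratch memory is released, or the scratch buffer must live at least as long as the error object that refers into it. Running the reproducer under ASan (USE_ZEND_ALLOC=0 disables the Zend allocator so ASan sees every malloc and free) is what makes this class of bug visible at the first bad read rather than as a later crash.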
