
Heap use after free at zend_is_smaller_helper_SPEC #10582

Closed
Changochen opened this issue Feb 14, 2023 · 2 comments

Comments

@Changochen

Description

The following code:

<?php
class Test
{
    function __construct()
    {
        $GLOBALS["a"] = &$this > var_dump($S);
    }
    function __destruct()
    {
        unset($GLOBALS["a"]);
    }
}
new Test();
new Test();

Resulted in this output:

USE_TRACKED_ALLOC=1 USE_ZEND_ALLOC=0 ../php-src/asan/sapi/cli/php -f ./poc.php
=================================================================
==26946==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000002230 at pc 0x5555557e07fc bp 0x7fffffff9cc0 sp 0x7fffffff9cb0
READ of size 8 at 0x602000002230 thread T0
    #0 0x5555557e07fb in zval_undefined_cv  php-src/Zend/zend_execute.c:271
    #1 0x555555e61284 in zend_is_smaller_helper_SPEC  php-src/Zend/zend_vm_execute.h:625
    #2 0x555555f5eccb in execute_ex  php-src/Zend/zend_vm_execute.h:57996
    #3 0x555555f91637 in zend_execute  php-src/Zend/zend_vm_execute.h:61087
    #4 0x555555d85b89 in zend_execute_scripts  php-src/Zend/zend.c:1845
    #5 0x555555c56db8 in php_execute_script  php-src/main/main.c:2481
    #6 0x5555561111b0 in do_cli  php-src/sapi/cli/php_cli.c:964
    #7 0x555555811756 in main  php-src/sapi/cli/php_cli.c:1333
    #8 0x7ffff6089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x555555811f49 in _start ( php-src/asan/sapi/cli/php+0x2bdf49)

Without USE_TRACKED_ALLOC=1 USE_ZEND_ALLOC=0, php won't crash.

Additionally, if we remove the last line and run again, we will see a memory leak:

<?php
class Test
{
    function __construct()
    {
        $GLOBALS["a"] = &$this > var_dump($S);
    }
    function __destruct()
    {
        unset($GLOBALS["a"]);
    }
}
new Test();

=================================================================
==27616==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555555cf5965 in tracked_malloc  php-src/Zend/zend_alloc.c:2827
    #2 0x555555fec6e8 in zend_objects_new  php-src/Zend/zend_objects.c:187
    #3 0x555555d8e280 in _object_and_properties_init  php-src/Zend/zend_API.c:1723
    #4 0x555555d8e280 in object_init_ex  php-src/Zend/zend_API.c:1746
    #5 0x555555e92d78 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER  php-src/Zend/zend_vm_execute.h:10472
    #6 0x555555f6376a in execute_ex  php-src/Zend/zend_vm_execute.h:57620
    #7 0x555555f91637 in zend_execute  php-src/Zend/zend_vm_execute.h:61087
    #8 0x555555d85b89 in zend_execute_scripts  php-src/Zend/zend.c:1845
    #9 0x555555c56db8 in php_execute_script  php-src/main/main.c:2481
    #10 0x5555561111b0 in do_cli  php-src/sapi/cli/php_cli.c:964
    #11 0x555555811756 in main  php-src/sapi/cli/php_cli.c:1333
    #12 0x7ffff6089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

PHP Version

PHP 8.3.0-dev

Operating System

No response

@nielsdos (Member)

Another variant of the class of issues handled in #10546

@nielsdos (Member)

nielsdos commented Apr 4, 2023

Just checked this. This was also fixed by #10606.
