Description
We found the stack buffer overflow error below, reported by AddressSanitizer, while running the Symfony tests. It can be reproduced with PHP master on both x86 and AArch64.
AddressSanitizer: stack-buffer-overflow /tmp/php-src/Zend/zend_alloc.c:1291 in zend_mm_alloc_small_slow
To reproduce, follow the scripts below.
- Check out and build PHP master with AddressSanitizer
cd /tmp
git clone git@github.com:php/php-src.git
cd php-src
bash buildconf -f
bash configure --enable-address-sanitizer --enable-debug --enable-bcmath \
--enable-calendar --enable-dba --enable-exif --enable-fpm --enable-ftp \
--enable-gd --enable-intl --enable-mbstring --enable-option-checking=fatal \
--enable-pcntl --enable-phpdbg --enable-shmop --enable-soap --enable-sockets \
--enable-sysvmsg --enable-sysvsem --enable-xmlreader --enable-zend-test
make -j 10
- Install Symfony and run the VarDumper test
cd /tmp
git clone https://github.com/symfony/symfony.git
cd symfony
composer install
php ./phpunit install
/tmp/php-src/sapi/cli/php ./phpunit src/Symfony/Component/VarDumper
Full error message
==703762==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f6c8b1fffa0 at pc 0x558d19e3103e bp 0x7fff5e085710 sp 0x7fff5e085700
WRITE of size 8 at 0x7f6c8b1fffa0 thread T0
#0 0x558d19e3103d in zend_mm_alloc_small_slow /tmp/php-src/Zend/zend_alloc.c:1291
#1 0x558d19e31226 in zend_mm_alloc_small /tmp/php-src/Zend/zend_alloc.c:1315
#2 0x558d19e3164c in zend_mm_alloc_heap /tmp/php-src/Zend/zend_alloc.c:1383
#3 0x558d19e38321 in _emalloc /tmp/php-src/Zend/zend_alloc.c:2615
#4 0x558d19f12c29 in zend_hash_real_init_packed_ex /tmp/php-src/Zend/zend_hash.c:157
#5 0x558d19f1a757 in _zend_hash_index_add_or_update_i /tmp/php-src/Zend/zend_hash.c:1147
#6 0x558d19f1af82 in zend_hash_next_index_insert /tmp/php-src/Zend/zend_hash.c:1221
#7 0x558d19e7d8d4 in zend_try_ct_eval_array /tmp/php-src/Zend/zend_compile.c:8919
#8 0x558d19e8d164 in zend_eval_const_expr /tmp/php-src/Zend/zend_compile.c:10891
#9 0x558d19e7ccbf in zend_try_ct_eval_array /tmp/php-src/Zend/zend_compile.c:8826
#10 0x558d19e84994 in zend_compile_array /tmp/php-src/Zend/zend_compile.c:9700
#11 0x558d19e8af1e in zend_compile_expr_inner /tmp/php-src/Zend/zend_compile.c:10566
#12 0x558d19e8b043 in zend_compile_expr /tmp/php-src/Zend/zend_compile.c:10604
#13 0x558d19e615e9 in zend_compile_return /tmp/php-src/Zend/zend_compile.c:5161
#14 0x558d19e8a619 in zend_compile_stmt /tmp/php-src/Zend/zend_compile.c:10364
#15 0x558d19e8a26e in zend_compile_top_stmt /tmp/php-src/Zend/zend_compile.c:10330
#16 0x558d19e8a053 in zend_compile_top_stmt /tmp/php-src/Zend/zend_compile.c:10316
#17 0x558d19de6f76 in zend_compile Zend/zend_language_scanner.l:618
#18 0x558d19de7417 in compile_file Zend/zend_language_scanner.l:653
#19 0x558d1984dde3 in phar_compile_file /tmp/php-src/ext/phar/phar.c:3349
#20 0x558d19de7b09 in compile_filename Zend/zend_language_scanner.l:704
#21 0x558d19f777b4 in zend_include_or_eval /tmp/php-src/Zend/zend_execute.c:4926
#22 0x558d19fa4026 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER /tmp/php-src/Zend/zend_vm_execute.h:4979
#23 0x558d1a0de617 in execute_ex /tmp/php-src/Zend/zend_vm_execute.h:57626
#24 0x558d1a0f0f51 in zend_execute /tmp/php-src/Zend/zend_vm_execute.h:61605
#25 0x558d19eddbc4 in zend_execute_scripts /tmp/php-src/Zend/zend.c:1881
#26 0x558d19d58da9 in php_execute_script /tmp/php-src/main/main.c:2501
#27 0x558d1a2ccfb8 in do_cli /tmp/php-src/sapi/cli/php_cli.c:966
#28 0x558d1a2cedba in main /tmp/php-src/sapi/cli/php_cli.c:1340
#29 0x7f6c8fe87d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#30 0x7f6c8fe87e3f in __libc_start_main_impl ../csu/libc-start.c:392
#31 0x558d19009e44 in _start (/tmp/php-src/sapi/cli/php+0x609e44)
Address 0x7f6c8b1fffa0 is a wild pointer.
SUMMARY: AddressSanitizer: stack-buffer-overflow /tmp/php-src/Zend/zend_alloc.c:1291 in zend_mm_alloc_small_slow
Shadow bytes around the buggy address:
0x0fee11637fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee11637fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x0fee11637fc0: f1 f1 f1 f1 00 f2 f2 f2 00 00 f2 f2 00 00 00 00
0x0fee11637fd0: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
0x0fee11637fe0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
=>0x0fee11637ff0: 00 00 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00
0x0fee11638000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee11638010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee11638020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee11638030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee11638040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==703762==ABORTING
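As an added triage example (not part of this issue, the reporter's scripts, or php-src), the following Python parses a report of the shape shown above: it pulls out the error kind, the access size and address, the stack frames and the bracketed shadow byte, decodes that byte with the legend ASan prints, and checks that the faulting address really maps onto the bracketed byte. The report excerpt embedded in the script is constructed from the lines above with the trace shortened to five frames. The shadow-mapping check assumes the default x86_64 ASan mapping (shadow = (addr >> 3) + 0x7fff8000), which matches the addresses in this report but does not hold for the AArch64 run the description mentions; the "allocator path" used to skip zend_alloc.c frames is a triage heuristic of this example, not something the issue states.

```python
"""Triage helper for an AddressSanitizer stack-buffer-overflow report.

Added example, not part of the php-src issue. Parses the header, trace and
marked shadow byte of a report, decodes the byte via ASan's legend, and checks
the faulting address against the bracketed shadow byte (x86_64 mapping only).
"""
import re

# Constructed excerpt of the report quoted in the issue (frames trimmed to five).
SAMPLE_REPORT = """\
==703762==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f6c8b1fffa0 at pc 0x558d19e3103e bp 0x7fff5e085710 sp 0x7fff5e085700
WRITE of size 8 at 0x7f6c8b1fffa0 thread T0
    #0 0x558d19e3103d in zend_mm_alloc_small_slow /tmp/php-src/Zend/zend_alloc.c:1291
    #1 0x558d19e31226 in zend_mm_alloc_small /tmp/php-src/Zend/zend_alloc.c:1315
    #2 0x558d19e3164c in zend_mm_alloc_heap /tmp/php-src/Zend/zend_alloc.c:1383
    #3 0x558d19e38321 in _emalloc /tmp/php-src/Zend/zend_alloc.c:2615
    #4 0x558d19f12c29 in zend_hash_real_init_packed_ex /tmp/php-src/Zend/zend_hash.c:157
Address 0x7f6c8b1fffa0 is a wild pointer.
SUMMARY: AddressSanitizer: stack-buffer-overflow /tmp/php-src/Zend/zend_alloc.c:1291 in zend_mm_alloc_small_slow
Shadow bytes around the buggy address:
  0x0fee11637fe0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
=>0x0fee11637ff0: 00 00 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00
  0x0fee11638000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==703762==ABORTING
"""

# Shadow byte legend as printed at the bottom of every ASan report.
SHADOW_LEGEND = {
    "00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
    "f6": "global init order", "f7": "poisoned by user", "fc": "container overflow",
    "ac": "array cookie", "bb": "intra object redzone", "fe": "ASan internal",
    "ca": "left alloca redzone", "cb": "right alloca redzone", "cc": "shadow gap",
}
for _n in range(1, 8):
    SHADOW_LEGEND[f"0{_n}"] = "partially addressable"

# Default x86_64 mapping: one shadow byte per 8 application bytes.
# Assumption of this example; AArch64 uses a different offset.
SHADOW_SCALE = 3
SHADOW_OFFSET_X86_64 = 0x7FFF8000

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
MARKED_ROW_RE = re.compile(r"^=>(0x[0-9a-f]+):(.*)$", re.M)
SHADOW_BYTE_RE = re.compile(r"\[?([0-9a-f]{2})\]?")


def shadow_address(addr, scale=SHADOW_SCALE, offset=SHADOW_OFFSET_X86_64):
    """Map an application address to the address of its shadow byte."""
    return (addr >> scale) + offset


def parse_report(text):
    """Extract the fields a triager needs from a raw ASan report."""
    header, access, row = HEADER_RE.search(text), ACCESS_RE.search(text), MARKED_ROW_RE.search(text)
    if not (header and access and row):
        raise ValueError("not a recognised AddressSanitizer report")
    pid, kind, addr = header.groups()
    frames = [(int(n), func, loc) for n, func, loc in FRAME_RE.findall(text)]
    # The "=>" row holds 16 shadow bytes; the one in [] belongs to the faulting address.
    tokens = list(SHADOW_BYTE_RE.finditer(row.group(2)))
    marked = next(i for i, m in enumerate(tokens) if m.group(0).startswith("["))
    byte = tokens[marked].group(1)
    return {
        "pid": int(pid), "kind": kind, "address": int(addr, 16),
        "access": access.group(1), "size": int(access.group(2)), "thread": access.group(3),
        "frames": frames, "shadow_row": int(row.group(1), 16),
        "marked_index": marked, "marked_byte": byte,
        "marked_meaning": SHADOW_LEGEND.get(byte, "unknown"),
    }


def shadow_matches_marked_byte(info, offset=SHADOW_OFFSET_X86_64):
    """True when the faulting address maps onto the bracketed shadow byte.

    A mismatch means the report came from a different shadow mapping (e.g. the
    AArch64 run) or the excerpt was edited, so the marked byte should not be
    trusted for triage.
    """
    shadow = shadow_address(info["address"], offset=offset)
    return (shadow & ~0xF) == info["shadow_row"] and (shadow & 0xF) == info["marked_index"]


def first_frame_outside(frames, path_fragment):
    """First frame whose source location is not under path_fragment.

    Heuristic: for a crash inside the allocator the top frames are allocator
    internals, so the first caller outside them is where reading usually starts.
    """
    for frame in frames:
        if path_fragment not in frame[2]:
            return frame
    return None


def triage_line(info, allocator_path="Zend/zend_alloc.c"):
    """One-line summary suitable for a bug tracker comment."""
    top = info["frames"][0]
    caller = first_frame_outside(info["frames"], allocator_path)
    caller_txt = f"{caller[1]} ({caller[2]})" if caller else "none"
    return (f"{info['kind']}: {info['access']} of {info['size']} bytes at "
            f"{info['address']:#x} hits shadow byte {info['marked_byte']} "
            f"({info['marked_meaning']}); top frame {top[1]} ({top[2]}); "
            f"first frame outside allocator: {caller_txt}")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(triage_line(report))
    print("shadow mapping consistent:", shadow_matches_marked_byte(report))
```

For this report the marked byte is f3 (stack right redzone) and the computed shadow address 0x0fee11637ff4 lands exactly on the bracketed byte of the "=>" row, so the 8-byte write is confirmed to be past the end of a stack object; the first frame outside zend_alloc.c is zend_hash_real_init_packed_ex, which is where a reader would continue from the allocator-internal frames.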
PHP Version
PHP master @ a92c2da
Operating System
Ubuntu 22.04