Segmentation fault (heap-use-after-free) when using disabled ErrorException #16453

@YuanchengJiang

Description

The following code:

<?php
$b = new ErrorException();
var_dump($b);

Resulted in this output:

Warning: ErrorException() has been disabled for security reasons in /tmp/test.php on line 3
=================================================================
==2122908==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004540 at pc 0x5620151a22db bp 0x7ffcfa2ff6f0 sp 0x7ffcfa2ff6e8
READ of size 4 at 0x607000004540 thread T0
    #0 0x5620151a22da in rebuild_object_properties_internal /php-src/Zend/zend_object_handlers.c:83:9
    #1 0x5620151a4d5c in zend_std_get_properties_ex /php-src/Zend/zend_object_handlers.h:282:10
    #2 0x5620151a4c74 in zend_std_get_properties /php-src/Zend/zend_object_handlers.c:137:9
    #3 0x5620151a60d0 in zend_std_get_debug_info /php-src/Zend/zend_object_handlers.c:196:10
    #4 0x5620151e6d2e in zend_std_get_properties_for /php-src/Zend/zend_object_handlers.c:2384:10
    #5 0x5620151e79b9 in zend_get_properties_for /php-src/Zend/zend_object_handlers.c:2433:9
    #6 0x562013993f37 in php_var_dump /php-src/ext/standard/var.c:178:11
    #7 0x562013997d73 in zif_var_dump /php-src/ext/standard/var.c:245:3
    #8 0x562014b11236 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /php-src/Zend/zend_vm_execute.h:1299:2
    #9 0x562014647b13 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
    #10 0x562014649c72 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
    #11 0x562015349f01 in zend_execute_script /php-src/Zend/zend.c:1928:3
    #12 0x562013c5afd8 in php_execute_script_ex /php-src/main/main.c:2574:13
    #13 0x562013c5c098 in php_execute_script /php-src/main/main.c:2614:9
    #14 0x56201535d676 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #15 0x562015357d44 in main /php-src/sapi/cli/php_cli.c:1310:18
    #16 0x7fae2aabfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7fae2aabfe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x562010c06dc4 in _start (/php-src/sapi/cli/php+0x2606dc4) (BuildId: 9b163f85408ed47e030a700c2224b749726bf34e)

0x607000004540 is located 0 bytes inside of 72-byte region [0x607000004540,0x607000004588)
freed by thread T0 here:
    #0 0x562010c8c542 in free (/php-src/sapi/cli/php+0x268c542) (BuildId: 9b163f85408ed47e030a700c2224b749726bf34e)
    #1 0x5620142ed741 in zend_disable_class /php-src/Zend/zend_API.c:3731:4
    #2 0x562013c5859d in php_disable_classes /php-src/main/main.c:394:3
    #3 0x562013c4ce55 in php_module_startup /php-src/main/main.c:2304:2
    #4 0x562015361348 in php_cli_startup /php-src/sapi/cli/php_cli.c:397:9
    #5 0x5620153575a7 in main /php-src/sapi/cli/php_cli.c:1277:6
    #6 0x7fae2aabfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x562010c8c7ee in malloc (/php-src/sapi/cli/php+0x268c7ee) (BuildId: 9b163f85408ed47e030a700c2224b749726bf34e)
    #1 0x562014277cf3 in __zend_malloc /php-src/Zend/zend_alloc.c:3280:14
    #2 0x562014307b2f in zend_declare_typed_property /php-src/Zend/zend_API.c:4510:19
    #3 0x5620145aaa21 in register_class_ErrorException /php-src/Zend/zend_exceptions_arginfo.h:205:2
    #4 0x5620145a6941 in zend_register_default_exception /php-src/Zend/zend_exceptions.c:767:28
    #5 0x56201456fd6d in zend_register_default_classes /php-src/Zend/zend_default_classes.c:35:2
    #6 0x562014386f12 in zm_startup_core /php-src/Zend/zend_builtin_functions.c:38:2
    #7 0x5620142c7f94 in zend_startup_module_ex /php-src/Zend/zend_API.c:2430:7
    #8 0x5620142cd1b1 in zend_startup_module_zval /php-src/Zend/zend_API.c:2445:10
    #9 0x562014e68264 in zend_hash_apply /php-src/Zend/zend_hash.c:2085:13
    #10 0x5620142cc40f in zend_startup_modules /php-src/Zend/zend_API.c:2568:2
    #11 0x562013c4c994 in php_module_startup /php-src/main/main.c:2286:2
    #12 0x562015361348 in php_cli_startup /php-src/sapi/cli/php_cli.c:397:9
    #13 0x5620153575a7 in main /php-src/sapi/cli/php_cli.c:1277:6
    #14 0x7fae2aabfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /php-src/Zend/zend_object_handlers.c:83:9 in rebuild_object_properties_internal
==2122908==ABORTING

To reproduce:

-d "disable_classes=ErrorException"

PHP Version

nightly

Operating System

ubuntu 22.04
