SCCP causes UAF for return value if both warning and exception are triggered #19792

@chongwick

Description

The following code:

<?php
function stringAsHex($v_37384=5,)
{
    $v_37279 = $v_37279;
    $col = 0;
    $v_37369 = NULL;
    $v_37281 = unpack($col,$v_37369,);
}

Resulted in this output:

==35==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000064700 at pc 0x00000685075f bp 0x7fff8cde2f70 sp 0x7fff8cde2f68
READ of size 4 at 0x606000064700 thread T0
    #0 0x685075e in zend_gc_delref /home/w023dtc/nightly_php/php-src/Zend/zend_types.h:1383:2
    #1 0x685032c in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:44:8
    #2 0x68500f4 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #3 0x53f10ba in ct_eval_func_call_ex /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:844:3
    #4 0x53ef192 in ct_eval_func_call /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:860:9
    #5 0x53d5a07 in sccp_visit_instr /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:1697:8
    #6 0x540e3a8 in scdf_solve /home/w023dtc/nightly_php/php-src/Zend/Optimizer/scdf.c:166:7
    #7 0x53b59b4 in sccp_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:2482:2
    #8 0x530a659 in zend_dfa_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/dfa_pass.c:1056:8
    #9 0x5687033 in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1644:5
    #10 0x23ff960 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #11 0x23ee754 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #12 0x68ab6c0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #13 0x508da3a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2638:13
    #14 0x508eb78 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2678:9
    #15 0x68c07ea in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #16 0x68babcf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #17 0x14719485dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x14719485de3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x6061f4 in _start (/home/php+0x6061f4)

0x606000064700 is located 0 bytes inside of 56-byte region [0x606000064700,0x606000064738)
freed by thread T0 here:
    #0 0x680e52 in free (/home/php+0x680e52)
    #1 0x56f5dc3 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x5700e7b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x637d327 in zend_array_destroy /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1872:2
    #4 0x68500b7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #5 0x685033e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #6 0x68500f4 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #7 0x53f0ef7 in ct_eval_func_call_ex /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:838:3
    #8 0x53ef192 in ct_eval_func_call /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:860:9
    #9 0x53d5a07 in sccp_visit_instr /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:1697:8
    #10 0x540e3a8 in scdf_solve /home/w023dtc/nightly_php/php-src/Zend/Optimizer/scdf.c:166:7
    #11 0x53b59b4 in sccp_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:2482:2
    #12 0x530a659 in zend_dfa_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/dfa_pass.c:1056:8
    #13 0x5687033 in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1644:5
    #14 0x23ff960 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #15 0x23ee754 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #16 0x68ab6c0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #17 0x508da3a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2638:13
    #18 0x508eb78 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2678:9
    #19 0x68c07ea in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #20 0x68babcf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #21 0x14719485dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/php+0x6810bd)
    #1 0x5702133 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x5700899 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x633a46a in _zend_new_array /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:290:18
    #4 0x43a4d75 in zif_unpack /home/w023dtc/nightly_php/php-src/ext/standard/pack.c:707:2
    #5 0x53f0c22 in ct_eval_func_call_ex /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:831:2
    #6 0x53ef192 in ct_eval_func_call /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:860:9
    #7 0x53d5a07 in sccp_visit_instr /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:1697:8
    #8 0x540e3a8 in scdf_solve /home/w023dtc/nightly_php/php-src/Zend/Optimizer/scdf.c:166:7
    #9 0x53b59b4 in sccp_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/sccp.c:2482:2
    #10 0x530a659 in zend_dfa_optimize_op_array /home/w023dtc/nightly_php/php-src/Zend/Optimizer/dfa_pass.c:1056:8
    #11 0x5687033 in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1644:5
    #12 0x23ff960 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #13 0x23ee754 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #14 0x68ab6c0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #15 0x508da3a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2638:13
    #16 0x508eb78 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2678:9
    #17 0x68c07ea in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #18 0x68babcf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #19 0x14719485dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_types.h:1383:2 in zend_gc_delref
Shadow bytes around the buggy address:
  0x0c0c80004890: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800048a0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800048b0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0c800048c0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800048d0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c800048e0:[fd]fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c800048f0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80004900: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c80004910: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c80004920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80004930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==35==ABORTING

USE_ZEND_ALLOC=0 ./php -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit_buffer_size=256M" -d "opcache.jit=1254" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" script.php

PHP Version

nightly

Operating System

ubuntu 22.04
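The trace above has ct_eval_func_call_ex freeing the unpack() return value at sccp.c:838 and reading it again at sccp.c:844, i.e. two cleanup paths (one per the warning, one per the exception in the title) acting on the same value. The C model below is added for this page and is not php-src code: array_model, zval_model, eval_call_buggy and eval_call_fixed are constructed names, and the mapping of the two dtor calls onto those two source lines is an inference from the stack trace, not a reading of the source. It reproduces the double-release shape with a refcounted stand-in and shows the usual hardening of marking the slot UNDEF after the first release.

```c
#include <stdbool.h>
#include <stdlib.h>

typedef struct {            /* stands in for the zend_array that unpack() allocates */
    int   refcount;
    char *buf;              /* the 56-byte region the report shows being freed */
    bool  freed;            /* bookkeeping: a touch-after-free is counted, never performed */
} array_model;
typedef struct { array_model *arr; } zval_model;   /* arr == NULL plays ZVAL_UNDEF */
static int g_uaf_hits;      /* each hit is what ASan reports as heap-use-after-free */

static array_model *array_new(void) {
    array_model *a = calloc(1, sizeof *a);
    a->refcount = 1;
    a->buf = malloc(56);
    return a;
}

/* Analogue of zval_ptr_dtor -> zend_gc_delref: decrementing the refcount of an
 * already freed array is the 4-byte READ in the report. */
static void zval_ptr_dtor_model(zval_model *z) {
    if (z->arr == NULL) return;                        /* UNDEF slot: nothing to release */
    if (z->arr->freed) { g_uaf_hits++; return; }
    if (--z->arr->refcount == 0) { free(z->arr->buf); z->arr->freed = true; }
}

/* Buggy shape: the warning check and the exception check each release the value,
 * and nothing records that the first release already ran. Returns UAF hits. */
int eval_call_buggy(bool warned, bool threw) {
    zval_model ret = { array_new() };
    int before = g_uaf_hits;
    if (warned) zval_ptr_dtor_model(&ret);             /* first cleanup path (sccp.c:838 in the trace) */
    if (threw)  zval_ptr_dtor_model(&ret);             /* second cleanup path (sccp.c:844) */
    if (!warned && !threw) zval_ptr_dtor_model(&ret);  /* success: the consumer releases it once */
    free(ret.arr);
    return g_uaf_hits - before;
}

/* Hardened shape: the only change is marking the slot UNDEF right after the
 * first release, so a second dtor on any path becomes a no-op. */
int eval_call_fixed(bool warned, bool threw) {
    zval_model ret = { array_new() };
    array_model *a = ret.arr;
    int before = g_uaf_hits;
    if (warned) { zval_ptr_dtor_model(&ret); ret.arr = NULL; }   /* release, then ZVAL_UNDEF */
    if (threw)  zval_ptr_dtor_model(&ret);                        /* no-op if already released */
    if (!warned && !threw) zval_ptr_dtor_model(&ret);
    free(a);
    return g_uaf_hits - before;
}
```

Only the combination of both conditions produces a hit in the buggy variant, matching the title's "both warning and exception" precondition; a warning or an exception alone releases the value exactly once.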