heap buffer overflow in optimizer

[chongwick]

Description

The following code:

<?php
function test_64166($v_13005='...',)
{
$v_5497 = $v_5497;
$v_5498 = 'php://temp';
$v_5505 = array('line-break-chars' => $v_5498,'line-length' => $v_5505,);
$v_5500 = fopen($v_5500,$v_5505,);
$v_5504 = STREAM_FILTER_READ;
$v_5501 = fwrite($v_5505,$v_5504,);
$v_5502 = rewind($v_5497,);
$v_5515 = $v_5505 and $v_5502;
$v_5514 = '';
$v_5510 = stream_filter_append($v_5515,$v_5497,$v_5514,$v_5514,);
$v_5511 = '';
$v_5503 = 'convert.quoted-printable-encode';
$v_5513 = fread($v_5503,$v_5498,);

while($v_5515){

}
}

Resulted in this output:

=================================================================
==2279350==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000d43c at pc 0x000005562282 bp 0x7ffebd74d360 sp 0x7ffebd74d358
READ of size 4 at 0x60c00000d43c thread T0
    #0 0x5562281 in zend_build_cfg /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:376:5
    #1 0x30624fd in zend_jit_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:1078:2
    #2 0x2c63373 in zend_jit_setup_hot_trace_counters /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8963:7
    #3 0x2c608d6 in zend_jit_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:3370:10
    #4 0x2467b2e in zend_persist_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:726:4
    #5 0x245d900 in zend_accel_script_persist /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:1462:3
    #6 0x24c43e3 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1671:26
    #7 0x24b1874 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2208:24
    #8 0x69fb8c0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1974:28
    #9 0x51c8d8a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #10 0x51c9ec8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #11 0x6a109ea in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #12 0x6a0adcf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #13 0x15187b01bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x15187b01be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x607b34 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b34)

0x60c00000d43c is located 0 bytes to the right of 124-byte region [0x60c00000d3c0,0x60c00000d43c)
allocated by thread T0 here:
    #0 0x6829fd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829fd)
    #1 0x583f3d3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x583db39 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x557fb0d in zend_arena_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:172:25
    #4 0x556f439 in zend_arena_calloc /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:185:8
    #5 0x555e173 in zend_build_cfg /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:286:25
    #6 0x30624fd in zend_jit_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:1078:2
    #7 0x2c63373 in zend_jit_setup_hot_trace_counters /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8963:7
    #8 0x2c608d6 in zend_jit_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:3370:10
    #9 0x2467b2e in zend_persist_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:726:4
    #10 0x245d900 in zend_accel_script_persist /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:1462:3
    #11 0x24c43e3 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1671:26
    #12 0x24b1874 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2208:24
    #13 0x69fb8c0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1974:28
    #14 0x51c8d8a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #15 0x51c9ec8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #16 0x6a109ea in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #17 0x6a0adcf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #18 0x15187b01bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:376:5 in zend_build_cfg
Shadow bytes around the buggy address:
  0x0c187fff9a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9a40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff9a50: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff9a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff9a70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff9a80: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x0c187fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2279350==ABORTING

USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" -d "display_errors = On" -d "display_startup_errors = On" -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" -d "opcache.jit_max_root_traces=  100000" -d "opcache.jit_max_side_traces=  100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" -d "opcache.protect_memory=1"

PHP Version

nightly

Operating System

ubuntu 22.04

[ndossche]

Reduction:

<?php
function test()
{
    $arr1 = ['line-break-chars' => 'php://temp','line-length' => $undef];
    $arr2 = [];
    $and = $arr1 and $arr2;

    while ($and) {
    }
}

[ndossche]

Probably something like this, more or less?
The problem is that we currently assume JMPZ etc have a jmp target different from its follow address. However, it can be the last instruction of a function and jump to itself. In that case i refers to the last opline and i + 1 is out of bounds.

EDIT: ignore patch below, better (and more correct) patch coming via PR.

Details

```diff diff --git a/Zend/Optimizer/zend_cfg.c b/Zend/Optimizer/zend_cfg.c index 32d5f49ef7d..2e0d0e09a54 100644 --- a/Zend/Optimizer/zend_cfg.c +++ b/Zend/Optimizer/zend_cfg.c @@ -367,13 +367,16 @@ ZEND_API void zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, case ZEND_JMPZ_EX: case ZEND_JMPNZ_EX: case ZEND_JMP_SET: + if (i + 1 < op_array->last) { + BB_START(i + 1); + } + ZEND_FALLTHROUGH; case ZEND_COALESCE: case ZEND_ASSERT_CHECK: case ZEND_JMP_NULL: case ZEND_BIND_INIT_STATIC_OR_JMP: case ZEND_JMP_FRAMELESS: BB_START(OP_JMP_ADDR(opline, opline->op2) - op_array->opcodes); - BB_START(i + 1); break; case ZEND_CATCH: if (!(opline->extended_value & ZEND_LAST_CATCH)) { @@ -521,6 +524,14 @@ ZEND_API void zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, case ZEND_JMPZ_EX: case ZEND_JMPNZ_EX: case ZEND_JMP_SET: + block->successors[0] = block_map[OP_JMP_ADDR(opline, opline->op2) - op_array->opcodes]; + if (j + 1 < blocks_count) { + block->successors_count = 2; + block->successors[1] = j + 1; + } else { + block->successors_count = 1; + } + break; case ZEND_COALESCE: case ZEND_ASSERT_CHECK: case ZEND_JMP_NULL:

</details>