Description
The following code:
<?php
#[AllowDynamicProperties]
class A
{
public $a = 1;
protected $b = 2;
private $c = 3;
public $empty;
public $init = 1;
function __toString()
{
return 'obj(' . get_class($this) . ')';
}
static function test($oc, $props)
{
echo '===' . __CLASS__ . "===\n";
foreach($props as $p2) {
echo $oc, '::$' , $p2, "\n";
var_dump(property_exists($oc, $p2));
}
}
}
class Test extends _ZendTestClass {
}
class B extends A {
function print42() {
echo "forty two\n";
}
}
$oA = new A;
$string = "string12345";
$offset = -0x100000000 + 2;
$obj = new Test;
$obj->classProp = new stdClass;
$test = clone new Test;
$test->foo = 42;
$dom = Dom\XMLDocument::createFromString(<<<XML
<!DOCTYPE foo [
<!ENTITY foo "bar">
]>
<foo>&foo;</foo>
XML);
$ref = $dom->documentElement->firstChild;
$b = new B;
$nan = fdiv(0, 0);
$testClass = TestClass::createInstance();
$db = new PDO('sqlite::memory:');
$attr = new DOMAttr("attribute", "my value");
var_dump($test['tag'] === $tag);
define("MIN_64Bit", -9223372036854775807 - 1);
$arr = [1 => [1 => 42]];
$ao = new MyArrayObject3($arr);
var_dump(isset($ao[0][1]));
ob_start();
$cfg = <<<EOT
[global]
error_log = {{FILE:LOG}}
[unconfined]
listen = {{ADDR}}
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOT;
Resulted in this output:
Fatal error: Uncaught Error: Class "Test" not found in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er:153
Stack trace:
#0 {main}
thrown in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er on line 153
Singularity> vim fuzz_unicode-test_73559b6018.php.er
Singularity> ~/nightly_php/php-src/sapi/cli/php fuzz_unicode-test_73559b6018.php.er
Fatal error: Uncaught Error: Class "A" not found in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er:28
Stack trace:
#0 {main}
thrown in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er on line 28
Singularity> vim fuzz_unicode-test_73559b6018.php.er
Singularity> USE_ZEND_ALLOC=0 ~/nightly_php/php-src/sapi/cli/php fuzz_unicode-test_73559b6018.php.er
Deprecated: Creation of dynamic property Test::$foo is deprecated in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er on line 156
Fatal error: Uncaught Error: Class "TestClass" not found in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er:166
Stack trace:
#0 {main}
thrown in /home/w023dtc/treebugs/fuzz_unicode-test_73559b6018.php.er on line 166
=================================================================
==3823760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00017c878 at pc 0x00000498caa3 bp 0x7ffd11a9e1e0 sp 0x7ffd11a9e1d8
READ of size 8 at 0x60e00017c878 thread T0
#0 0x498caa2 in zend_test_class_free_obj /home/w023dtc/nightly_php/php-src/ext/zend_test/test.c:1052:14
#1 0x67e6571 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:196:4
#2 0x68fcbf7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
#3 0x68fce7e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
#4 0x68fcc34 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
#5 0x641a031 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1500:3
#6 0x64177ad in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1527:2
#7 0x64310f4 in zend_hash_reverse_apply /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2243:5
#8 0x5bb71bc in shutdown_destructors /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:261:4
#9 0x694547b in zend_call_destructors /home/w023dtc/nightly_php/php-src/Zend/zend.c:1340:3
#10 0x517f203 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1985:3
#11 0x6972b01 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1156:3
#12 0x6967adf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#13 0x148024cc8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x148024cc8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x607b44 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b44)
0x60e00017c878 is located 8 bytes to the left of 152-byte region [0x60e00017c880,0x60e00017c918)
allocated by thread T0 here:
#0 0x682a0d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a0d)
#1 0x58127b3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
#2 0x5810f19 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
#3 0x67ef136 in zend_objects_new /home/w023dtc/nightly_php/php-src/Zend/zend_objects.c:191:24
#4 0x67f5541 in zend_objects_clone_obj /home/w023dtc/nightly_php/php-src/Zend/zend_objects.c:340:15
#5 0x5fe9779 in ZEND_CLONE_SPEC_TMP_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:17392:2
#6 0x5c4a6fb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#7 0x5c4cc8c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#8 0x69587e9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#9 0x5193dca in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#10 0x5194f08 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#11 0x696d6fa in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#12 0x6967adf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#13 0x148024cc8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/zend_test/test.c:1052:14 in zend_test_class_free_obj
Shadow bytes around the buggy address:
0x0c1c800278b0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c800278c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c800278d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c800278e0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c1c800278f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c80027900: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa[fa]
0x0c1c80027910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c80027920: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1c80027930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1c80027940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c80027950: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3823760==ABORTING
USE_ZEND_ALLOC=0
PHP Version
nightly
Operating System
No response