
uaf in jit #21395

@chongwick

Description


The following code, run with the command line shown after the sanitizer report below:

<?php
// Reproducer for the heap-use-after-free reported in this issue. The
// AddressSanitizer trace below places both the read and the free inside
// ir_cfg_remove_dead_inputs (ext/opcache/jit/ir/ir_cfg.c), reached from
// zend_jit_trace while the tracing JIT compiles a root trace. The exact
// statement sequence is what shapes the recorded trace, so keep the script
// as-is when bisecting; run it with the php.ini flags quoted after the
// report (opcache.jit=tracing, opcache.jit_hot_loop=1, ...) under
// USE_ZEND_ALLOC=0 so the allocations are visible to ASan.
$o = new stdClass();                 // not referenced later; kept from the original report
$data = "Testing openssl_sign()";    // not referenced later; kept from the original report
// Loop that gets traced: with opcache.jit_hot_loop=1 on the command line it
// presumably becomes hot after the first iteration. The body mixes GD,
// garbage-collector and PCRE calls.
for ($i_0 = 0; $i_0 < 10; $i_0++) {
    $src_tc = imagecreate(19,19);                       // requires ext/gd
    $white = imagecolorallocate($src_tc, 255,255,255);
    $n = gc_collect_cycles();
    $test_string = str_repeat('Eins zwei drei', 2000);  // 28000-byte string
    $replaced = preg_replace('/\s/', '-', $test_string);
}
// Mix of int and float literals; each one is cast to string and dumped below.
$doubles = array(
    290000000000000000,
    290000000000000,
    29000000000000,
    29000000000000.123123,
    29000000000000.7123123,
    29000.7123123,
    239234242.7123123,
    0.12345678901234567890,
    10000000000000,
    100000000000000,
    1000000000000000001,
    100000000000001,
    10000000000,
    999999999999999,
    9999999999999999,
    (float)0    // the only explicit float zero in the list
    );
foreach ($doubles as $d) {
    var_dump((string)$d);
}

Resulted in this output:

=================================================================
==813799==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200001fcd0 at pc 0x00000250c741 bp 0x7fffebc8e1c0 sp 0x7fffebc8e1b8
READ of size 8 at 0x60200001fcd0 thread T0
    #0 0x250c740 in ir_bitset_incl /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_private.h:332:26
    #1 0x250c740 in ir_cfg_remove_dead_inputs /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:178:7
    #2 0x25055e5 in ir_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:384:11
    #3 0x3177832 in zend_jit_ir_compile /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:2884:2
    #4 0x3014474 in zend_jit_finish /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:16751:10
    #5 0x2e50017 in zend_jit_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7317:12
    #6 0x2c10bb9 in zend_jit_compile_root_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7532:14
    #7 0x2c02e80 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8226:10
    #8 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #9 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #10 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
    #11 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
    #12 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
    #13 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #14 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #15 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #16 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #17 0x14d3be9f4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x14d3be9f4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x607b54 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b54)

0x60200001fcd0 is located 0 bytes inside of 8-byte region [0x60200001fcd0,0x60200001fcd8)
freed by thread T0 here:
    #0 0x6827b2 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6827b2)
    #1 0x58185b3 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3572:2
    #2 0x582366b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2789:3
    #3 0x250e30f in ir_cfg_remove_dead_inputs /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:213:6
    #4 0x25055e5 in ir_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:384:11
    #5 0x3177832 in zend_jit_ir_compile /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:2884:2
    #6 0x3014474 in zend_jit_finish /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:16751:10
    #7 0x2e50017 in zend_jit_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7317:12
    #8 0x2c10bb9 in zend_jit_compile_root_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7532:14
    #9 0x2c02e80 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8226:10
    #10 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #11 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #12 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
    #13 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
    #14 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
    #15 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #16 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #17 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #18 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #19 0x14d3be9f4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x682a1d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a1d)
    #1 0x5824923 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
    #2 0x5823089 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
    #3 0x5824b4b in _ecalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2846:6
    #4 0x250cd22 in ir_bitset_malloc /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_private.h:327:9
    #5 0x250cd22 in ir_cfg_remove_dead_inputs /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:189:22
    #6 0x25055e5 in ir_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_cfg.c:384:11
    #7 0x3177832 in zend_jit_ir_compile /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:2884:2
    #8 0x3014474 in zend_jit_finish /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:16751:10
    #9 0x2e50017 in zend_jit_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7317:12
    #10 0x2c10bb9 in zend_jit_compile_root_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7532:14
    #11 0x2c02e80 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8226:10
    #12 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #13 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #14 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
    #15 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
    #16 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
    #17 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #18 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #19 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #20 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #21 0x14d3be9f4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_private.h:332:26 in ir_bitset_incl
Shadow bytes around the buggy address:
  0x0c047fffbf40: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fffbf50: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fffbf60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffbf70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffbf80: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
=>0x0c047fffbf90: fa fa 00 fa fa fa fd fd fa fa[fd]fa fa fa fa fa
  0x0c047fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==813799==ABORTING
# Invocation that produced the report above. USE_ZEND_ALLOC=0 routes the
# engine's allocations through the system allocator (the trace shows
# __zend_malloc/__zend_free ending in malloc/free), which is what lets
# AddressSanitizer catch the use-after-free. opcache and the tracing JIT are
# enabled for the CLI, the hot counters are set to 1 and the profiling
# threshold is near zero so file.php is traced almost immediately. The two
# values with embedded spaces are reproduced exactly as reported.
USE_ZEND_ALLOC=0 php \
  -d "memory_limit = -1" \
  -d "zend.assertions = 1" \
  -d "display_errors = On" \
  -d "display_startup_errors = On" \
  -d "opcache.memory_consumption=4096M" \
  -d "opcache.enable=1" \
  -d "opcache.enable_cli=1" \
  -d "opcache.jit=tracing" \
  -d "opcache.validate_timestamps=0" \
  -d "opcache.jit_buffer_size=128M" \
  -d "opcache.file_update_protection=0" \
  -d "opcache.max_accelerated_files=1000000" \
  -d "opcache.interned_strings_buffer=64" \
  -d "opcache.jit_prof_threshold=0.000000001" \
  -d "opcache.jit_max_root_traces=  100000" \
  -d "opcache.jit_max_side_traces=  100000" \
  -d "opcache.jit_max_exit_counters=100000" \
  -d "opcache.jit_hot_loop=1" \
  -d "opcache.jit_hot_func=1" \
  -d "opcache.jit_hot_return=1" \
  -d "opcache.jit_hot_side_exit=1" \
  -d "opcache.jit_blacklist_root_trace=255" \
  -d "opcache.jit_blacklist_side_trace=255" \
  -d "opcache.protect_memory=1" \
  file.php

PHP Version

nightly

Operating System

No response
