PHP NullPtr dereference - by misuse of the option "-w" or "-s" #9709

Closed
@randomssr

Description

PHP NullPtr dereference - by misuse of the option "-w" or "-s"

When the program input contains the option "-w" or "-s", the program dereferences a null pointer and crashes.

PHP/Zend/zend_exceptions.c, lines 147-152:

static zend_always_inline zend_bool is_handle_exception_set() {
	zend_execute_data *execute_data = EG(current_execute_data);
	return !execute_data->func
		|| !ZEND_USER_CODE(execute_data->func->common.type)
		|| execute_data->opline->opcode == ZEND_HANDLE_EXCEPTION;
}

The option -w or -s makes the program execute the function is_handle_exception_set(), and the value of EG(current_execute_data), namely executor_globals.current_execute_data, remains 0 from the parsing of -w or -s until the is_handle_exception_set() call. As a result, a null pointer dereference occurs.

Test Environment

Ubuntu 20.04, 64-bit; PHP (version: 8.0.23)

How to trigger

  1. Compile the program with AddressSanitizer
  2. Run command $ ./php -s -w POC

Details

ASAN report

$ ../php  -s -w POC 
<?php
$flor="red"; switch ($favcolo; break; case "blue": echo "2"; ":
    echo "d; break; default� echo "4"; } ?>AddressSanitizer:DEADLYSIGNAL
=================================================================
==805955==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000022e4bc5 bp 0x7fffbee259f0 sp 0x7fffbee258d0 T0)
==805955==The signal is caused by a READ memory access.
==805955==Hint: address points to the zero page.
    #0 0x22e4bc5 in is_handle_exception_set /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10
    #1 0x22e4bc5 in zend_throw_exception_internal /home/root/php/sourcecode/php/Zend/zend_exceptions.c:177:4
    #2 0x22ffd34 in zend_throw_exception_zstr /home/root/php/sourcecode/php/Zend/zend_exceptions.c:866:2
    #3 0x22e9fdf in zend_throw_exception /home/root/php/sourcecode/php/Zend/zend_exceptions.c:875:20
    #4 0x1a4d23d in report_bad_nesting /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1270:2
    #5 0x1a4ce37 in check_nesting_at_end /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1304:3
    #6 0x1a3d45f in lex_scan /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:2195:3
    #7 0x1b93834 in zend_strip /home/root/php/sourcecode/php/Zend/zend_highlight.c:180:21
    #8 0x246f9d0 in do_cli /home/root/php/sourcecode/php/sapi/cli/php_cli.c:964:5
    #9 0x246bac2 in main /home/root/php/sourcecode/php/sapi/cli/php_cli.c:1339:18
    #10 0x7ff2d96e5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x60289d in _start (/home/root/php/fuzz/php/php_a_s_w_random/php+0x60289d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10 in is_handle_exception_set
==805955==ABORTING

POC can be downloaded from https://github.com/randomssr/bugissues/blob/main/php/POC

PHP Version

PHP 8.0.23

Operating System

No response
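The control flow behind this report, as an added example that is not part of the issue and not PHP's code: a constructed C model of the structures named in the stack trace (a frame with a `func` and an `opline`, a global `current_execute_data` that stays NULL while only the lexer runs). It shows the unguarded function with the same shape as the reported one beside a guarded form, a model `throw_exception_internal` that tolerates "no frame", and a toy `-w` strip pass that reports unbalanced nesting by throwing. All type, function and constant names here (`model_execute_data`, `strip_mode`, `NESTING_ERROR`, `throw_from_user_frame`) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the Zend structures named in the report
 * (execute_data, func, opline). This is a model written for this page,
 * not PHP's own code; names mirror the originals only for readability. */
enum { OP_NOP = 0, OP_HANDLE_EXCEPTION = 1 };
enum { FUNC_INTERNAL = 0, FUNC_USER = 2 };

typedef struct { int type; }   model_func;
typedef struct { int opcode; } model_opline;
typedef struct {
    const model_func   *func;
    const model_opline *opline;
} model_execute_data;

/* Stand-in for EG(current_execute_data): stays NULL until the executor
 * enters a frame. The -w and -s modes only run the lexer, so it is still
 * NULL when the nesting error is reported. */
static model_execute_data *current_execute_data = NULL;

/* Stand-in for EG(exception): last exception recorded, 0 if none. */
static int pending_exception = 0;

/* Same shape as the function in the report: the frame pointer is used
 * without a NULL check. With current_execute_data == NULL the read lands
 * a few bytes above address 0 (the report's 0x18 is just such an offset). */
bool is_handle_exception_set_unguarded(void) {
    model_execute_data *execute_data = current_execute_data;
    return !execute_data->func
        || execute_data->func->type != FUNC_USER
        || execute_data->opline->opcode == OP_HANDLE_EXCEPTION;
}

/* Guarded form: "no frame at all" is treated like "frame with no func",
 * i.e. there is no VM state to patch up, so answer true. */
bool is_handle_exception_set_guarded(void) {
    model_execute_data *execute_data = current_execute_data;
    if (execute_data == NULL) {
        return true;
    }
    return !execute_data->func
        || execute_data->func->type != FUNC_USER
        || execute_data->opline->opcode == OP_HANDLE_EXCEPTION;
}

/* Model of zend_throw_exception_internal: record the exception, then only
 * touch VM state when a frame exists. Returns 1 if the VM had to be
 * redirected to its exception handler, 0 otherwise. */
static int throw_exception_internal(int exception_id) {
    pending_exception = exception_id;
    if (is_handle_exception_set_guarded()) {
        return 0;
    }
    /* The real engine would rewrite the current opline here. */
    return 1;
}

#define NESTING_ERROR 1
static char stripped[256];   /* output of the toy strip pass */

/* Toy model of the "-w" path: walk the source with no executor frame and
 * drop whitespace, reporting an unbalanced "}" the way the lexer's
 * check_nesting_at_end/report_bad_nesting does, by throwing. zend_strip
 * itself is token based; character based is enough for the control flow.
 * Returns the stripped length, or -1 if a nesting error was thrown. */
static int strip_mode(const char *src) {
    int depth = 0;
    size_t n = 0;
    current_execute_data = NULL;      /* lexer-only mode: no frame */
    pending_exception = 0;
    for (const char *p = src; *p != '\0'; ++p) {
        if (*p == '{') {
            depth++;
        } else if (*p == '}' && --depth < 0) {
            throw_exception_internal(NESTING_ERROR);   /* must not crash */
            stripped[0] = '\0';
            return -1;
        }
        if (*p == ' ' || *p == '\n' || *p == '\t') {
            continue;
        }
        if (n + 1 < sizeof stripped) {
            stripped[n++] = *p;
        }
    }
    stripped[n] = '\0';
    return (int)n;
}

/* For comparison: the same throw issued from inside a user frame whose
 * current opline is `opcode`. Returns throw_exception_internal's result. */
static int throw_from_user_frame(int opcode) {
    model_func f = { FUNC_USER };
    model_opline op = { opcode };
    model_execute_data frame = { &f, &op };
    current_execute_data = &frame;
    int redirected = throw_exception_internal(NESTING_ERROR);
    current_execute_data = NULL;
    return redirected;
}

int main(void) {
    int n = strip_mode("<?php\nif (1) { echo 1; }\n");
    printf("balanced: %d bytes -> %s\n", n, stripped);
    n = strip_mode("<?php\necho 2; }\n");
    printf("unbalanced: rc=%d, pending exception=%d\n", n, pending_exception);
    printf("from user frame: redirected=%d\n", throw_from_user_frame(OP_NOP));
    /* is_handle_exception_set_unguarded() is deliberately not called while
     * current_execute_data is NULL: that is the SEGV from the report. */
    return 0;
}
```

The point of the model is the state mismatch: the lexer can raise an exception on any input, but the exception path assumes the executor has already set up a frame. Checking for the missing frame at the throw site (or in the helper) turns a crash on malformed input into an ordinary reported error, which is what a sanitizer-guarded fuzz run like the one in the report should then stop flagging.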
