stack-buffer-overflow ext/opcache/jit/ir/ir_sccp.c #18113

Closed
YuanchengJiang opened this issue Mar 19, 2025 · 2 comments
@YuanchengJiang

Description

The following code:

<?php
function lookup($s){
    switch($fusion){
        case 1: return 1;
        case 4: return 4;
        case 5: return 5;
        case 14: return 14;
        case 15: return 15;
        case 488: return 488;
        case 489: return 489;
        case 490: return 490;
        case 491: return 491;
        case 492: return 492;
        case 493: return 493;
        case 494: return 494;
        case 495: return 495;
        case 496: return 496;
        case 497: return 497;
        case 498: return 498;
        case 499: return 499;
        case 500: return 500;
        case 501: return 501;
        case 502: return 502;
        case 503: return 503;
        case 504: return 504;
        case 505: return 505;
        case 506: return 506;
        case 507: return 507;
        case 508: return 508;
        case 509: return 509;
        case 510: return 510;
        case 511: return 511;
        case 512: return 512;
        case 513: return 513;
    };
}

Resulted in this output:

=================================================================
==3191893==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1dc92e88 at pc 0x72c8aab38879 bp 0x7ffd1dc92e50 sp 0x7ffd1dc92e48
READ of size 8 at 0x7ffd1dc92e88 thread T0
    #0 0x72c8aab38878 in ir_bitset_incl /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_private.h:331:26
    #1 0x72c8aab38878 in ir_sccp_remove_unfeasible_merge_inputs /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_sccp.c:940:4
    #2 0x72c8aaaa3a57 in ir_sccp_transform /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_sccp.c:1103:3
    #3 0x72c8aaa8341a in ir_sccp /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_sccp.c:3642:2
    #4 0x72c8ab1cdee9 in zend_jit_ir_compile /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_ir.c:2801:2
    #5 0x72c8ab073fe4 in zend_jit_finish /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_ir.c:16764:10
    #6 0x72c8aad281ef in zend_jit /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:2938:12
    #7 0x72c8aacbf90a in zend_jit_script /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:3418:9
    #8 0x72c8aa561326 in zend_accel_script_persist /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/zend_persist.c:1439:4
    #9 0x72c8aa5cdf22 in cache_script_in_shared_memory /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:1646:26
    #10 0x72c8aa5b9cf4 in persistent_compile_file /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:2182:24
    #11 0x57a7970 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1936:28
    #12 0x3f9909a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2584:13
    #13 0x3f9a1d8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2624:9
    #14 0x57bca9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #15 0x57b6e7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #16 0x72c8b21cad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x72c8b21cae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

Address 0x7ffd1dc92e88 is located in stack of thread T0 at offset 40 in frame
    #0 0x72c8aab37b1f in ir_sccp_remove_unfeasible_merge_inputs /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_sccp.c:921

  This frame has 1 object(s):
    [32, 40) 'holder' (line 925) <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/ir/ir_private.h:331:26 in ir_bitset_incl
Shadow bytes around the buggy address:
  0x100023b8a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a5c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100023b8a5d0: 00[f3]f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b8a620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3191893==ABORTING

To reproduce:

./php-src/sapi/cli/php  -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "opcache.enable_cli=1" -d "opcache.jit=1205" ./test.php

Commit:

aa9d140a2abb5b2d795d688b6c6afe0a886640d6

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

aa9d140

Operating System

No response

@nielsdos (Member)

The computation for when to use the local variable for life_inputs seems off; I'll have a look after work.

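The ASan frame description above shows the overflowed object is an 8-byte 'holder', i.e. a single-word bitset, and the comment points at the decision of when that local word is large enough for the merge's inputs. The C sketch below is an added example, not the IR project's code: it shows the capacity computation for such a holder and a bounds-checked include that turns an out-of-range access into a checkable failure. All function names and the 129-input sample are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative reconstruction of the report's pattern: a bitset kept in one
 * on-stack word ("holder") when small, on the heap otherwise. Names are assumed. */
typedef uint64_t bitset_word;
#define BITSET_BITS (8 * sizeof(bitset_word))

/* Words needed to address bits 0..n-1 (rounds up; 0 for n == 0). */
static size_t bitset_len(size_t n) { return (n + BITSET_BITS - 1) / BITSET_BITS; }

/* Bounds-checked include: never touches memory past 'len' words (the
 * out-of-range read-modify-write that ASan flagged in ir_bitset_incl). */
static bool bitset_incl_checked(bitset_word *set, size_t len, size_t bit) {
    if (bit / BITSET_BITS >= len) return false;
    set[bit / BITSET_BITS] |= (bitset_word)1 << (bit % BITSET_BITS);
    return true;
}

/* Storage for n inputs: the holder only if one word covers 0..n-1.
 * Returns the number of usable words (0 on OOM). */
static size_t bitset_pick(size_t n, bitset_word *holder, bitset_word **out) {
    size_t len = bitset_len(n);
    if (len <= 1) { *holder = 0; *out = holder; return 1; }
    *out = calloc(len, sizeof **out);
    return *out ? len : 0;
}

/* Marks the given input indices for a merge with n inputs and returns how many
 * landed in bounds; with a correct bitset_pick this always equals cnt. */
static size_t mark_inputs(size_t n, const size_t *idx, size_t cnt) {
    bitset_word holder, *set;
    size_t len = bitset_pick(n, &holder, &set), ok = 0;
    for (size_t i = 0; i < cnt && len; i++)
        ok += bitset_incl_checked(set, len, idx[i]);
    if (set != &holder) free(set);
    return ok;
}

/* The report's case: the 8-byte holder used for an index >= 64, i.e. word 1,
 * which lies just past the [32, 40) frame object ASan describes. */
static bool holder_only_incl(size_t bit) {
    bitset_word holder = 0;
    return bitset_incl_checked(&holder, 1, bit);
}

/* Constructed sample: a merge with 129 inputs, touching both word boundaries. */
static size_t sample_merge_count(void) {
    static const size_t idx[] = { 0, 63, 64, 127, 128 };
    return mark_inputs(129, idx, sizeof idx / sizeof idx[0]);
}
```
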
@nielsdos (Member)

Filed dstogov/ir#110

nielsdos self-assigned this Mar 19, 2025
nielsdos added a commit that referenced this issue Mar 19, 2025
* PHP-8.4:
  Add test for GH-18113