Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Engine UAF with reference assign and dtor #17442

Closed
YuanchengJiang opened this issue Jan 11, 2025 · 1 comment
Closed

Engine UAF with reference assign and dtor #17442

YuanchengJiang opened this issue Jan 11, 2025 · 1 comment
Labels
Bug Category: Engine Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
$map = new WeakMap;
$obj = new stdClass;
$map[$obj] = new class {
function __destruct() {
throw new Exception("Test");
}
};
headers_sent($obj,$generator);

Resulted in this output:

=================================================================
==3449000==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x000004ca3d7b bp 0x7ffe4c5aed40 sp 0x7ffe4c5aec80 T0)
==3449000==The signal is caused by a READ memory access.
==3449000==Hint: address points to the zero page.
    #0 0x4ca3d7b in smart_str_append_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:230:64
    #1 0x3f014e2 in _build_trace_args /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:507:6
    #2 0x3eec6e4 in _build_trace_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:579:5
    #3 0x3eea657 in zend_trace_to_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:605:3
    #4 0x3eeda95 in zim_Exception_getTraceAsString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:635:2
    #5 0x3f30cff in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1016:4
    #6 0x3ef05a6 in zim_Exception___toString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:680:3
    #7 0x3f30cff in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1016:4
    #8 0x3f3678e in zend_call_known_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1097:23
    #9 0x3f05494 in zend_call_known_instance_method /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:860:2
    #10 0x3efebdb in zend_call_known_instance_method_with_0_params /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:866:2
    #11 0x3edd5db in zend_exception_error /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:923:3
    #12 0x4d3bf7f in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1941:11
    #13 0x353f1da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #14 0x3540318 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #15 0x4d4fd8a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #16 0x4d4a26f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #17 0x7f5a24057d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f5a24057e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:230:64 in smart_str_append_zval
==3449000==ABORTING

PHP Version

nightly

Operating System

No response
@nielsdos
Copy link
Member

nielsdos commented Jan 11, 2025
edited
Loading

Needs some good old garbage zval:

diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index 59d489f7aee..b1237dfc155 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -1298,8 +1298,10 @@ ZEND_API zend_result zend_try_assign_typed_ref_zval_ex(zend_reference *ref, zval
 		} \
 		_zv = &ref->val; \
 	} \
-	zval_ptr_dtor(_zv); \
+	zval garbage; \
+	ZVAL_COPY_VALUE(&garbage, _zv); \
 	ZVAL_STRING(_zv, string); \
+	zval_ptr_dtor(&garbage); \
 } while (0)
 
 #define ZEND_TRY_ASSIGN_STRING(zv, string) \

And the others need this too, hm :/

@nielsdos nielsdos changed the title SEGV Zend/zend_smart_str.c:230 Engine UAF with reference assign and dtor Jan 11, 2025
nielsdos added a commit to nielsdos/php-src that referenced this issue Jan 11, 2025
@nielsdos
Fix phpGH-17442: Engine UAF with reference assign and dtor
9ab9dc2
@nielsdos nielsdos linked a pull request Jan 11, 2025 that will close this issue
Fix GH-17442: Engine UAF with reference assign and dtor #17443
Closed
@YuanchengJiang YuanchengJiang mentioned this issue Jan 11, 2025
Closed
nielsdos added a commit to nielsdos/php-src that referenced this issue Jan 26, 2025
@nielsdos
Fix phpGH-17442: Engine UAF with reference assign and dtor
6852055
nielsdos added a commit to nielsdos/php-src that referenced this issue Jan 26, 2025
@nielsdos
Fix phpGH-17442: Engine UAF with reference assign and dtor
65ae09b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Category: Engine Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-17442: Engine UAF with reference assign and dtor nielsdos/php-src
3 participants
@devnexen @nielsdos @YuanchengJiang