Bug #79151 heap use after free caused by spl_dllist_it_helper_move_forward
Submitted: 2020-01-21 17:51 UTC Modified: 2020-01-22 08:22 UTC
From: wxhusst at gmail dot com Assigned:
Status: Closed Package: SPL related
PHP Version: master-Git-2020-01-21 (Git) OS: linux
Private report: No CVE-ID: None
 [2020-01-21 17:51 UTC] wxhusst at gmail dot com
Description:
------------
=================================================================
==130430==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400003c1e0 at pc 0x0000015c22b9 bp 0x7ffc23e33710 sp 0x7ffc23e33708
READ of size 4 at 0x60400003c1e0 thread T0
    #0 0x15c22b8 in spl_dllist_it_helper_move_forward /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:977:3
    #1 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #2 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #3 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #4 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #5 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #6 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #7 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #8 0x7fea402fa1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #9 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

0x60400003c1e0 is located 16 bytes inside of 40-byte region [0x60400003c1d0,0x60400003c1f8)
freed by thread T0 here:
    #0 0x6adb42 in free /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x15c1b47 in spl_ptr_llist_pop /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:266:2
    #2 0x15c1b47 in spl_dllist_it_helper_move_forward /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:959
    #3 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #4 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7

previously allocated by thread T0 here:
    #0 0x6adec3 in malloc /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x1c75540 in __zend_malloc /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_alloc.c:2975:14
    #2 0x22e3868 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1618:4
    #3 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7

SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/fuzz/php-src-php-7.4.2/ext/spl/spl_dllist.c:977:3 in spl_dllist_it_helper_move_forward
Shadow bytes around the buggy address:
==130430==ABORTING

Test script:
---------------
<?php

$a = new SplDoublyLinkedList();

$a->setIteratorMode(-1);
$a->unshift(array(array("a" => 1, "b" => "2", "c" => 3.0), array("a", "xxxxxx", 2.2250738585072011e-308), 2.2250738585072011e-308));
$a->rewind();
$a->unshift(implode(array_map(function($c) {return "\\x" . str_pad(dechex($c), 2, "0");}, range(0, 255))));
$a->pop();
$a->next();

?>

Expected result:
----------------
normal

Actual result:
--------------
crash

History

 [2020-01-21 19:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-01-21 22:51 UTC] wxhusst at gmail dot com
Why is this bug just a normal bug?
 [2020-01-22 00:13 UTC] requinix@php.net
@wxhusst: Because this requires running specific and unusual code. See https://wiki.php.net/security
 [2020-01-22 08:22 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-01-22 08:22 UTC] nikic@php.net
Reduced a bit:

<?php
$a = new SplDoublyLinkedList();
$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_LIFO | SplDoublyLinkedList::IT_MODE_DELETE);
$a->push(1);
$a->rewind();
$a->unshift(2);
$a->pop();
$a->next();
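As an added illustration (not code from this report or from php-src), here is a small C model of a refcounted doubly linked list with a LIFO, delete-on-advance iterator. next_buggy follows the shape the ASan trace shows (a pop inside the advance step frees the node the step then touches), next_guarded shows one way to guard it, and reproduce() replays the reduced sequence above; node layout, field names and the guard are assumptions of this model.

```c
#include <stdlib.h>
/* Model of a refcounted doubly linked list with a LIFO, delete-on-advance
 * iterator (illustration only, not PHP's source). Field order mirrors the
 * trace: rc sits 16 bytes into the node, where line 977 read freed memory. */
typedef struct node { struct node *prev, *next; int rc; long value; } node;
typedef struct { node *head, *tail; int count; } llist;
typedef struct { node *pos; } iter;
static node *mknode(long v) { node *n = calloc(1, sizeof *n); n->rc = 1; n->value = v; return n; }
static void addref(node *n) { if (n) n->rc++; }
static void delref(node *n) { if (n && --n->rc == 0) free(n); }
static void push(llist *l, long v) {                    /* append at tail */
    node *n = mknode(v); n->prev = l->tail;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n; l->count++;
}
static void unshift(llist *l, long v) {                 /* prepend at head */
    node *n = mknode(v); n->next = l->head;
    if (l->head) l->head->prev = n; else l->tail = n;
    l->head = n; l->count++;
}
static long pop(llist *l) {                             /* unlink tail, drop list's ref */
    node *t = l->tail; long v = t->value; l->tail = t->prev;
    if (l->tail) l->tail->next = NULL; else l->head = NULL;
    l->count--; delref(t); return v;
}
/* rewind in LIFO mode: the iterator holds its own reference on the tail */
static void rewind_lifo(iter *it, llist *l) { delref(it->pos); it->pos = l->tail; addref(it->pos); }
/* Buggy shape: step to the neighbour, pop the tail, then touch the new
 * position. Once an external pop() has detached `old`, the tail IS the new
 * position, so pop() frees it and addref() reads freed memory (ASan: UAF). */
void next_buggy(iter *it, llist *l) {
    node *old = it->pos; it->pos = old->prev;
    pop(l); addref(it->pos); delref(old);
}
/* Guarded: take the new reference first and delete only while `old` is still
 * the tail; if it was already removed, the iterator just drops its own ref. */
void next_guarded(iter *it, llist *l) {
    node *old = it->pos; it->pos = old->prev; addref(it->pos);
    if (l->tail == old) pop(l);
    delref(old);
}
/* Replays the reduced sequence (push 1, rewind, unshift 2, pop, next) against
 * the guarded step and returns value_at_position * 10 + remaining_count:
 * 21 means the iterator sits on node 2 and the list still holds one node. */
long reproduce(void) {
    llist l = {0}; iter it = {0};
    push(&l, 1); rewind_lifo(&it, &l); unshift(&l, 2); pop(&l);
    next_guarded(&it, &l);
    long r = (it.pos ? it.pos->value : 0) * 10 + l.count;
    delref(it.pos); while (l.count) pop(&l);
    return r;
}
```

Swapping next_guarded for next_buggy in reproduce() and building with -fsanitize=address reproduces a heap-use-after-free report of the same shape as the one above (free inside pop, read of rc inside the advance step).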
 [2020-01-23 13:21 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=db9776c53c50d923a26657fa150dfb2a482a6507
Log: Fixed bug #79151
 [2020-01-23 13:21 UTC] nikic@php.net
-Status: Verified +Status: Closed