Bug #79919 Stack use-after-scope in define()
Submitted: 2020-07-30 22:03 UTC Modified: 2020-07-31 09:01 UTC
From: srivas41 at purdue dot edu Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.8 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2020-07-30 22:03 UTC] srivas41 at purdue dot edu
Description:
------------
A stack use-after-scope vulnerability exists in `ZEND_FUNCTION(define)`, located in `Zend/zend_builtin_functions.c:876`, and is triggered through the `zval_get_type` function in `Zend/zend_types.h:441`. This can be triggered on PHP 7.4.8 on Ubuntu 18.04 compiled with clang/clang++ v9.0.

# Build instructions

## Download and build PHP-7.4.8
wget https://www.php.net/distributions/php-7.4.8.tar.gz && tar -xf php-7.4.8.tar.gz && cd php-7.4.8

## Setup PHP interpreter
./buildconf --force && CC=clang-9 CXX=clang++-9 CFLAGS="-fsanitize=address -g" ./configure && make -j`nproc`

## Run instructions
./sapi/cli/php -f test_script.php


Test script:
---------------
<?php
// error_log() with no destination writes "0" to stderr and returns true
$b=error_log(0);
// $d is undefined (null), so the default class is used; true becomes options=1,
// i.e. LIBXML_RECOVER, so a SimpleXMLElement is returned despite the parse warnings
$b=simplexml_load_string(0,$d,$b);
// define() follows the object's get handler, which is the path that reads the stale rv
define(0,$b);
?>


Expected result:
----------------
No stack use-after scope vulnerability should be reported.

Actual result:
--------------
$ ~/build/php-7.4.8/sapi/cli/php -f minimized_input.php
0

Warning: simplexml_load_string(): Entity: line 1: parser error : Start tag expected, '<' not found in /root/php/minimized_input.php on line 3

Warning: simplexml_load_string(): 0 in /root/minimized_input.php on line 3

Warning: simplexml_load_string(): ^ in /root/minimized_input.php on line 3
=================================================================
==13655==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffffffa1f8 at pc 0x0000010e16d6 bp 0x7fffffffa130 sp 0x7fffffffa128
READ of size 1 at 0x7fffffffa1f8 thread T0
    #0 0x10e16d5 in zval_get_type /root/build/php-7.4.8/Zend/zend_types.h:441:18
    #1 0x10e16d5 in zif_define /root/build/php-7.4.8/Zend/zend_builtin_functions.c:876:10
    #2 0x12e5ce4 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/build/php-7.4.8/Zend/zend_vm_execute.h:1269:2
    #3 0x11b3db7 in execute_ex /root/build/php-7.4.8/Zend/zend_vm_execute.h:53618:7
    #4 0x11b44b8 in zend_execute /root/build/php-7.4.8/Zend/zend_vm_execute.h:57920:2
    #5 0x106db5c in zend_execute_scripts /root/build/php-7.4.8/Zend/zend.c:1678:4
    #6 0xe60581 in php_execute_script /root/build/php-7.4.8/main/main.c:2621:14
    #7 0x137243f in do_cli /root/build/php-7.4.8/sapi/cli/php_cli.c:964:5
    #8 0x136f698 in main /root/build/php-7.4.8/sapi/cli/php_cli.c:1359:18
    #9 0x7ffff6307b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x440909 in _start (/root/build/php-7.4.8/sapi/cli/php+0x440909)

Address 0x7fffffffa1f8 is located in stack of thread T0 at offset 184 in frame
    #0 0x10e095f in zif_define /root/build/php-7.4.8/Zend/zend_builtin_functions.c:850

  This frame has 5 object(s):
    [32, 40) 'name' (line 851)
    [64, 80) 'val_free' (line 852)
    [96, 97) 'non_cs' (line 853)
    [112, 136) 'c' (line 855)
    [176, 192) 'rv' (line 898) <== Memory access at offset 184 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /root/build/php-7.4.8/Zend/zend_types.h:441:18 in zval_get_type
Shadow bytes around the buggy address:
  0x10007fff73e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff73f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7420: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
=>0x10007fff7430: 00 00 f2 f2 01 f2 00 00 00 f2 f2 f2 f2 f2 f8[f8]
  0x10007fff7440: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7460: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13655==ABORTING
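
The trace above says what the PHP script alone does not: the access is inside `rv` (frame offset 184, declared at line 898), i.e. the `IS_OBJECT` branch of `define()` was taken. That happens because `error_log()` returns `true`, which `simplexml_load_string()` takes as `$options = 1` (`LIBXML_RECOVER`), so a `SimpleXMLElement` comes back despite the parse warnings; `define()` then calls the object's `get` handler with a pointer to a block-scoped `rv`, and `goto repeat` re-reads that pointer after the block has ended. The C below is an added example that models that control flow with a toy value type and handler; it is not php-src code, and `struct val`, `object_get_long` and the two `define_type_*` functions are stand-ins invented for the illustration. The "fixed" form hoists `rv` to function scope, which is the natural repair for this shape; the linked pull request is the authoritative upstream change.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for a zval: a type tag plus a payload. Hypothetical layout
 * for this example, not Zend's real struct. */
enum val_type { T_UNDEF = 0, T_LONG, T_STRING, T_OBJECT };

struct val;
/* Same shape as zend_object_handlers.get: write the scalar value into
 * caller-provided storage rv and return a pointer to it. */
typedef struct val *(*get_handler)(struct val *obj, struct val *rv);

struct val {
    enum val_type type;
    long lval;           /* payload for T_LONG, or the value an object converts to */
    get_handler get;     /* T_OBJECT only; NULL when the class has no get handler */
};

/* Hypothetical get handler in the role SimpleXMLElement plays in the PoC:
 * the object converts to a scalar that is placed in rv. */
static struct val *object_get_long(struct val *obj, struct val *rv)
{
    rv->type = T_LONG;
    rv->lval = obj->lval;
    rv->get = NULL;
    return rv;
}

/* Buggy shape, modelled on zif_define in 7.4.8: rv is declared inside the
 * object branch, val is pointed at it, and `goto repeat` jumps back past the
 * end of rv's block, so `switch (val->type)` reads a dead stack object
 * (ASan: stack-use-after-scope). Kept only for comparison; run it only under
 * -fsanitize=address to watch it get flagged, never rely on its result. */
static enum val_type define_type_buggy(struct val *val)
{
    struct val val_free = { T_UNDEF, 0, NULL };

repeat:
    switch (val->type) {             /* after the goto, val points at dead rv */
    case T_OBJECT:
        if (val_free.type == T_UNDEF && val->get) {
            struct val rv;           /* lifetime ends at the closing brace below */
            val = val->get(val, &rv);
            val_free = *val;         /* remember that we own the converted value */
            goto repeat;
        }
        return T_OBJECT;
    default:
        return val->type;
    }
}

/* Repaired shape: rv is hoisted to function scope, so the pointer stored in
 * val stays valid for the second pass through the switch. */
static enum val_type define_type_fixed(struct val *val)
{
    struct val val_free = { T_UNDEF, 0, NULL };
    struct val rv;                   /* outlives the goto */

repeat:
    switch (val->type) {
    case T_OBJECT:
        if (val_free.type == T_UNDEF && val->get) {
            val = val->get(val, &rv);
            val_free = *val;
            goto repeat;
        }
        return T_OBJECT;
    default:
        return val->type;
    }
}

int main(void)
{
    /* Constructed inputs: an object with a get handler (the PoC's case), an
     * object without one, and a plain string. */
    struct val with_get = { T_OBJECT, 42, object_get_long };
    struct val no_get   = { T_OBJECT, 7, NULL };
    struct val str      = { T_STRING, 0, NULL };

    (void)define_type_buggy;         /* referenced only to silence unused warnings */
    assert(define_type_fixed(&with_get) == T_LONG);
    assert(define_type_fixed(&no_get) == T_OBJECT);
    assert(define_type_fixed(&str) == T_STRING);
    printf("fixed: object with get handler resolves to type %d (T_LONG)\n",
           (int)define_type_fixed(&with_get));
    return 0;
}
```

Compiling the model with `clang -fsanitize=address -g` and calling `define_type_buggy` on `with_get` reproduces the report's shape: a one-byte read of the type tag inside a variable whose frame offset ASan attributes to `rv`. Without ASan the read usually "works" because the stack slot is still intact, which is why this class of bug hides until a sanitizer build or a change in stack layout exposes it.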

History

 [2020-07-30 22:11 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Scripting Engine problem
 [2020-07-31 07:13 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79919: Stack use-after-scope in define
On GitHub:  https://github.com/php/php-src/pull/5912
Patch:      https://github.com/php/php-src/pull/5912.patch
 [2020-07-31 09:00 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e0bc6e30f9fb327cd06383c8290a8afab1e484d
Log: Fix #79919: Stack use-after-scope in define()
 [2020-07-31 09:00 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2020-07-31 09:01 UTC] cmb@php.net
-Summary: Stack use-after-scope vulnerability in ZEND_FUNCTION(define) +Summary: Stack use-after-scope in define() -Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC