Bug #72162 use-after-free - error_reporting
Submitted: 2016-05-04 21:10 UTC Modified: 2016-05-04 21:49 UTC
From: shm@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
 [2016-05-04 21:10 UTC] shm@php.net
Description:
------------
A use-after-free condition can be triggered by the simple script attached below. It's caused by a call to zend_string_release():

    #1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
    #3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730

in the error_reporting function when a DateTimeImmutable is supplied to it. This can be turned into code execution.

Test script:
---------------
<?php

error_reporting(1);
$var11 = date_create_immutable();
$var16 = error_reporting($var11);

Expected result:
----------------
Use-After-Free condition is avoided.

Actual result:
--------------
$ ./php error_reporting.php
=================================================================
==15187== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600023235 at pc 0xf89a78 bp 0x7fff001c2ec0 sp 0x7fff001c2eb8
READ of size 1 at 0x600600023235 thread T0
    #0 0xf89a77 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:269
    #1 0xf8a1e5 in zend_restore_ini_entry_cb /home/shm/src/php-7.0.6/Zend/zend_ini.c:67
    #2 0xf8a3b2 in zend_restore_ini_entry_wrapper /home/shm/src/php-7.0.6/Zend/zend_ini.c:82
    #3 0xf697b9 in zend_hash_apply /home/shm/src/php-7.0.6/Zend/zend_hash.c:1534
    #4 0xf8a6bf in zend_ini_deactivate /home/shm/src/php-7.0.6/Zend/zend_ini.c:142
    #5 0xf2ed59 in zend_deactivate /home/shm/src/php-7.0.6/Zend/zend.c:970
    #6 0xdbe28b in php_request_shutdown /home/shm/src/php-7.0.6/main/main.c:1833
    #7 0x1149049 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1141
    #8 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #9 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
0x600600023235 is located 5 bytes inside of 32-byte region [0x600600023230,0x600600023250)
freed by thread T0 here:
    #0 0x7fe19ef6533a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
    #3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730
    #4 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #5 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #6 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #7 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #8 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #9 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #10 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #11 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
previously allocated by thread T0 here:
    #0 0x7fe19ef6541a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea6520 in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf04758 in zend_string_alloc /home/shm/src/php-7.0.6/Zend/zend_string.h:121
    #3 0xf04859 in zend_string_init /home/shm/src/php-7.0.6/Zend/zend_string.h:157
    #4 0xf249e3 in zend_long_to_str /home/shm/src/php-7.0.6/Zend/zend_operators.c:2746
    #5 0xf0c4a2 in _zval_get_string_func /home/shm/src/php-7.0.6/Zend/zend_operators.c:830
    #6 0xf73187 in _zval_get_string /home/shm/src/php-7.0.6/Zend/zend_operators.h:266
    #7 0xf773d8 in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:733
    #8 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #9 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_string.h:269 zend_string_release
==15187== ABORTING
Aborted
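The ordering the two ASan stacks above describe (old ini value released at zend_builtin_functions.c:730, argument conversion at :733, second release from zend_restore_ini_entry_cb at shutdown), as an added C model written for this page rather than PHP's own code. It assumes that the failed object-to-string conversion ends the call before a replacement value is stored (my reading of the trace), and contrasts that order with the safe one (convert first, release only after success):

```c
#include <stdlib.h>

/* Toy zend_string: tracked by a live flag and never free()d, so a second
 * release is detectable instead of being undefined behaviour. */
typedef struct { int live; } zstr;
static zstr *zstr_new(void) { zstr *z = malloc(sizeof *z); z->live = 1; return z; }
/* Models zend_string_release(): -1 = already released (the read ASan flagged). */
static int zstr_release(zstr *z) { int was = z->live; z->live = 0; return was ? 0 : -1; }

/* Ini entry as in the trace: value is restored to orig_value at shutdown. */
typedef struct { zstr *orig_value; zstr *value; } ini_entry;
/* Stand-in for zval_get_string(): NULL = argument not convertible (the
 * DateTimeImmutable case); assumed to end the call before a store happens. */
static zstr *convert(const char *arg) { return arg ? zstr_new() : NULL; }

/* Vulnerable order (trace: release at line 730, convert at line 733). */
static int set_unsafe(ini_entry *p, const char *arg) {
    if (p->value != p->orig_value) zstr_release(p->value);
    zstr *nv = convert(arg);
    if (!nv) return -1;               /* p->value now dangles */
    p->value = nv;
    return 0;
}
/* Hardened order: convert first; on failure the entry is untouched. */
static int set_safe(ini_entry *p, const char *arg) {
    zstr *nv = convert(arg);
    if (!nv) return -1;
    if (p->value != p->orig_value) zstr_release(p->value);
    p->value = nv;
    return 0;
}
/* Models zend_restore_ini_entry_cb at request shutdown. */
static int shutdown_restore(ini_entry *p) {
    int rc = (p->value != p->orig_value) ? zstr_release(p->value) : 0;
    p->value = p->orig_value;
    return rc;
}
/* Replays the page's script: error_reporting(1), then error_reporting($obj).
 * Returns 0 for a clean shutdown, -1 if a released string was touched again. */
static int replay(int (*set)(ini_entry *, const char *)) {
    zstr *orig = zstr_new();          /* constructed initial ini value */
    ini_entry p = { orig, orig };
    set(&p, "1");                     /* allocates a new string, as zend_long_to_str did */
    set(&p, NULL);                    /* object conversion fails */
    return shutdown_restore(&p);
}
```

With the unsafe order, replay() reports the second release at shutdown, which is the read the ASan report above attributes to zend_restore_ini_entry_cb; with the safe order it is clean.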

History

 [2016-05-04 21:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-05 03:02 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9191862121411858036b0d2a06c3a99229c8bd24
Log: Fixed bug #72162 (use-after-free - error_reporting)
 [2016-05-05 03:02 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-05-05 15:32 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e5b38100411d3b8fa4486c7c41dec7dedb4b474
Log: Fix bug #72162 (again)
 [2016-05-06 02:53 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=441d1b8ef07c5dc7f5a7fada46d829eed21ed4bc
Log: Revert "Fix bug #72162 (again)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=441d1b8ef07c5dc7f5a7fada46d829eed21ed4bc
Log: Revert "Fix bug #72162 (again)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e5b38100411d3b8fa4486c7c41dec7dedb4b474
Log: Fix bug #72162 (again)
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9191862121411858036b0d2a06c3a99229c8bd24
Log: Fixed bug #72162 (use-after-free - error_reporting)