Bug #72162 use-after-free - error_reporting
Submitted: 2016-05-04 21:10 UTC Modified: 2016-05-04 21:49 UTC
From: shm@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
 [2016-05-04 21:10 UTC] shm@php.net
Description:
------------
A use-after-free condition can be triggered by the simple script attached below. It's caused by a call to zend_string_release():

    #1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
    #3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730

in the error_reporting function when a DateTimeImmutable is supplied to the function. This can be turned into code execution.

Test script:
---------------
<?php

error_reporting(1);                    // first call: the error_reporting INI entry is modified
$var11 = date_create_immutable();      // a DateTimeImmutable object, not an integer level
$var16 = error_reporting($var11);      // second call with the object triggers the use-after-free

Expected result:
----------------
Use-After-Free condition is avoided.

Actual result:
--------------
$ ./php error_reporting.php
=================================================================
==15187== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600023235 at pc 0xf89a78 bp 0x7fff001c2ec0 sp 0x7fff001c2eb8
READ of size 1 at 0x600600023235 thread T0
    #0 0xf89a77 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:269
    #1 0xf8a1e5 in zend_restore_ini_entry_cb /home/shm/src/php-7.0.6/Zend/zend_ini.c:67
    #2 0xf8a3b2 in zend_restore_ini_entry_wrapper /home/shm/src/php-7.0.6/Zend/zend_ini.c:82
    #3 0xf697b9 in zend_hash_apply /home/shm/src/php-7.0.6/Zend/zend_hash.c:1534
    #4 0xf8a6bf in zend_ini_deactivate /home/shm/src/php-7.0.6/Zend/zend_ini.c:142
    #5 0xf2ed59 in zend_deactivate /home/shm/src/php-7.0.6/Zend/zend.c:970
    #6 0xdbe28b in php_request_shutdown /home/shm/src/php-7.0.6/main/main.c:1833
    #7 0x1149049 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1141
    #8 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #9 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
0x600600023235 is located 5 bytes inside of 32-byte region [0x600600023230,0x600600023250)
freed by thread T0 here:
    #0 0x7fe19ef6533a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
    #3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730
    #4 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #5 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #6 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #7 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #8 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #9 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #10 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #11 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
previously allocated by thread T0 here:
    #0 0x7fe19ef6541a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea6520 in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf04758 in zend_string_alloc /home/shm/src/php-7.0.6/Zend/zend_string.h:121
    #3 0xf04859 in zend_string_init /home/shm/src/php-7.0.6/Zend/zend_string.h:157
    #4 0xf249e3 in zend_long_to_str /home/shm/src/php-7.0.6/Zend/zend_operators.c:2746
    #5 0xf0c4a2 in _zval_get_string_func /home/shm/src/php-7.0.6/Zend/zend_operators.c:830
    #6 0xf73187 in _zval_get_string /home/shm/src/php-7.0.6/Zend/zend_operators.h:266
    #7 0xf773d8 in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:733
    #8 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #9 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7fe19e111ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_string.h:269 zend_string_release
Shadow bytes around the buggy address:
  0x0c013fffc5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc600: fa fa fa fa fa fa fa fa fa fa 00 00 00 01 fa fa
  0x0c013fffc610: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c013fffc620: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c013fffc630: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x0c013fffc640: fd fd fd fa fa fa[fd]fd fd fd fa fa 00 00 00 fa
  0x0c013fffc650: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x0c013fffc660: 00 00 fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c013fffc670: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c013fffc680: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c013fffc690: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==15187== ABORTING
Aborted
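The ASan trace shows the string being freed inside zif_error_reporting (the zend_string_release call at zend_builtin_functions.c:730) and then touched again at request shutdown from zend_restore_ini_entry_cb. The C program below is an added illustration, not PHP's own code, of the ordering that produces exactly that pattern: an INI entry releases its current value, the conversion of the new argument fails and unwinds through a longjmp (standing in for zend_bailout), and the entry is left holding a dangling pointer that shutdown releases a second time. It assumes, as my reading of the trace rather than anything the report states, that converting the DateTimeImmutable argument to a string fails fatally after the old value has already been released; the tracked "heap", the `ini_entry` struct and the function names are all constructed for the model. The safe ordering beside it computes the new value before releasing the old one, so a failed conversion leaves the entry intact.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A tiny tracked "heap": each string lives in a slot, and releasing a slot
 * that is not live is counted instead of corrupting the process heap, so the
 * model can report the bug rather than crash on it. */
#define MAX_SLOTS 16
typedef struct { char text[32]; int live; } str_t;
static str_t heap[MAX_SLOTS];
static int bad_releases; /* releases of an already-freed string */

static str_t *str_alloc(const char *s) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!heap[i].live) {
            heap[i].live = 1;
            snprintf(heap[i].text, sizeof heap[i].text, "%s", s);
            return &heap[i];
        }
    }
    abort(); /* the model never needs more than a few strings */
}

static void str_release(str_t *s) {
    if (!s->live) { bad_releases++; return; } /* on a real heap: use-after-free */
    s->live = 0;
}

/* One INI entry with the modified/orig_value bookkeeping (constructed model). */
typedef struct { str_t *value; str_t *orig_value; int modified; } ini_entry;

static jmp_buf bailout;

/* Converting the argument to a string can fail. In PHP 7 an object with no
 * string conversion raises a fatal error that unwinds via zend_bailout()
 * (a longjmp); here a NULL argument stands in for that unconvertible object. */
static str_t *arg_to_string(const char *arg) {
    if (arg == NULL) longjmp(bailout, 1);
    return str_alloc(arg);
}

/* Buggy ordering: the old value is released before the new one is computed.
 * If the conversion bails out, p->value is left pointing at freed memory. */
static void set_entry_buggy(ini_entry *p, const char *arg) {
    if (!p->modified) {
        p->orig_value = p->value;
        p->modified = 1;
    } else if (p->orig_value != p->value) {
        str_release(p->value);          /* freed here ... */
    }
    p->value = arg_to_string(arg);      /* ... but this line may never run */
}

/* Safe ordering: compute the new value first. If the conversion bails out,
 * nothing has been released and the entry still owns a live string. */
static void set_entry_fixed(ini_entry *p, const char *arg) {
    str_t *new_val = arg_to_string(arg);
    if (!p->modified) {
        p->orig_value = p->value;
        p->modified = 1;
    } else if (p->orig_value != p->value) {
        str_release(p->value);
    }
    p->value = new_val;
}

/* Request shutdown restores the original value and releases the modified one;
 * this is the step where the trace's zend_restore_ini_entry_cb touches the
 * already-freed string. */
static void restore_entry(ini_entry *p) {
    if (!p->modified) return;
    if (p->orig_value != p->value) str_release(p->value);
    p->value = p->orig_value;
    p->modified = 0;
}

/* Replays the reported script against one ordering and returns the number of
 * invalid releases seen: 0 for a clean request, 1 for the reported UAF. */
static int run_script(void (*set_entry)(ini_entry *, const char *)) {
    static ini_entry e; /* static: keeps defined contents across the longjmp */
    memset(heap, 0, sizeof heap);
    bad_releases = 0;
    e.value = str_alloc("0"); /* startup default, not yet modified */
    e.orig_value = NULL;
    e.modified = 0;
    if (setjmp(bailout) == 0) {
        set_entry(&e, "1");   /* error_reporting(1): first modification */
        set_entry(&e, NULL);  /* error_reporting($dateTimeImmutable): conversion fails */
    }
    restore_entry(&e);        /* php_request_shutdown -> zend_ini_deactivate */
    return bad_releases;
}

int main(void) {
    printf("release-before-convert: %d invalid release(s)\n", run_script(set_entry_buggy));
    printf("convert-before-release: %d invalid release(s)\n", run_script(set_entry_fixed));
    return 0;
}
```

The general lesson the model isolates is the one a reviewer should look for in any interpreter or runtime written in C with non-local error handling: between releasing an owned object and storing its replacement, no call may be allowed to throw, bail out or otherwise unwind, because the owner's pointer is dangling for that window and a later cleanup pass will free it again. Computing the replacement first, or clearing the pointer before the release, closes the window.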

History

 [2016-05-04 21:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-05 03:02 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9191862121411858036b0d2a06c3a99229c8bd24
Log: Fixed bug #72162 (use-after-free - error_reporting)
 [2016-05-05 03:02 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-05-05 15:32 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e5b38100411d3b8fa4486c7c41dec7dedb4b474
Log: Fix bug #72162 (again)
 [2016-05-06 02:53 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=441d1b8ef07c5dc7f5a7fada46d829eed21ed4bc
Log: Revert "Fix bug #72162 (again)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=441d1b8ef07c5dc7f5a7fada46d829eed21ed4bc
Log: Revert "Fix bug #72162 (again)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e5b38100411d3b8fa4486c7c41dec7dedb4b474
Log: Fix bug #72162 (again)
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9191862121411858036b0d2a06c3a99229c8bd24
Log: Fixed bug #72162 (use-after-free - error_reporting)
Last updated: Wed Nov 06 03:01:29 2024 UTC