Bug #74843 Use-after-free Cycle GC in combination with Reflection API
Submitted: 2017-07-02 08:28 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: stesie@php.net Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.0.20 OS: Linux Ubuntu/16.04
Private report: No CVE-ID: None

 [2017-07-02 08:28 UTC] stesie@php.net
Description:
------------
Hello,

Unfortunately I cannot reduce this down to a simple test script; yet the problem is reproducible on multiple machines. The problem is triggered by the integration test suite of Symfony CMF Sandbox (Travis log here: https://travis-ci.org/symfony-cmf/cmf-sandbox/builds/248151096).

Things I already found out:

-> affects PHP versions from 7.0.x branch (tested 7.0.1 and 7.0.20)
-> 7.1.x not affected
-> ZTS must be *enabled*
-> PHP does not crash with -d zend.enable_gc=0

PHP was compiled with ASAN using:

./configure --enable-maintainer-zts --prefix=/testing-7.1.0 --with-readline --with-openssl --with-curl CFLAGS="-fsanitize=address -fno-omit-frame-pointer -fno-optimize-sibling-calls -O0 -ggdb"  LDFLAGS="-fsanitize=address -ggdb"


Actual result:
--------------
root@0dbebda4d8b8:~/cmf-sandbox# /testing/bin/php  -d memory_limit=-1  vendor/bin/simple-phpunit -vvv --debug  tests/Functional/StaticPageTest.php 
PHPUnit 5.7.21 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.0.20
Configuration: /root/cmf-sandbox/phpunit.xml.dist

Testing Tests\Functional\StaticPageTest

Starting test 'Tests\Functional\StaticPageTest::testContent with data set #0 ('/en', 'Homepage')'.
.
Starting test 'Tests\Functional\StaticPageTest::testContent with data set #1 ('/en/projects', 'The projects')'.
=================================================================
==1994==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000181950 at pc 0x000000fe1834 bp 0x7fff64d34bc0 sp 0x7fff64d34bb0
READ of size 4 at 0x607000181950 thread T0
    #0 0xfe1833 in zval_refcount_p /tmp/php-7.0.20/Zend/zend_types.h:812
    #1 0xfe1833 in zval_update_constant_ex /tmp/php-7.0.20/Zend/zend_execute_API.c:563
    #2 0xabfecc in zim_reflection_parameter_getDefaultValue /tmp/php-7.0.20/ext/reflection/php_reflection.c:2872
    #3 0x11d2ef5 in ZEND_DO_FCALL_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:842
    #4 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #5 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #6 0xc5397b in zif_call_user_func /tmp/php-7.0.20/ext/standard/basic_functions.c:4786
    #7 0x11cf78a in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:714
    #8 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #9 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #10 0xc5397b in zif_call_user_func /tmp/php-7.0.20/ext/standard/basic_functions.c:4786
    #11 0x11cf78a in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:714
    #12 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #13 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #14 0xac7258 in zim_reflection_method_invokeArgs /tmp/php-7.0.20/ext/reflection/php_reflection.c:3355
    #15 0x11d2ef5 in ZEND_DO_FCALL_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:842
    #16 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #17 0x11c72d1 in zend_execute /tmp/php-7.0.20/Zend/zend_vm_execute.h:458
    #18 0x104226f in zend_execute_scripts /tmp/php-7.0.20/Zend/zend.c:1443
    #19 0xe2ce69 in php_execute_script /tmp/php-7.0.20/main/main.c:2492
    #20 0x147143b in do_cli /tmp/php-7.0.20/sapi/cli/php_cli.c:977
    #21 0x14740c1 in main /tmp/php-7.0.20/sapi/cli/php_cli.c:1347
    #22 0x7f3afd69082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x42c678 in _start (/testing/bin/php+0x42c678)

0x607000181950 is located 0 bytes inside of 72-byte region [0x607000181950,0x607000181998)
freed by thread T0 here:
    #0 0x7f3aff3342ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xf6f6ef in _efree /tmp/php-7.0.20/Zend/zend_alloc.c:2472
    #2 0x103396d in zend_string_free /tmp/php-7.0.20/Zend/zend_string.h:263
    #3 0x103396d in _zval_dtor_func_for_ptr /tmp/php-7.0.20/Zend/zend_variables.c:89
    #4 0x116b19c in i_zval_ptr_dtor /tmp/php-7.0.20/Zend/zend_variables.h:58
    #5 0x116b19c in zend_object_std_dtor /tmp/php-7.0.20/Zend/zend_objects.c:69
    #6 0x112591d in zend_gc_collect_cycles /tmp/php-7.0.20/Zend/zend_gc.c:1128
    #7 0x111b5fc in gc_possible_root /tmp/php-7.0.20/Zend/zend_gc.c:236
    #8 0x11c7be1 in gc_check_possible_root /tmp/php-7.0.20/Zend/zend_gc.h:149
    #9 0x11c7be1 in i_free_compiled_variables /tmp/php-7.0.20/Zend/zend_execute.c:2080
    #10 0x11c7be1 in zend_leave_helper_SPEC /tmp/php-7.0.20/Zend/zend_vm_execute.h:470
    #11 0x11fa6bd in ZEND_RETURN_SPEC_CONST_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:3136
    #12 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #13 0x11c72d1 in zend_execute /tmp/php-7.0.20/Zend/zend_vm_execute.h:458
    #14 0x104226f in zend_execute_scripts /tmp/php-7.0.20/Zend/zend.c:1443
    #15 0xe2ce69 in php_execute_script /tmp/php-7.0.20/main/main.c:2492
    #16 0x147143b in do_cli /tmp/php-7.0.20/sapi/cli/php_cli.c:977
    #17 0x14740c1 in main /tmp/php-7.0.20/sapi/cli/php_cli.c:1347
    #18 0x7f3afd69082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f3aff334602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xf726d1 in __zend_malloc /tmp/php-7.0.20/Zend/zend_alloc.c:2864
    #2 0xf6f166 in _emalloc /tmp/php-7.0.20/Zend/zend_alloc.c:2457
    #3 0xf7c25e in zend_string_alloc Zend/zend_string.h:121
    #4 0xf7c25e in zend_concat3 /tmp/php-7.0.20/Zend/zend_compile.c:731
    #5 0xf7c466 in zend_concat_names /tmp/php-7.0.20/Zend/zend_compile.c:742
    #6 0xf7c668 in zend_prefix_with_ns /tmp/php-7.0.20/Zend/zend_compile.c:748
    #7 0xf7d295 in zend_resolve_non_class_name /tmp/php-7.0.20/Zend/zend_compile.c:821
    #8 0xf7d4a7 in zend_resolve_const_name /tmp/php-7.0.20/Zend/zend_compile.c:833
    #9 0xfcd01b in zend_compile_const_expr_const /tmp/php-7.0.20/Zend/zend_compile.c:6965
    #10 0xfcdb07 in zend_compile_const_expr /tmp/php-7.0.20/Zend/zend_compile.c:7021
    #11 0xfcdb60 in zend_const_expr_to_zval /tmp/php-7.0.20/Zend/zend_compile.c:7037
    #12 0xfabe01 in zend_compile_params /tmp/php-7.0.20/Zend/zend_compile.c:4571
    #13 0xfb0d91 in zend_compile_func_decl /tmp/php-7.0.20/Zend/zend_compile.c:4968
    #14 0xfce75f in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7151
    #15 0xfaa532 in zend_compile_stmt_list /tmp/php-7.0.20/Zend/zend_compile.c:4429
    #16 0xfce5f2 in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7095
    #17 0xfb680f in zend_compile_class_decl /tmp/php-7.0.20/Zend/zend_compile.c:5376
    #18 0xfce7af in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7163
    #19 0xfcdfb7 in zend_compile_top_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7069
    #20 0xfcdf5f in zend_compile_top_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7064
    #21 0xed1af9 in compile_file Zend/zend_language_scanner.l:608
    #22 0xa4b394 in phar_compile_file /tmp/php-7.0.20/ext/phar/phar.c:3337
    #23 0xed25dd in compile_filename Zend/zend_language_scanner.l:649
    #24 0x136aec8 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:29518
    #25 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #26 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #27 0x10f7df2 in zend_call_method /tmp/php-7.0.20/Zend/zend_interfaces.c:104
    #28 0xb4da85 in zif_spl_autoload_call /tmp/php-7.0.20/ext/spl/php_spl.c:421
    #29 0xfe8486 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:887
    #30 0xfeb72b in zend_lookup_class_ex /tmp/php-7.0.20/Zend/zend_execute_API.c:1049

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-7.0.20/Zend/zend_types.h:812 zval_refcount_p
==1994==ABORTING


PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC