PHP :: Bug #74843 :: Use-after-free Cycle GC in combination with Reflection API

Bug #74843

Use-after-free Cycle GC in combination with Reflection API

Submitted:

2017-07-02 08:28 UTC

Modified:

2021-09-05 04:22 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

stesie@php.net

Assigned:

cmb (profile)

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

7.0.20

OS:

Linux Ubuntu/16.04

Private report:

CVE-ID:

None

View Developer Edit

[2017-07-02 08:28 UTC] stesie@php.net

Description:
------------
Hello,

unfortunately I cannot reduce this down to a simple test script; yet the problem is reproducible on multiple machines.  The problem is triggered by the integration test suite of Symfony CMF Sandbox, (Travis log here: https://travis-ci.org/symfony-cmf/cmf-sandbox/builds/248151096)

Things I already found out

-> affects PHP versions from 7.0.x branch (tested 7.0.1 and 7.0.20)
-> 7.1.x not affected
-> ZTS must be *enabled*
-> PHP does not crash with -d zend.enable_gc=0

PHP with ASAN compiled with

./configure --enable-maintainer-zts --prefix=/testing-7.1.0 --with-readline --with-openssl --with-curl CFLAGS="-fsanitize=address -fno-omit-frame-pointer -fno-optimize-sibling-calls -O0 -ggdb"  LDFLAGS="-fsanitize=address -ggdb"


Actual result:
--------------
root@0dbebda4d8b8:~/cmf-sandbox# /testing/bin/php  -d memory_limit=-1  vendor/bin/simple-phpunit -vvv --debug  tests/Functional/StaticPageTest.php 
PHPUnit 5.7.21 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.0.20
Configuration: /root/cmf-sandbox/phpunit.xml.dist

Testing Tests\Functional\StaticPageTest

Starting test 'Tests\Functional\StaticPageTest::testContent with data set #0 ('/en', 'Homepage')'.
.
Starting test 'Tests\Functional\StaticPageTest::testContent with data set #1 ('/en/projects', 'The projects')'.
=================================================================
==1994==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000181950 at pc 0x000000fe1834 bp 0x7fff64d34bc0 sp 0x7fff64d34bb0
READ of size 4 at 0x607000181950 thread T0
    #0 0xfe1833 in zval_refcount_p /tmp/php-7.0.20/Zend/zend_types.h:812
    #1 0xfe1833 in zval_update_constant_ex /tmp/php-7.0.20/Zend/zend_execute_API.c:563
    #2 0xabfecc in zim_reflection_parameter_getDefaultValue /tmp/php-7.0.20/ext/reflection/php_reflection.c:2872
    #3 0x11d2ef5 in ZEND_DO_FCALL_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:842
    #4 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #5 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #6 0xc5397b in zif_call_user_func /tmp/php-7.0.20/ext/standard/basic_functions.c:4786
    #7 0x11cf78a in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:714
    #8 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #9 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #10 0xc5397b in zif_call_user_func /tmp/php-7.0.20/ext/standard/basic_functions.c:4786
    #11 0x11cf78a in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:714
    #12 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #13 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #14 0xac7258 in zim_reflection_method_invokeArgs /tmp/php-7.0.20/ext/reflection/php_reflection.c:3355
    #15 0x11d2ef5 in ZEND_DO_FCALL_SPEC_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:842
    #16 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #17 0x11c72d1 in zend_execute /tmp/php-7.0.20/Zend/zend_vm_execute.h:458
    #18 0x104226f in zend_execute_scripts /tmp/php-7.0.20/Zend/zend.c:1443
    #19 0xe2ce69 in php_execute_script /tmp/php-7.0.20/main/main.c:2492
    #20 0x147143b in do_cli /tmp/php-7.0.20/sapi/cli/php_cli.c:977
    #21 0x14740c1 in main /tmp/php-7.0.20/sapi/cli/php_cli.c:1347
    #22 0x7f3afd69082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x42c678 in _start (/testing/bin/php+0x42c678)

0x607000181950 is located 0 bytes inside of 72-byte region [0x607000181950,0x607000181998)
freed by thread T0 here:
    #0 0x7f3aff3342ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xf6f6ef in _efree /tmp/php-7.0.20/Zend/zend_alloc.c:2472
    #2 0x103396d in zend_string_free /tmp/php-7.0.20/Zend/zend_string.h:263
    #3 0x103396d in _zval_dtor_func_for_ptr /tmp/php-7.0.20/Zend/zend_variables.c:89
    #4 0x116b19c in i_zval_ptr_dtor /tmp/php-7.0.20/Zend/zend_variables.h:58
    #5 0x116b19c in zend_object_std_dtor /tmp/php-7.0.20/Zend/zend_objects.c:69
    #6 0x112591d in zend_gc_collect_cycles /tmp/php-7.0.20/Zend/zend_gc.c:1128
    #7 0x111b5fc in gc_possible_root /tmp/php-7.0.20/Zend/zend_gc.c:236
    #8 0x11c7be1 in gc_check_possible_root /tmp/php-7.0.20/Zend/zend_gc.h:149
    #9 0x11c7be1 in i_free_compiled_variables /tmp/php-7.0.20/Zend/zend_execute.c:2080
    #10 0x11c7be1 in zend_leave_helper_SPEC /tmp/php-7.0.20/Zend/zend_vm_execute.h:470
    #11 0x11fa6bd in ZEND_RETURN_SPEC_CONST_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:3136
    #12 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #13 0x11c72d1 in zend_execute /tmp/php-7.0.20/Zend/zend_vm_execute.h:458
    #14 0x104226f in zend_execute_scripts /tmp/php-7.0.20/Zend/zend.c:1443
    #15 0xe2ce69 in php_execute_script /tmp/php-7.0.20/main/main.c:2492
    #16 0x147143b in do_cli /tmp/php-7.0.20/sapi/cli/php_cli.c:977
    #17 0x14740c1 in main /tmp/php-7.0.20/sapi/cli/php_cli.c:1347
    #18 0x7f3afd69082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f3aff334602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xf726d1 in __zend_malloc /tmp/php-7.0.20/Zend/zend_alloc.c:2864
    #2 0xf6f166 in _emalloc /tmp/php-7.0.20/Zend/zend_alloc.c:2457
    #3 0xf7c25e in zend_string_alloc Zend/zend_string.h:121
    #4 0xf7c25e in zend_concat3 /tmp/php-7.0.20/Zend/zend_compile.c:731
    #5 0xf7c466 in zend_concat_names /tmp/php-7.0.20/Zend/zend_compile.c:742
    #6 0xf7c668 in zend_prefix_with_ns /tmp/php-7.0.20/Zend/zend_compile.c:748
    #7 0xf7d295 in zend_resolve_non_class_name /tmp/php-7.0.20/Zend/zend_compile.c:821
    #8 0xf7d4a7 in zend_resolve_const_name /tmp/php-7.0.20/Zend/zend_compile.c:833
    #9 0xfcd01b in zend_compile_const_expr_const /tmp/php-7.0.20/Zend/zend_compile.c:6965
    #10 0xfcdb07 in zend_compile_const_expr /tmp/php-7.0.20/Zend/zend_compile.c:7021
    #11 0xfcdb60 in zend_const_expr_to_zval /tmp/php-7.0.20/Zend/zend_compile.c:7037
    #12 0xfabe01 in zend_compile_params /tmp/php-7.0.20/Zend/zend_compile.c:4571
    #13 0xfb0d91 in zend_compile_func_decl /tmp/php-7.0.20/Zend/zend_compile.c:4968
    #14 0xfce75f in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7151
    #15 0xfaa532 in zend_compile_stmt_list /tmp/php-7.0.20/Zend/zend_compile.c:4429
    #16 0xfce5f2 in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7095
    #17 0xfb680f in zend_compile_class_decl /tmp/php-7.0.20/Zend/zend_compile.c:5376
    #18 0xfce7af in zend_compile_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7163
    #19 0xfcdfb7 in zend_compile_top_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7069
    #20 0xfcdf5f in zend_compile_top_stmt /tmp/php-7.0.20/Zend/zend_compile.c:7064
    #21 0xed1af9 in compile_file Zend/zend_language_scanner.l:608
    #22 0xa4b394 in phar_compile_file /tmp/php-7.0.20/ext/phar/phar.c:3337
    #23 0xed25dd in compile_filename Zend/zend_language_scanner.l:649
    #24 0x136aec8 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER /tmp/php-7.0.20/Zend/zend_vm_execute.h:29518
    #25 0x11c5546 in execute_ex /tmp/php-7.0.20/Zend/zend_vm_execute.h:414
    #26 0xfe7e79 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:867
    #27 0x10f7df2 in zend_call_method /tmp/php-7.0.20/Zend/zend_interfaces.c:104
    #28 0xb4da85 in zif_spl_autoload_call /tmp/php-7.0.20/ext/spl/php_spl.c:421
    #29 0xfe8486 in zend_call_function /tmp/php-7.0.20/Zend/zend_execute_API.c:887
    #30 0xfeb72b in zend_lookup_class_ex /tmp/php-7.0.20/Zend/zend_execute_API.c:1049

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-7.0.20/Zend/zend_types.h:812 zval_refcount_p
Shadow bytes around the buggy address:
  0x0c0e800282d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e800282e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e800282f0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e80028300: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e80028310: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x0c0e80028320: 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd fd fd
  0x0c0e80028330: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e80028340: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e80028350: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e80028360: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e80028370: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==1994==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-08-24 14:02 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-08-24 14:02 UTC] cmb@php.net

Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-09-05 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 02:01:34 2025 UTC