Bug #79919 Stack use-after-scope in define()
Submitted: 2020-07-30 22:03 UTC Modified: 2020-07-31 09:01 UTC
From: srivas41 at purdue dot edu Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.8 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2020-07-30 22:03 UTC] srivas41 at purdue dot edu
Description:
------------
A stack use-after-scope vulnerability exists in `ZEND_FUNCTION(define)`, located in `Zend/zend_builtin_functions.c:876`, and is triggered through the `zval_get_type` function in `Zend/zend_types.h:441`. This can be triggered on PHP-7.4.8 on Ubuntu 18.04 compiled with clang/clang++ v9.0.

# Build instructions

## Download and build PHP-7.4.8
wget https://www.php.net/distributions/php-7.4.8.tar.gz && tar -xf php-7.4.8.tar.gz && cd php-7.4.8

## Setup PHP interpreter
./buildconf --force && CC=clang-9 CXX=clang++-9 CFLAGS="-fsanitize=address -g" ./configure && make -j`nproc`

## Run instructions
./sapi/cli/php -f test_script.php


Test script:
---------------
<?php 
$b=error_log(0);
$b=simplexml_load_string(0,$d,$b);
define(0,$b);
?>


Expected result:
----------------
No stack use-after-scope vulnerability should be reported.

Actual result:
--------------
$ ~/build/php-7.4.8/sapi/cli/php -f minimized_input.php
0

Warning: simplexml_load_string(): Entity: line 1: parser error : Start tag expected, '<' not found in /root/php/minimized_input.php on line 3

Warning: simplexml_load_string(): 0 in /root/minimized_input.php on line 3

Warning: simplexml_load_string(): ^ in /root/minimized_input.php on line 3
=================================================================
==13655==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffffffa1f8 at pc 0x0000010e16d6 bp 0x7fffffffa130 sp 0x7fffffffa128
READ of size 1 at 0x7fffffffa1f8 thread T0
    #0 0x10e16d5 in zval_get_type /root/build/php-7.4.8/Zend/zend_types.h:441:18
    #1 0x10e16d5 in zif_define /root/build/php-7.4.8/Zend/zend_builtin_functions.c:876:10
    #2 0x12e5ce4 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/build/php-7.4.8/Zend/zend_vm_execute.h:1269:2
    #3 0x11b3db7 in execute_ex /root/build/php-7.4.8/Zend/zend_vm_execute.h:53618:7
    #4 0x11b44b8 in zend_execute /root/build/php-7.4.8/Zend/zend_vm_execute.h:57920:2
    #5 0x106db5c in zend_execute_scripts /root/build/php-7.4.8/Zend/zend.c:1678:4
    #6 0xe60581 in php_execute_script /root/build/php-7.4.8/main/main.c:2621:14
    #7 0x137243f in do_cli /root/build/php-7.4.8/sapi/cli/php_cli.c:964:5
    #8 0x136f698 in main /root/build/php-7.4.8/sapi/cli/php_cli.c:1359:18
    #9 0x7ffff6307b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x440909 in _start (/root/build/php-7.4.8/sapi/cli/php+0x440909)

Address 0x7fffffffa1f8 is located in stack of thread T0 at offset 184 in frame
    #0 0x10e095f in zif_define /root/build/php-7.4.8/Zend/zend_builtin_functions.c:850

  This frame has 5 object(s):
    [32, 40) 'name' (line 851)
    [64, 80) 'val_free' (line 852)
    [96, 97) 'non_cs' (line 853)
    [112, 136) 'c' (line 855)
    [176, 192) 'rv' (line 898) <== Memory access at offset 184 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /root/build/php-7.4.8/Zend/zend_types.h:441:18 in zval_get_type
Shadow bytes around the buggy address:
  0x10007fff73e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff73f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7420: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
=>0x10007fff7430: 00 00 f2 f2 01 f2 00 00 00 f2 f2 f2 f2 f2 f8[f8]
  0x10007fff7440: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7460: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13655==ABORTING
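The ASan frame dump above pins the read to `rv`, declared at line 898 of `zif_define` but read at line 876, earlier in the function, so control must have jumped back out of the block that owns `rv` while a pointer to it was still live. The C program below is an added, constructed model of that shape and is not php-src code (the `value` type, the `IS_*` numbers and the `unwrap_to_long` handler are invented for the example): a `switch` with a backward `goto` that re-reads a block-scoped temporary through an escaped pointer, next to the same function with the declaration hoisted to function scope so the object outlives the jump. Built with `clang -fsanitize=address -g`, `classify_buggy` produces a `stack-use-after-scope` report on the type byte, while `classify_fixed` runs clean.

```c
#include <stdio.h>

/* Constructed model of the pattern ASan reported in zif_define(): a
 * value whose address escapes a nested block, followed by a backward
 * `goto` that re-reads it after its scope has ended. Names and numbers
 * are invented for this example; they are not php-src code. */

enum { IS_LONG = 4, IS_STRING = 6, IS_OBJECT = 8 };

typedef struct value value;
struct value {
    unsigned char type;                                  /* the 1-byte tag ASan saw read */
    long lval;
    const value *(*get)(const value *self, value *rv);   /* object "get" handler, may be NULL */
};

/* Hypothetical handler for an object that unwraps to a long. */
const value *unwrap_to_long(const value *self, value *rv) {
    rv->type = IS_LONG;
    rv->lval = self->lval;
    rv->get = NULL;
    return rv;
}

/* Buggy shape: `rv` lives only inside the if-block, but `val` keeps
 * pointing at it after `goto repeat` leaves that block. The switch
 * then reads val->type from a stack slot whose scope has ended. */
int classify_buggy(const value *val) {
repeat:
    switch (val->type) {
    case IS_LONG:
        return (int)val->lval;
    case IS_OBJECT:
        if (val->get) {
            value rv;                 /* scope ends at the closing brace below */
            val = val->get(val, &rv); /* pointer to rv escapes the block */
            goto repeat;              /* jumps back out of rv's scope */
        }
        /* fall through */
    default:
        return -1;
    }
}

/* Fixed shape: hoist `rv` to function scope so it outlives the jump. */
int classify_fixed(const value *val) {
    value rv;
repeat:
    switch (val->type) {
    case IS_LONG:
        return (int)val->lval;
    case IS_OBJECT:
        if (val->get) {
            val = val->get(val, &rv);
            goto repeat;
        }
        /* fall through */
    default:
        return -1;
    }
}

int main(void) {
    value obj = { IS_OBJECT, 42, unwrap_to_long };  /* constructed inputs */
    value str = { IS_STRING, 0, NULL };

    printf("fixed: object -> %d, string -> %d\n",
           classify_fixed(&obj), classify_fixed(&str));

    /* Undefined behaviour: with -fsanitize=address this aborts with a
     * stack-use-after-scope report on the read of val->type. */
    printf("buggy: object -> %d\n", classify_buggy(&obj));
    return 0;
}
```

Without ASan the buggy variant usually "works" because the dead slot has not been reused yet, which is why the reporter's reproducer needed a sanitizer build; the hoisted declaration is the fix for this shape, and for reviews it is worth grepping for `goto` targets that precede a block-scoped variable whose address is stored in a pointer that survives the jump.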

History

 [2020-07-30 22:11 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Scripting Engine problem
 [2020-07-31 07:13 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79919: Stack use-after-scope in define
On GitHub:  https://github.com/php/php-src/pull/5912
Patch:      https://github.com/php/php-src/pull/5912.patch
 [2020-07-31 09:00 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e0bc6e30f9fb327cd06383c8290a8afab1e484d
Log: Fix #79919: Stack use-after-scope in define()
 [2020-07-31 09:00 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2020-07-31 09:01 UTC] cmb@php.net
-Summary: Stack use-after-scope vulnerability in ZEND_FUNCTION(define) +Summary: Stack use-after-scope in define() -Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 29 15:01:25 2020 UTC