ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client #11177

lucasnetau · 2023-05-02T12:55:22Z

Description

The following code with ASAN enabled:

<?php
$socket = stream_socket_server("tcp://0.0.0.0:8080", $errno, $errstr);
$conn = stream_socket_accept($socket, -1);
fclose($conn);
fclose($socket);

Resulted in this output:

/php-debug/php-8.2.5/ext/standard/streamsfuncs.c:278:9: runtime error: -1e+06 is outside the range of representable values of type 'unsigned long long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-debug/php-8.2.5/ext/standard/streamsfuncs.c:278:9 in 
Abort trap: 6

But I expected this output instead:

With the offending line being in stream_socket_accept modifying the timeout value and assigning a negative value to an unsigned long long (php_timeout_ull)

	/* prepare the timeout value for use */
	conv = (php_timeout_ull) (timeout * 1000000.0);

The same code and ASAN error can also be seen in stream_socket_client

PHP Version

PHP 8.2.5

Operating System

No response

The text was updated successfully, but these errors were encountered:

nielsdos · 2023-05-02T20:56:40Z

Reproducible with Clang, not GCC strangely.

…viour A negative value like -1 may overflow and cause incorrect results in the timeout variable, which causes an immediate timeout. As this is caused by undefined behaviour the exact behaviour depends on the compiler, its version, and the platform. A large overflow is also possible, if an extremely large timeout value is passed we also set an indefinite timeout. This is because the timeout value is at least a 64-bit number and waiting for UINT64_MAX/1000000 seconds is waiting about 584K years.

A negative value like -1 may overflow and cause incorrect results in the timeout variable, which causes an immediate timeout. As this is caused by undefined behaviour the exact behaviour depends on the compiler, its version, and the platform. A large overflow is also possible, if an extremely large timeout value is passed we also set an indefinite timeout. This is because the timeout value is at least a 64-bit number and waiting for UINT64_MAX/1000000 seconds is waiting about 584K years. Closes GH-11183.

* PHP-8.1: Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

* PHP-8.2: Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

lucasnetau added Bug Status: Needs Triage labels May 2, 2023

nielsdos added the Category: Streams label May 2, 2023

nielsdos mentioned this issue May 2, 2023

Stream Socket Timeout #11175

Closed

nielsdos added Status: Verified and removed Status: Needs Triage labels May 2, 2023

nielsdos mentioned this issue May 2, 2023

Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour #11183

Closed

nielsdos linked a pull request May 2, 2023 that will close this issue

Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour #11183

Closed

nielsdos closed this as completed May 3, 2023

pronskiy mentioned this issue Jun 6, 2023

Add Roundup #13 ThePHPF/thephp.foundation#90

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client #11177

ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client #11177

ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client #11177

ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client #11177

Comments

Description

PHP Version

Operating System