
Crash on coercion with throwing __toString() #14969

Closed
iluuu1994 opened this issue Jul 16, 2024 · 0 comments

@iluuu1994 (Member)

Description

The following code:

<?php

class C {
    public function __toString() {
        global $c;
        $c = [];
        throw new Exception();
    }
}

class D {
    public string $prop;
}

$c = new C();
$d = new D();
try {
    $d->prop = $c;
} catch (Exception $e) {}
var_dump($d);

Resulted in this output:

=================================================================
==3196108==ERROR: AddressSanitizer: heap-use-after-free on address 0x50300002ab80 at pc 0x00000160753a bp 0x7fff1764ef70 sp 0x7fff1764ef68
READ of size 4 at 0x50300002ab80 thread T0
    #0 0x1607539 in zend_gc_delref /home/ilutov/Developer/php-src/Zend/zend_types.h:1228
    #1 0x1608118 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:43
    #2 0x160874e in zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.c:84
    #3 0x1682c4b in _zend_hash_del_el_ex /home/ilutov/Developer/php-src/Zend/zend_hash.c:1425
    #4 0x16832e5 in _zend_hash_del_el /home/ilutov/Developer/php-src/Zend/zend_hash.c:1452
    #5 0x168c2ae in zend_hash_graceful_reverse_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1977
    #6 0x159fdc5 in zend_shutdown_executor_values /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:284
    #7 0x15a3a81 in shutdown_executor /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:416
    #8 0x1612f80 in zend_deactivate /home/ilutov/Developer/php-src/Zend/zend.c:1266
    #9 0x13b9b13 in php_request_shutdown /home/ilutov/Developer/php-src/main/main.c:1899
    #10 0x1d4c4f1 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1135
    #11 0x1d4d36e in main %s:%d
    #12 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #13 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #14 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)

0x50300002ab80 is located 0 bytes inside of 32-byte region [0x50300002ab80,0x50300002aba0)
freed by thread T0 here:
    #0 0x7f210c6f6638 in free.part.0 (/lib64/libasan.so.8+0xf6638) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
    #1 0x1508e99 in tracked_free /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2851
    #2 0x1507107 in _efree_custom /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2486
    #3 0x1507414 in _efree /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2606
    #4 0x1608728 in zend_reference_destroy /home/ilutov/Developer/php-src/Zend/zend_variables.c:75
    #5 0x1608308 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #6 0x1608128 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
    #7 0x160874e in zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.c:84
    #8 0x1a8a0d0 in zend_std_write_property /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:893
    #9 0x1928c40 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:41614
    #10 0x19ba9db in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59666
    #11 0x19bf38a in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:60439
    #12 0x16192cf in zend_execute_scripts /home/ilutov/Developer/php-src/Zend/zend.c:1840
    #13 0x13bd096 in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2578
    #14 0x1d4ad18 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:964
    #15 0x1d4d36e in main %s:%d
    #16 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #17 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #18 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)

previously allocated by thread T0 here:
    #0 0x7f210c6f7997 in malloc (/lib64/libasan.so.8+0xf7997) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
    #1 0x1508bd2 in tracked_malloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2832
    #2 0x1506f7d in _malloc_custom /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2477
    #3 0x1507349 in _emalloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2596
    #4 0x193da1d in ZEND_BIND_GLOBAL_SPEC_CV_CONST_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:43386
    #5 0x19bb2c0 in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59758
    #6 0x15acabf in zend_call_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:949
    #7 0x15ae3ca in zend_call_known_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:1043
    #8 0x1a7f85a in zend_call_known_instance_method /home/ilutov/Developer/php-src/Zend/zend_API.h:753
    #9 0x1a7f894 in zend_call_known_instance_method_with_0_params /home/ilutov/Developer/php-src/Zend/zend_API.h:759
    #10 0x1a99302 in zend_std_cast_object_tostring /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:1871
    #11 0x1626c5e in zend_parse_arg_str_weak /home/ilutov/Developer/php-src/Zend/zend_API.c:671
    #12 0x16e6343 in zend_verify_weak_scalar_type_hint /home/ilutov/Developer/php-src/Zend/zend_execute.c:745
    #13 0x16e69b4 in zend_verify_scalar_type_hint /home/ilutov/Developer/php-src/Zend/zend_execute.c:812
    #14 0x16e8432 in i_zend_check_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:947
    #15 0x16e8464 in i_zend_verify_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:952
    #16 0x16e84b5 in zend_verify_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:961
    #17 0x1a8a0b6 in zend_std_write_property /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:892
    #18 0x1928c40 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:41614
    #19 0x19ba9db in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59666
    #20 0x19bf38a in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:60439
    #21 0x16192cf in zend_execute_scripts /home/ilutov/Developer/php-src/Zend/zend.c:1840
    #22 0x13bd096 in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2578
    #23 0x1d4ad18 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:964
    #24 0x1d4d36e in main %s:%d
    #25 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #26 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
    #27 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)

SUMMARY: AddressSanitizer: heap-use-after-free /home/ilutov/Developer/php-src/Zend/zend_types.h:1228 in zend_gc_delref
==3196108==ABORTING

PHP Version

PHP 8.2+

Operating System

No response

@iluuu1994 iluuu1994 self-assigned this Jul 16, 2024
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Jul 16, 2024
This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.

Closes phpGH-14969
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Jul 16, 2024
This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.

Fixes phpGH-14969
Closes phpGH-14971
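Added regression-style check (not from the issue or from php-src) that mirrors the reproducer and covers the two cases the fix commits name, an uninitialized and an initialized typed property write. The class names Uninit/Init and the helper attemptWrite() are assumptions for this example; on a patched build the throwing coercion must leave the property in its prior state, and the script must exit cleanly rather than abort.

```php
<?php
// Regression check for GH-14969: a __toString() that rebinds the global
// holding the object being coerced, then throws mid-coercion.
// After the fix, the failed write must leave the typed property untouched
// for both the uninitialized and the initialized case.

class C {
    public function __toString(): string {
        global $c;
        $c = [];                 // drop the last reference to this object mid-coercion
        throw new Exception('coercion aborted');
    }
}

class Uninit { public string $prop; }             // assumed name: uninitialized case
class Init   { public string $prop = 'before'; }  // assumed name: initialized case

/** Attempt the write and report whether the property kept its prior state. */
function attemptWrite(object $target): array {
    global $c;
    $c = new C();
    $threw = false;
    try {
        $target->prop = $c;      // string coercion invokes C::__toString()
    } catch (Exception $e) {
        $threw = true;
    }
    $rp = new ReflectionProperty($target, 'prop');
    $initialized = $rp->isInitialized($target);
    return [
        'threw'       => $threw,
        'initialized' => $initialized,
        'value'       => $initialized ? $target->prop : null,
    ];
}

function check(string $label, array $got, array $want): void {
    if ($got !== $want) {
        throw new RuntimeException("$label: unexpected state " . var_export($got, true));
    }
}

check('uninitialized', attemptWrite(new Uninit()),
      ['threw' => true, 'initialized' => false, 'value' => null]);
check('initialized', attemptWrite(new Init()),
      ['threw' => true, 'initialized' => true, 'value' => 'before']);
echo "ok\n";
```

Run it under an ASan-instrumented build of each affected branch; an unpatched 8.2 aborts with the heap-use-after-free shown above, a patched build prints "ok".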