Delay notice emission until end of opcode

This is a prototype for fixing a long-standing source of interrupt
vulnerabilities: A notice is emitted during execution of an opcode,
resulting in an error handling being run. The error handler modifies
some data structure the opcode is working on, resulting in UAF or
other memory corruption.

The idea here is to instead collect notices and only process them
after the opcode. This is implemented similarly to exception
handling, by switching to a ZEND_HANDLE_DELAYED_ERROR opcode,
which will then switch back to the normal opcode stream.

Unfortunately, what this prototype implements is not sufficient.
Opcodes that acquire direct (INDIRECT) references to zvals require
that no interrupts occur between the producing and the consuming
opcode. Chains of W/RW opcodes should be executed without interrupt.
Currently, the notice is only delayed until after the first opcode,
which still results in an illegal interrupt (bug78598.phpt shows
a UAF with this change).

I'm not sure how to best handle that issue.

Author: nikic

Zend/zend.c

@@ -667,6 +667,18 @@ static void zend_init_exception_op(void) /* {{{ */
 }
 /* }}} */
 
+static void zend_init_delayed_error_op(void) /* {{{ */
+{
+	memset(EG(delayed_error_op), 0, sizeof(EG(delayed_error_op)));
+	EG(delayed_error_op)[0].opcode = ZEND_HANDLE_DELAYED_ERROR;
+	ZEND_VM_SET_OPCODE_HANDLER(EG(delayed_error_op));
+	EG(delayed_error_op)[1].opcode = ZEND_HANDLE_DELAYED_ERROR;
+	ZEND_VM_SET_OPCODE_HANDLER(EG(delayed_error_op)+1);
+	EG(delayed_error_op)[2].opcode = ZEND_HANDLE_DELAYED_ERROR;
+	ZEND_VM_SET_OPCODE_HANDLER(EG(delayed_error_op)+2);
+}
+/* }}} */
+
 static void zend_init_call_trampoline_op(void) /* {{{ */
 {
 	memset(&EG(call_trampoline_op), 0, sizeof(EG(call_trampoline_op)));
@@ -781,6 +793,7 @@ static void executor_globals_ctor(zend_executor_globals *executor_globals) /* {{
 	zend_copy_constants(executor_globals->zend_constants, GLOBAL_CONSTANTS_TABLE);
 	zend_init_rsrc_plist();
 	zend_init_exception_op();
+	zend_init_delayed_error_op();
 	zend_init_call_trampoline_op();
 	memset(&executor_globals->trampoline, 0, sizeof(zend_op_array));
 	executor_globals->capture_warnings_during_sccp = 0;
@@ -1020,6 +1033,7 @@ void zend_startup(zend_utility_functions *utility_functions) /* {{{ */
 #ifndef ZTS
 	zend_init_rsrc_plist();
 	zend_init_exception_op();
+	zend_init_delayed_error_op();
 	zend_init_call_trampoline_op();
 #endif
 
@@ -1704,6 +1718,26 @@ ZEND_API void zend_free_recorded_errors(void)
 	EG(num_errors) = 0;
 }
 
+ZEND_API ZEND_COLD void zend_error_delayed(int type, const char *format, ...) {
+	ZEND_ASSERT(!(type & E_FATAL_ERRORS) && "Cannot delay fatal error");
+	zend_error_info *info = emalloc(sizeof(zend_error_info));
+	info->type = type;
+	get_filename_lineno(type, &info->filename, &info->lineno);
+	zend_string_addref(info->filename);
+
+	va_list args;
+	va_start(args, format);
+	info->message = zend_vstrpprintf(0, format, args);
+	va_end(args);
+
+	zend_hash_next_index_insert_ptr(&EG(delayed_errors), info);
+
+	if (EG(current_execute_data)->opline != EG(delayed_error_op)) {
+		EG(opline_before_exception) = EG(current_execute_data)->opline;
+		EG(current_execute_data)->opline = EG(delayed_error_op);
+	}
+}
+
 ZEND_API ZEND_COLD void zend_throw_error(zend_class_entry *exception_ce, const char *format, ...) /* {{{ */
 {
 	va_list va;

Zend/zend.h

@@ -343,6 +343,9 @@ extern ZEND_API zend_string *(*zend_resolve_path)(zend_string *filename);
 extern ZEND_API zend_result (*zend_post_startup_cb)(void);
 extern ZEND_API void (*zend_post_shutdown_cb)(void);
 
+/* Callback for loading of not preloaded part of the script */
+extern ZEND_API zend_result (*zend_preload_autoload)(zend_string *filename);
+
 ZEND_API ZEND_COLD void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
 ZEND_API ZEND_COLD ZEND_NORETURN void zend_error_noreturn(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
 /* For custom format specifiers like H */
@@ -352,6 +355,7 @@ ZEND_API ZEND_COLD void zend_error_at(int type, zend_string *filename, uint32_t
 ZEND_API ZEND_COLD ZEND_NORETURN void zend_error_at_noreturn(int type, zend_string *filename, uint32_t lineno, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 4, 5);
 ZEND_API ZEND_COLD void zend_error_zstr(int type, zend_string *message);
 ZEND_API ZEND_COLD void zend_error_zstr_at(int type, zend_string *filename, uint32_t lineno, zend_string *message);
+ZEND_API ZEND_COLD void zend_error_delayed(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
 
 ZEND_API ZEND_COLD void zend_throw_error(zend_class_entry *exception_ce, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
 ZEND_API ZEND_COLD void zend_type_error(const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 1, 2);

Zend/zend_execute.c

@@ -2226,6 +2226,11 @@ ZEND_API ZEND_COLD zval* ZEND_FASTCALL zend_undefined_offset_write(HashTable *ht
 	return zend_hash_index_add_new(ht, lval, &EG(uninitialized_zval));
 }
 
+ZEND_API ZEND_COLD void ZEND_FASTCALL zend_undefined_offset_delayed(zend_long lval)
+{
+	zend_error_delayed(E_WARNING, "Undefined array key " ZEND_LONG_FMT, lval);
+}
+
 ZEND_API ZEND_COLD zval* ZEND_FASTCALL zend_undefined_index_write(HashTable *ht, zend_string *offset)
 {
 	zval *retval;
@@ -2495,7 +2500,8 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 					retval = &EG(uninitialized_zval);
 					break;
 				case BP_VAR_RW:
-					retval = zend_undefined_offset_write(ht, hval);
+					zend_undefined_offset_delayed(hval);
+					retval = zend_hash_index_add_new(ht, hval, &EG(uninitialized_zval));
 					break;
 				}
 		} else {

Zend/zend_execute.h

@@ -89,6 +89,7 @@ ZEND_API ZEND_COLD void ZEND_FASTCALL zend_invalid_class_constant_type_error(uin
 ZEND_API ZEND_COLD void ZEND_FASTCALL zend_object_released_while_assigning_to_property_error(const zend_property_info *info);
 
 ZEND_API ZEND_COLD void ZEND_FASTCALL zend_cannot_add_element(void);
+ZEND_API ZEND_COLD void ZEND_FASTCALL zend_undefined_offset_delayed(zend_long lval);
 
 ZEND_API bool zend_verify_scalar_type_hint(uint32_t type_mask, zval *arg, bool strict, bool is_internal_arg);
 ZEND_API ZEND_COLD void zend_verify_arg_error(

Zend/zend_execute_API.c

@@ -201,6 +201,9 @@ void init_executor(void) /* {{{ */
 
 	zend_max_execution_timer_init();
 	zend_fiber_init();
+
+	zend_hash_init(&EG(delayed_errors), 0, NULL, NULL, 0);
+
 	zend_weakrefs_init();
 
 	EG(active) = 1;

Zend/zend_globals.h

@@ -246,6 +246,7 @@ struct _zend_executor_globals {
 	zend_object *exception, *prev_exception;
 	const zend_op *opline_before_exception;
 	zend_op exception_op[3];
+	zend_op delayed_error_op[3];
 
 	struct _zend_module_entry *current_module;
 
@@ -303,6 +304,7 @@ struct _zend_executor_globals {
 	pid_t pid;
 	struct sigaction oldact;
 #endif
+	HashTable delayed_errors;
 
 	void *reserved[ZEND_MAX_RESERVED_RESOURCES];
 };

Zend/zend_vm_def.h

@@ -8090,6 +8090,31 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 	ZEND_VM_DISPATCH_TO_HELPER(zend_dispatch_try_catch_finally_helper, try_catch_offset, current_try_catch_offset, op_num, throw_op_num);
 }
 
+ZEND_VM_HANDLER(204, ZEND_HANDLE_DELAYED_ERROR, ANY, ANY)
+{
+	const zend_op *next_op = EG(opline_before_exception) + 1;
+	if (next_op->opcode == ZEND_OP_DATA) {
+		next_op++;
+	}
+
+	/* Clear EG(delayed_errors), as more errors may be delayed while we are handling these. */
+	HashTable ht;
+	memcpy(&ht, &EG(delayed_errors), sizeof(HashTable));
+	zend_hash_init(&EG(delayed_errors), 0, NULL, NULL, 0);
+
+	zend_error_info *info;
+	ZEND_HASH_FOREACH_PTR(&ht, info) {
+		zend_error_zstr_at(info->type, info->filename, info->lineno, info->message);
+		zend_string_release(info->filename);
+		zend_string_release(info->message);
+		efree(info);
+	} ZEND_HASH_FOREACH_END();
+	zend_hash_destroy(&ht);
+
+	ZEND_VM_SET_NEXT_OPCODE(next_op);
+	ZEND_VM_CONTINUE();
+}
+
 ZEND_VM_HANDLER(150, ZEND_USER_OPCODE, ANY, ANY)
 {
 	USE_OPLINE