Stack buffer underflow when executing copy() #13903

Closed
@YuanchengJiang

Description

The following code:

<?php
// Object whose destructor prints when it is released
class C {
    public function __destruct() {
        echo __METHOD__, "\n";
    }
}
// Suspend the running fiber from inside a nested call
function f() {
    Fiber::suspend();
}
$fiber = new Fiber(function () {
    $c = new C();
    // Keep a reference to the running fiber in its own local scope
    $fiber = Fiber::getCurrent();
    // Force symbol table
    get_defined_vars();
    f();
});
print "1\n";
// Run the fiber until it suspends inside f()
$fiber->start();
gc_collect_cycles();
print "2\n";
// Drop the outer reference while the fiber is still suspended
$fiber = null;
gc_collect_cycles();
print "3\n";
// Append 0x200 random bytes to the source file, then copy it
$src = __DIR__ . "/bug81145_src.bin";
$dst = __DIR__ . "/bug81145_dst.bin";
define('SIZE_4G', 0x100000000);
$fp = fopen($src, "ab");
fwrite($fp, random_bytes(0x200));
fclose($fp);
copy($src, $dst);
?>

Resulted in this output:

==1888107==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f8c128e4e40 at pc 0x562a5c420398 bp 0x7ffe1d212bb0 sp 0x7ffe1d212388
READ of size 536870912 at 0x7f8c128e4e40 thread T0
    #0 0x562a5c420397 in __interceptor_write (/php-src/sapi/cli/php+0x1c20397) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5)
    #1 0x562a5e1e122f in php_stdiop_write /php-src/main/streams/plain_wrapper.c:359:27
    #2 0x562a5e1aaf11 in _php_stream_write_buffer /php-src/main/streams/streams.c:1175:23
    #3 0x562a5e1a50e0 in _php_stream_write /php-src/main/streams/streams.c:1305:11
    #4 0x562a5e1b16bf in _php_stream_copy_to_stream_ex /php-src/main/streams/streams.c:1729:16
    #5 0x562a5dc7e400 in php_copy_file_ctx /php-src/ext/standard/file.c:1614:9
    #6 0x562a5dc7d7e5 in zif_copy /php-src/ext/standard/file.c:1510:6
    #7 0x562a5eb90434 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /php-src/Zend/zend_vm_execute.h:1287:2
    #8 0x562a5e72f757 in execute_ex /php-src/Zend/zend_vm_execute.h:57144:7
    #9 0x562a5e730b22 in zend_execute /php-src/Zend/zend_vm_execute.h:62776:2
    #10 0x562a5e57c8c8 in zend_execute_script /php-src/Zend/zend.c:1896:3
    #11 0x562a5e0e6586 in php_execute_script_ex /php-src/main/main.c:2499:13
    #12 0x562a5e0e6e28 in php_execute_script /php-src/main/main.c:2539:9
    #13 0x562a5f4ad293 in do_cli /php-src/sapi/cli/php_cli.c:966:5
    #14 0x562a5f4a9822 in main /php-src/sapi/cli/php_cli.c:1340:18
    #15 0x7f8c191a9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7f8c191a9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x562a5c4031e4 in _start (/php-src/sapi/cli/php+0x1c031e4) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5)

Address 0x7f8c128e4e40 is a wild pointer inside of access range of size 0x000020000000.
SUMMARY: AddressSanitizer: stack-buffer-underflow (/php-src/sapi/cli/php+0x1c20397) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5) in __interceptor_write
Shadow bytes around the buggy address:
  0x0ff202514970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2025149c0: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 f2 f2
  0x0ff2025149d0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0ff2025149e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1888107==ABORTING

To reproduce:

/php-src/sapi/cli/php  -n -c '/php-src/tmp-php.ini'   -d "opcache.cache_id=worker14" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/php-src/modules/" -d "zend_extension=/php-src/modules/opcache.so" -d "session.auto_start=0" -f "./test.php"  2>&1

PHP Version

PHP 8.4.0-dev

Operating System

Ubuntu 22.04
