Member access within null pointer in ext/standard/basic_functions.c

[YuanchengJiang]

Description

The following code:

<?php
class Logger {
public function __construct() {
register_shutdown_function(function () {
$this->flush();
register_shutdown_function([$this, 'flush'], true);
});
}
public function flush($final = false) {
}
}
for ($i = 0; $i < 200; $script1_dataflow++) {
$a = new Logger();
}
var_fusion($script1_connect, $script2_connect, $random_var);

Resulted in this output:

/php-src/ext/standard/basic_functions.c:1586:55: runtime error: member access within null pointer of type 'php_shutdown_function_entry' (aka 'struct _php_shutdown_function_entry')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/standard/basic_functions.c:1586:55

Valgrind result:

==789315== Invalid read of size 8
==789315==    at 0x82F69C: zend_fcall_info_args_clear (zend_API.c:4216)
==789315==    by 0x680D12: user_shutdown_function_dtor (basic_functions.c:1586)
==789315==    by 0x83A3AB: zend_hash_destroy (zend_hash.c:1736)
==789315==    by 0x681112: php_free_shutdown_functions (basic_functions.c:1678)
==789315==    by 0x76B949: php_request_shutdown (main.c:1873)
==789315==    by 0x9AA0E3: do_cli (php_cli.c:1136)
==789315==    by 0x9AA5F0: main (php_cli.c:1340)
==789315==  Address 0x20 is not stack'd, malloc'd or (recently) free'd

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[petk]

I've also reproduced this on PHP-8.2.

Edit: Correction, on PHP-8.2 there are only warnings due to the PHP code in this script. The segmentation fault happens on current master branch (PHP-8.4-dev) only then.

[devnexen]

Thanks @YuanchengJiang (again), do you think it would be possible to get a simpler/smaller reproducer ?

[YuanchengJiang]

yes. I will update a smaller reproducer later

[devnexen]

even with the actual reproducer, can t trigger the issue, is a relatively recent git pull in your side ?

[petk]

even with the actual reproducer, can t trigger the issue, is a relatively recent git pull in your side ?

I've checked on Ubuntu with the latest Git master branch now and segmentation fault happens. Is this Ubuntu related? And I've also checked if some of those dependencies changes (ZEND_MOD_REQUIRED) order was problematic but doesn't seem to be. I've only run this: ./sapi/cli/php test.php so no -d options are added. If adding -d memory_limit=2M then it works ok I think.

[YuanchengJiang]

I have updated the reproducer. Interestingly, I have to rename this PHP to aaaaaa.php or a longer name in my env to reproduce this issue ;)

Perhaps you need to fuzz the file name length to trigger this bug