UAF in Observer->serialize #16588

Closed

@chibinz

Description

The following code:

<?php

class C {
    function __serialize(): array {
        global $store;
        $store->removeAll($store);
        return [];
    }
}

$store = new SplObjectStorage;
$store[new C] = 1;
$store->serialize();

Resulted in this output:

==954476==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300002a740 at pc 0x55fc12b608a9 bp 0x7ffec6f67c80 sp 0x7ffec6f67c78
READ of size 1 at 0x60300002a740 thread T0
    #0 0x55fc12b608a8 in zval_get_type /tmp/php-asan/Zend/zend_types.h:650:18
    #1 0x55fc12b6fbba in php_add_var_hash /tmp/php-asan/ext/standard/var.c:730:16
    #2 0x55fc12b677ce in php_var_serialize_intern /tmp/php-asan/ext/standard/var.c:1060:33
    #3 0x55fc12b67501 in php_var_serialize /tmp/php-asan/ext/standard/var.c:1321:2
    #4 0x55fc128893b5 in zim_SplObjectStorage_serialize /tmp/php-asan/ext/spl/spl_observer.c:838:3
    #5 0x55fc1309f2d2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
    #6 0x55fc12fb183d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #7 0x55fc12fb2067 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #8 0x55fc133e6860 in zend_execute_script /tmp/php-asan/Zend/zend.c:1932:3
    #9 0x55fc12c04d2b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #10 0x55fc12c05228 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #11 0x55fc133ee309 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #12 0x55fc133eb32c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #13 0x7f3d54629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f3d54629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x55fc11e02de4 in _start (/workspaces/TriFuzz/targets/php-asan/bin/php+0x402de4)

0x60300002a740 is located 16 bytes inside of 24-byte region [0x60300002a730,0x60300002a748)
freed by thread T0 here:
    #0 0x55fc11e87702 in free /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x55fc12e418a3 in __zend_free /tmp/php-asan/Zend/zend_alloc.c:3308:2
    #2 0x55fc12e45774 in _efree /tmp/php-asan/Zend/zend_alloc.c:2747:3
    #3 0x55fc128958aa in spl_object_storage_dtor /tmp/php-asan/ext/spl/spl_observer.c:121:3
    #4 0x55fc1325c479 in _zend_hash_packed_del_val /tmp/php-asan/Zend/zend_hash.c:1461:3
    #5 0x55fc1325f7b0 in zend_hash_index_del /tmp/php-asan/Zend/zend_hash.c:1706:5
    #6 0x55fc12883948 in spl_object_storage_detach /tmp/php-asan/ext/spl/spl_observer.c:225:10
    #7 0x55fc128859f7 in zim_SplObjectStorage_removeAll /tmp/php-asan/ext/spl/spl_observer.c:591:7
    #8 0x55fc1309f2d2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
    #9 0x55fc12fb183d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #10 0x55fc12f8d1ac in zend_call_function /tmp/php-asan/Zend/zend_execute_API.c:996:3
    #11 0x55fc12f8f3b2 in zend_call_known_function /tmp/php-asan/Zend/zend_execute_API.c:1090:23
    #12 0x55fc12b7219a in zend_call_known_instance_method /tmp/php-asan/Zend/zend_API.h:860:2
    #13 0x55fc12b7210b in zend_call_known_instance_method_with_0_params /tmp/php-asan/Zend/zend_API.h:866:2
    #14 0x55fc12b70778 in php_var_serialize_call_magic_serialize /tmp/php-asan/ext/standard/var.c:850:2
    #15 0x55fc12b6833d in php_var_serialize_intern /tmp/php-asan/ext/standard/var.c:1147:10
    #16 0x55fc12b67501 in php_var_serialize /tmp/php-asan/ext/standard/var.c:1321:2
    #17 0x55fc12889386 in zim_SplObjectStorage_serialize /tmp/php-asan/ext/spl/spl_observer.c:836:3
    #18 0x55fc1309f2d2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
    #19 0x55fc12fb183d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #20 0x55fc12fb2067 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #21 0x55fc133e6860 in zend_execute_script /tmp/php-asan/Zend/zend.c:1932:3
    #22 0x55fc12c04d2b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #23 0x55fc12c05228 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #24 0x55fc133ee309 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #25 0x55fc133eb32c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #26 0x7f3d54629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55fc11e879ae in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55fc12e45ce3 in __zend_malloc /tmp/php-asan/Zend/zend_alloc.c:3280:14
    #2 0x55fc12e45670 in _emalloc /tmp/php-asan/Zend/zend_alloc.c:2737:10
    #3 0x55fc1289313f in spl_object_storage_create_element /tmp/php-asan/ext/spl/spl_observer.c:136:42
    #4 0x55fc12892e61 in spl_object_storage_attach_handle /tmp/php-asan/ext/spl/spl_observer.c:172:13
    #5 0x55fc12891678 in spl_object_storage_write_dimension /tmp/php-asan/ext/spl/spl_observer.c:490:2
    #6 0x55fc131f7222 in zend_assign_to_object_dim /tmp/php-asan/Zend/zend_execute.c:1575:2
    #7 0x55fc13009fdf in ZEND_ASSIGN_DIM_SPEC_CV_TMPVAR_OP_DATA_CONST_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:47961:4
    #8 0x55fc12fb183d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #9 0x55fc12fb2067 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #10 0x55fc133e6860 in zend_execute_script /tmp/php-asan/Zend/zend.c:1932:3
    #11 0x55fc12c04d2b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #12 0x55fc12c05228 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #13 0x55fc133ee309 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #14 0x55fc133eb32c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #15 0x7f3d54629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-asan/Zend/zend_types.h:650:18 in zval_get_type
Shadow bytes around the buggy address:
  0x0c067fffd490: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fffd4a0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffd4b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffd4c0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x0c067fffd4d0: fd fd fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
=>0x0c067fffd4e0: 00 00 00 00 fa fa fd fd[fd]fa fa fa 00 00 00 00
  0x0c067fffd4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==954476==ABORTING

PHP Version

PHP 8.5.0-dev

Operating System

No response
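As an added illustration (not code from this report or from php-src), here is a small C model of the pattern the two stack traces show: a serializer that calls into user code (__serialize) while walking a container, where that user code detaches and frees the element the walk still holds. All struct layouts, function names and sample values below are constructed for the example. The hardened variant pins each element with a reference and walks a snapshot; that is one generic fix for this class of reentrancy bug, not a claim about how php-src resolved this issue.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed toy model for this example, not php-src code: elements are
 * heap-allocated like SplObjectStorage's, but the layout is invented here. */
typedef struct element {
    int refcount; /* holders; freed when it drops to zero */
    int id;       /* stands in for the stored object */
    int data;     /* stands in for the associated data value */
} element_t;

#define MAX_ELEMENTS 8

typedef struct storage {
    element_t *slots[MAX_ELEMENTS];
    int count;
} storage_t;

/* Models the user-level __serialize() hook the serializer calls into. */
typedef void (*user_callback_t)(storage_t *store);

static void element_release(element_t *e) {
    if (--e->refcount == 0) free(e);
}

void storage_init(storage_t *s) { memset(s, 0, sizeof *s); }

int storage_attach(storage_t *s, int id, int data) {
    if (s->count >= MAX_ELEMENTS) return -1;
    element_t *e = malloc(sizeof *e);
    if (e == NULL) return -1;
    e->refcount = 1; /* the container's own reference */
    e->id = id;
    e->data = data;
    s->slots[s->count++] = e;
    return 0;
}

/* Models $store->removeAll($store): detaches and drops every element. */
void storage_remove_all(storage_t *s) {
    for (int i = 0; i < s->count; i++) {
        element_release(s->slots[i]);
        s->slots[i] = NULL;
    }
    s->count = 0;
}

/* Vulnerable shape, kept for contrast and never executed here: the element
 * is dereferenced after user code ran with nothing keeping it alive, which
 * is the heap-use-after-free pattern ASan reports above. */
int serialize_unsafe(storage_t *s, user_callback_t hook, int *out, int max) {
    int n = 0;
    for (int i = 0; i < s->count; i++) { /* count also changes under us */
        element_t *e = s->slots[i];
        hook(s);                         /* may call storage_remove_all() */
        if (n < max) out[n] = e->data;   /* reads freed memory if it did */
        n++;
    }
    return n;
}

/* Hardened shape: pin every element with a reference first and walk that
 * snapshot, so user code may mutate the container but cannot free anything
 * the walk still touches. */
int serialize_safe(storage_t *s, user_callback_t hook, int *out, int max) {
    element_t *snapshot[MAX_ELEMENTS];
    int n = s->count;
    for (int i = 0; i < n; i++) {
        snapshot[i] = s->slots[i];
        snapshot[i]->refcount++;         /* our pin outlives any detach */
    }
    int written = 0;
    for (int i = 0; i < n; i++) {
        hook(s);                         /* free to remove_all(); harmless */
        if (written < max) out[written] = snapshot[i]->data;
        written++;
        element_release(snapshot[i]);    /* drop the pin; frees if detached */
    }
    return written;
}

/* Callback modelling class C's __serialize() from the report. */
void remove_all_hook(storage_t *s) { storage_remove_all(s); }

/* Re-runs the report's scenario against the hardened serializer. Returns the
 * number of elements emitted; *remaining receives the container size after. */
int run_report_scenario(int out[MAX_ELEMENTS], int *remaining) {
    storage_t store;
    storage_init(&store);
    storage_attach(&store, 1, 100);
    storage_attach(&store, 2, 200);
    int n = serialize_safe(&store, remove_all_hook, out, MAX_ELEMENTS);
    *remaining = store.count;
    storage_remove_all(&store);          /* cleanup; no-op after the hook */
    return n;
}
```

run_report_scenario() replays the report's sequence (attach, serialize, removeAll from inside the hook) against serialize_safe() and returns the number of elements emitted plus the final container size; with the pins in place the walk finishes with both values intact and the container empty. serialize_unsafe() is included only to show the shape ASan flags and is not called.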
