UAF in importNode #17224

Closed
YuanchengJiang opened this issue Dec 20, 2024 · 3 comments

Comments

@YuanchengJiang

Description

The following code:

<?php
$aDOM = new DOMDocument();
$fromdom = new DOMDocument();
$fromdom->loadXML('<data xmlns:ai="http://test.org" ai:attr="namespaced" />');
// Take the namespaced attribute from the source document and import it into $aDOM.
$attr = $fromdom->firstChild->attributes->item(0);
$att = $aDOM->importNode($attr);
// $fusion is the same object as $fromdom: load() replaces the libxml document it wraps
// and frees the old one (the xmlFreeDoc call in the ASan report below).
$fusion = $fromdom;
$doc = new DOMDocument;
$fusion->load(__DIR__."/book.xml");
$doc->strictErrorChecking = false;
try {
    $attr = $doc->createAttribute(0);
} catch (DOMException $e) {
}
// Dumping every variable reads each node's nodeName (see the stack trace), which
// touches the namespace that was freed together with the old source document.
var_dump(get_defined_vars());

Resulted in this output:

==4004110==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400006e6a8 at pc 0x000001061359 bp 0x7ffcdd528c30 sp 0x7ffcdd528c28
READ of size 8 at 0x60400006e6a8 thread T0
    #0 0x1061358 in dom_node_get_node_name_attribute_or_element /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/node.c:51:38
    #1 0x1061fd5 in dom_node_node_name_read /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/node.c:91:4
    #2 0x1124dfb in dom_get_debug_info_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:513:7
    #3 0x10cf92c in dom_get_debug_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:536:9
    #4 0x4baabaa in zend_std_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2388:10
    #5 0x4bab8c1 in zend_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2437:9
    #6 0x324a8fa in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:178:11
    #7 0x324cb4e in php_array_element_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:51:2
    #8 0x3249676 in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:152:5
    #9 0x324ea6a in zif_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:245:3
    #10 0x448f009 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1299:2
    #11 0x3f86727 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #12 0x3f889ac in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #13 0x4d1fd59 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #14 0x3531e8a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #15 0x3532fc8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #16 0x4d3406a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #17 0x4d2e54f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #18 0x7fb68871ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fb68871ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

0x60400006e6a8 is located 24 bytes inside of 48-byte region [0x60400006e690,0x60400006e6c0)
freed by thread T0 here:
    #0 0x680592 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680592)
    #1 0x7fb688efdc86 in xmlFreeDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x64c86)

previously allocated by thread T0 here:
    #0 0x6807fd in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6807fd)
    #1 0x7fb688efab0d in xmlNewNs (/lib/x86_64-linux-gnu/libxml2.so.2+0x61b0d)

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/node.c:51:38 in dom_node_get_node_name_attribute_or_element
==4004110==ABORTING

PHP Version

nightly

Operating System

No response

@nielsdos
Member

@YuanchengJiang I strongly suspect you're actually hitting an (old) libxml bug related to tree adoption, not a PHP bug. Please share your libxml version.

@devnexen
Member

Note that, if that helps, I can still reproduce on Debian unstable (libxml2 version 2.12.7).

@nielsdos
Member

Ah okay, I see. I misunderstood the stack trace, and because it didn't reproduce on my system at first I thought it was related to an old libxml bug that I thought I recognized.

@nielsdos nielsdos self-assigned this Dec 21, 2024
@nielsdos nielsdos changed the title UAF in dom UAF in importNode Dec 21, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 21, 2024
Wrong document pointer is used for the namespace copy.
@nielsdos nielsdos linked a pull request Dec 21, 2024 that will close this issue
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 21, 2024
Wrong document pointer is used for the namespace copy.
nielsdos added a commit that referenced this issue Dec 21, 2024
* PHP-8.3:
  Fix GH-17224: UAF in importNode
nielsdos added a commit that referenced this issue Dec 21, 2024
* PHP-8.4:
  Fix GH-17224: UAF in importNode
charmitro pushed a commit to wasix-org/php that referenced this issue Mar 13, 2025
Wrong document pointer is used for the namespace copy.

Closes phpGH-17230.