Engine UAF with reference assign and dtor

[YuanchengJiang]

Description

The following code:

<?php
$map = new WeakMap;
$obj = new stdClass;
$map[$obj] = new class {
function __destruct() {
throw new Exception("Test");
}
};
headers_sent($obj,$generator);

Resulted in this output:

=================================================================
==3449000==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x000004ca3d7b bp 0x7ffe4c5aed40 sp 0x7ffe4c5aec80 T0)
==3449000==The signal is caused by a READ memory access.
==3449000==Hint: address points to the zero page.
    #0 0x4ca3d7b in smart_str_append_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:230:64
    #1 0x3f014e2 in _build_trace_args /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:507:6
    #2 0x3eec6e4 in _build_trace_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:579:5
    #3 0x3eea657 in zend_trace_to_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:605:3
    #4 0x3eeda95 in zim_Exception_getTraceAsString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:635:2
    #5 0x3f30cff in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1016:4
    #6 0x3ef05a6 in zim_Exception___toString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:680:3
    #7 0x3f30cff in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1016:4
    #8 0x3f3678e in zend_call_known_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1097:23
    #9 0x3f05494 in zend_call_known_instance_method /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:860:2
    #10 0x3efebdb in zend_call_known_instance_method_with_0_params /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:866:2
    #11 0x3edd5db in zend_exception_error /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:923:3
    #12 0x4d3bf7f in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1941:11
    #13 0x353f1da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #14 0x3540318 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #15 0x4d4fd8a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #16 0x4d4a26f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #17 0x7f5a24057d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f5a24057e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:230:64 in smart_str_append_zval
==3449000==ABORTING

PHP Version

nightly

Operating System

No response

[nielsdos]

Needs some good old garbage zval:

diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index 59d489f7aee..b1237dfc155 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -1298,8 +1298,10 @@ ZEND_API zend_result zend_try_assign_typed_ref_zval_ex(zend_reference *ref, zval
 		} \
 		_zv = &ref->val; \
 	} \
-	zval_ptr_dtor(_zv); \
+	zval garbage; \
+	ZVAL_COPY_VALUE(&garbage, _zv); \
 	ZVAL_STRING(_zv, string); \
+	zval_ptr_dtor(&garbage); \
 } while (0)
 
 #define ZEND_TRY_ASSIGN_STRING(zv, string) \

And the others need this too, hm :/