
UAF with zend_test opline observer and magic_quotes_gpc=1 #17938

Closed
@YuanchengJiang

Description

The following code:

Resulted in this output:

=================================================================
==1565179==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000cb68 at pc 0x0000037c79f3 bp 0x7ffe3d4cf290 sp 0x7ffe3d4cf288
READ of size 8 at 0x61200000cb68 thread T0
    #0 0x37c79f2 in zend_test_custom_free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zend_test/test.c:689:16
    #1 0x45dfded in zend_mm_shutdown /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:2418:4
    #2 0x45f2816 in alloc_globals_dtor /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:3065:2
    #3 0x3f491d1 in ts_free_resources /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:170:5
    #4 0x3f489f2 in tsrm_shutdown /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:204:5
    #5 0x57aaa08 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1367:2
    #6 0x7f7dbedbdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f7dbedbde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

0x61200000cb68 is located 168 bytes inside of 280-byte region [0x61200000cac0,0x61200000cbd8)
freed by thread T0 here:
    #0 0x680dd2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680dd2)
    #1 0x3f4948c in ts_free_resources /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:174:5
    #2 0x3f489f2 in tsrm_shutdown /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:204:5
    #3 0x57aaa08 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1367:2
    #4 0x7f7dbedbdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x68103d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68103d)
    #1 0x3f4ad31 in tsrm_update_active_threads /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:262:32
    #2 0x3f4a33a in ts_allocate_id /home/phpfuzz/WorkSpace/flowfusion/php-src/TSRM/TSRM.c:306:2
    #3 0x4642f01 in zend_startup_module_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2421:3
    #4 0x464894e in zend_startup_module_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2445:10
    #5 0x5288ea3 in zend_hash_apply /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_hash.c:2085:13
    #6 0x4647b7b in zend_startup_modules /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2568:2
    #7 0x3f7dd42 in php_module_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2296:2
    #8 0x57b5fb8 in php_cli_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:399:9
    #9 0x57a9fd9 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1315:6
    #10 0x7f7dbedbdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zend_test/test.c:689:16 in zend_test_custom_free
Shadow bytes around the buggy address:
  0x0c247fff9910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff9920: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9950: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fff9960: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c247fff9970: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c247fff9980: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff99a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff99b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1565179==ABORTING

To reproduce:

./php-src/sapi/cli/php  -d "magic_quotes_gpc=1" ./test.php

Commit:

49d798abcc13cc001b1dbf878bbc76982b079b11

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

49d798a

Operating System

No response
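
Added note and model, not part of the FlowFusion report or of php-src: the ASan trace shows the freed block being allocated through ts_allocate_id during module startup and released at TSRM.c:174, inside the same ts_free_resources loop whose line 170 is still running a later resource's destructor (alloc_globals_dtor -> zend_mm_shutdown -> zend_test_custom_free). My reading is that per-thread resources are destroyed and freed one at a time, and the allocator's custom free hook, installed by zend_test, reaches into zend_test's own globals after that resource has already been freed. The C program below reproduces that ordering hazard in a self-contained, hypothetical resource table (all names and structures are invented for the illustration; an alive flag stands in for the dereference that ASan flagged, so the program itself has no undefined behaviour) and shows two ways of making the teardown safe.

```c
/* Hypothetical model of a per-thread resource table torn down in reverse
 * registration order, freeing each resource right after its destructor.
 * The allocator's globals (registered first) are destroyed last, and their
 * destructor calls a free hook that reads an extension's globals which an
 * earlier iteration has already freed. Not php-src code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { RES_ALLOC = 0, RES_TEST = 1, N_RES = 2 };   /* lower id = registered earlier */

typedef struct resource {
    void *storage;
    bool  alive;                            /* bookkeeping only: false once storage is freed */
    void (*dtor)(struct resource *self);
} resource;

typedef struct { int frees_seen; } test_globals;              /* the extension's globals */
typedef struct { void (*custom_free)(void); } alloc_globals;  /* the allocator's globals */

static resource table[N_RES];
static int faults;      /* hook calls that found the extension globals already freed */
static int hook_calls;  /* hook calls that ran against live globals */

/* Free hook the extension installs into the allocator at startup. It reaches
 * its own globals through the resource table; without the alive check this
 * dereference is the use-after-free pattern from the trace. */
static void test_custom_free(void) {
    resource *r = &table[RES_TEST];
    if (!r->alive) { faults++; return; }
    ((test_globals *)r->storage)->frees_seen++;
    hook_calls++;
}

static void test_globals_dtor(resource *self) { (void)self; }

/* Allocator teardown releases its remaining memory through the hook. */
static void alloc_globals_dtor(resource *self) {
    alloc_globals *ag = self->storage;
    if (ag->custom_free) ag->custom_free();
}

static void startup(void) {
    alloc_globals *ag = calloc(1, sizeof *ag);
    test_globals  *tg = calloc(1, sizeof *tg);
    if (!ag || !tg) abort();
    table[RES_ALLOC] = (resource){ ag, true, alloc_globals_dtor };
    table[RES_TEST]  = (resource){ tg, true, test_globals_dtor };
    ag->custom_free = test_custom_free;   /* extension hooks the allocator */
    faults = hook_calls = 0;
}

static void release(resource *r) {
    free(r->storage);
    r->storage = NULL;
    r->alive = false;
}

/* Buggy order: destroy-then-free per resource, highest id first. The test
 * globals are gone before the allocator's dtor runs the hook. Returns faults. */
static int shutdown_free_in_place(void) {
    startup();
    for (int i = N_RES - 1; i >= 0; i--) {
        table[i].dtor(&table[i]);
        release(&table[i]);
    }
    return faults;
}

/* Fix A: run every destructor first, free storage only afterwards. */
static int shutdown_two_phase(void) {
    startup();
    for (int i = N_RES - 1; i >= 0; i--) table[i].dtor(&table[i]);
    for (int i = N_RES - 1; i >= 0; i--) release(&table[i]);
    return faults;
}

/* Fix B: the extension unhooks itself in its own destructor, before its
 * globals are freed. The hook then no longer runs during allocator shutdown. */
static void test_globals_dtor_unhook(resource *self) {
    (void)self;
    ((alloc_globals *)table[RES_ALLOC].storage)->custom_free = NULL;
}

static int shutdown_unhook(void) {
    startup();
    table[RES_TEST].dtor = test_globals_dtor_unhook;
    for (int i = N_RES - 1; i >= 0; i--) {
        table[i].dtor(&table[i]);
        release(&table[i]);
    }
    return faults;
}

static int hook_calls_after_last_shutdown(void) { return hook_calls; }

int main(void) {
    int f = shutdown_free_in_place();
    printf("free-in-place: faults=%d\n", f);
    f = shutdown_two_phase();
    printf("two-phase:     faults=%d hook_calls=%d\n", f, hook_calls_after_last_shutdown());
    f = shutdown_unhook();
    printf("unhook:        faults=%d hook_calls=%d\n", f, hook_calls_after_last_shutdown());
    return 0;
}
```

The two fixes differ in what the hook still observes: the two-phase teardown keeps the hook alive through allocator shutdown, while unhooking in the extension's destructor silently drops those final free notifications. Which is acceptable depends on whether the hook is only observing (as a test helper would) or is responsible for actually releasing memory.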
