SEGV zend_smart_str

[YuanchengJiang]

Description

The following code:

<?php
class Foo {
}
$foo = new Foo();
try {zend_delref($foo);} catch (Exception $e) { echo($e); }
try {zend_delref($foo);} catch (Exception $e) { echo($e); }
try {$cls->__call($HTTP_RAW_POST_DATA,$HTTP_RAW_POST_DATA);} catch (Exception $e) { echo($e); }

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64: runtime error: member access within misaligned address 0x00000000001a for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment
0x00000000001a: note: pointer points here
<memory cannot be printed>
    #0 0x572cd42 in smart_str_append_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64
    #1 0x497ac72 in _build_trace_args /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:506:6
    #2 0x4965e74 in _build_trace_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:578:5
    #3 0x4963de7 in zend_trace_to_string /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:604:3
    #4 0x4967225 in zim_Exception_getTraceAsString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:634:2
    #5 0x49aaa8f in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1021:4
    #6 0x4969d36 in zim_Exception___toString /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:679:3
    #7 0x49aaa8f in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1021:4
    #8 0x49b051e in zend_call_known_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1102:23
    #9 0x497ec24 in zend_call_known_instance_method /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:860:2
    #10 0x497836b in zend_call_known_instance_method_with_0_params /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:866:2
    #11 0x4956847 in zend_exception_error /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_exceptions.c:926:3
    #12 0x57c5d8f in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1950:11
    #13 0x3fa5eca in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #14 0x3fa7008 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #15 0x57da79a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #16 0x57d4b7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #17 0x7904e8489d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7904e8489e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_smart_str.c:237:64 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

68665d3cb5dcda5b966fc9edd577581be763ee63

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

68665d3

Operating System

No response

[TimWolla]

zend_delref() was introduced in #18172 and intentionally violates memory-safety. It should be excluded from your fuzzer.

[devnexen]

Ah good to know, I ll try to remember it.

[Girgias]

Going to close this as FONT FIX considering this function is intentionally buggy.