
heap-buffer-overflow ext/opcache/jit/zend_jit.c:3455:10 in zend_jit_script #18639

Open

@YuanchengJiang

Description

The following code:

Resulted in this output:

=================================================================
==3229307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000931f0 at pc 0x702e3d0e1d13 bp 0x7ffea07a0df0 sp 0x7ffea07a0de8
READ of size 8 at 0x60e0000931f0 thread T0
    #0 0x702e3d0e1d12 in zend_jit_script /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:3455:10
    #1 0x702e3c96fe76 in zend_accel_script_persist /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/zend_persist.c:1447:4
    #2 0x702e3ca51eba in preload_script_in_shared_memory /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:4440:26
    #3 0x702e3ca38c3e in accel_preload /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:4731:26
    #4 0x702e3ca2ce6a in accel_finish_startup_preload /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:4856:7
    #5 0x702e3ca0cde7 in accel_finish_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:5006:10
    #6 0x702e3c9ff13f in accel_post_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/ZendAccelerator.c:3437:6
    #7 0x579cd64 in zend_post_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1108:7
    #8 0x3f9fdff in php_module_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2343:6
    #9 0x57ccb68 in php_cli_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:398:9
    #10 0x57c0a99 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1330:6
    #11 0x702e4463ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x702e4463ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x606164 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606164)

0x60e0000931f0 is located 16 bytes to the left of 160-byte region [0x60e000093200,0x60e0000932a0)
allocated by thread T0 here:
    #0 0x68102d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68102d)
    #1 0x4684bb9 in zend_register_functions /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:3078:18
    #2 0x4699cbb in do_register_internal_class /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:3493:3
    #3 0x469902e in zend_register_internal_class_with_flags /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:3527:37
    #4 0x5407c59 in register_class_InternalIterator /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_interfaces_arginfo.h:197:16
    #5 0x5400d2d in zend_register_interfaces /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_interfaces.c:671:30
    #6 0x49578b8 in zend_register_default_classes /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_default_classes.c:34:2
    #7 0x474f412 in zm_startup_core /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_builtin_functions.c:38:2
    #8 0x4677c7a in zend_startup_module_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2435:7
    #9 0x467d1ee in zend_startup_module_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2450:10
    #10 0x5298293 in zend_hash_apply /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_hash.c:2084:13
    #11 0x467c41b in zend_startup_modules /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:2573:2
    #12 0x3f9f752 in php_module_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2306:2
    #13 0x57ccb68 in php_cli_startup /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:398:9
    #14 0x57c0a99 in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1330:6
    #15 0x702e4463ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:3455:10 in zend_jit_script
Shadow bytes around the buggy address:
  0x0c1c8000a5e0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c8000a5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c8000a600: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c8000a610: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c1c8000a620: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c8000a630: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa[fa]fa
  0x0c1c8000a640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c8000a650: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c8000a660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c8000a670: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c8000a680: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3229307==ABORTING

To reproduce:

./php-src/sapi/cli/php  -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "opcache.enable_cli=1" -d "opcache.preload=/home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/preload_gh18567.inc" -d "opcache.jit=1255" ./test.php

Commit:

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Operating System

No response
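
The report above, read by an added triage helper (this code is not from the php-src issue, from the FlowFusion fuzzer, or from php-src itself): it parses the fields a triager keys on (error kind, access type and size, faulting address, the stack at the access, the allocation ASan matched and the stack at its allocation site) and recomputes the access offset from the raw addresses instead of trusting the prose line. For this report that confirms the "16 bytes to the left of 160-byte region" statement and the `fa` (heap left redzone) shadow byte: an 8-byte read starting 16 bytes before a 160-byte malloc made in zend_register_functions, i.e. a heap underflow rather than an over-read past the end. SAMPLE_REPORT is an excerpt of the report above with the stacks trimmed; the regex names, the RUNTIME_FUNCS skip list and the classification labels are my own choices, not ASan or php-src terminology.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the report in the issue above (sample input), trimmed to the first two frames of each stack.
SAMPLE_REPORT = """\
==3229307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000931f0 at pc 0x702e3d0e1d13 bp 0x7ffea07a0df0 sp 0x7ffea07a0de8
READ of size 8 at 0x60e0000931f0 thread T0
    #0 0x702e3d0e1d12 in zend_jit_script /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:3455:10
    #1 0x702e3c96fe76 in zend_accel_script_persist /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/zend_persist.c:1447:4

0x60e0000931f0 is located 16 bytes to the left of 160-byte region [0x60e000093200,0x60e0000932a0)
allocated by thread T0 here:
    #0 0x68102d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68102d)
    #1 0x4684bb9 in zend_register_functions /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.c:3078:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit.c:3455:10 in zend_jit_script
"""

HEX = r"0x[0-9a-fA-F]+"
ERROR_RE = re.compile(rf"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>{HEX})")
ACCESS_RE = re.compile(rf"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>{HEX})")
FRAME_RE = re.compile(rf"^\s*#\d+ (?P<pc>{HEX}) in (?P<func>\S+) (?P<loc>.+)$")
REGION_RE = re.compile(rf"^{HEX} is located (?P<dist>\d+) bytes (?P<side>to the left of|to the right of|inside of) "
                       rf"(?P<size>\d+)-byte region \[(?P<start>{HEX}),(?P<end>{HEX})\)")
ALLOC_RE = re.compile(r"allocated by thread")  # frames after this line are the allocation site
RUNTIME_FUNCS = ("malloc", "calloc", "realloc", "free", "__interceptor_")  # allocator/interceptor frames to skip

@dataclass
class Frame:
    pc: int
    func: str
    location: str  # "file.c:line:col", or "(binary+offset)" when unsymbolized

@dataclass
class AsanReport:
    kind: str                            # e.g. "heap-buffer-overflow"
    address: int                         # faulting address
    access: str = "?"                    # "READ" or "WRITE"
    size: int = 0                        # bytes accessed
    region_start: Optional[int] = None   # [region_start, region_end) of the allocation ASan matched
    region_end: Optional[int] = None
    stated_offset: Optional[int] = None  # offset implied by ASan's "N bytes to the left/right/inside of" prose
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def region_size(self) -> Optional[int]:
        return None if self.region_start is None else self.region_end - self.region_start

    @property
    def offset(self) -> Optional[int]:
        """Faulting address relative to the region start, recomputed from the raw addresses (negative = before it)."""
        return None if self.region_start is None else self.address - self.region_start

    def classify(self) -> str:
        if self.offset is None:
            return "unknown"
        if self.offset < 0:
            return "underflow"
        return "overflow" if self.offset + self.size > self.region_size else "in-bounds"  # in-bounds = parse error

    def prose_matches_addresses(self) -> bool:
        return self.stated_offset is not None and self.stated_offset == self.offset

def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    current: List[Frame] = []
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report = AsanReport(kind=m["kind"], address=int(m["addr"], 16))
            current = report.access_stack
        elif report is None:
            continue  # anything before the report header is noise
        elif m := ACCESS_RE.match(line):
            report.access, report.size = m["access"], int(m["size"])
        elif m := FRAME_RE.match(line):
            current.append(Frame(int(m["pc"], 16), m["func"], m["loc"]))
        elif m := REGION_RE.match(line):
            report.region_start, report.region_end = int(m["start"], 16), int(m["end"], 16)
            dist, size = int(m["dist"]), int(m["size"])
            report.stated_offset = {"to the left of": -dist, "to the right of": size + dist, "inside of": dist}[m["side"]]
        elif ALLOC_RE.search(line):
            current = report.alloc_stack
    if report is None or report.access == "?":
        raise ValueError("no AddressSanitizer access report found")
    return report

def culprit(stack: List[Frame]) -> Optional[Frame]:
    """First frame outside the allocator/interceptor layer, i.e. the project code to look at."""
    return next((f for f in stack if not f.func.startswith(RUNTIME_FUNCS)), None)

def triage_line(report: AsanReport) -> str:
    """One-line summary of the kind a fuzzing triage queue would key on."""
    def where(f: Optional[Frame]) -> str:
        return f"{f.func} ({f.location})" if f else "unknown"
    return (f"{report.kind}: {report.access} of {report.size} bytes at offset {report.offset} "
            f"of a {report.region_size}-byte allocation [{report.classify()}]; "
            f"faulting code {where(culprit(report.access_stack))}; allocated in {where(culprit(report.alloc_stack))}")
```

Feeding the full report text to parse_asan_report works the same way; the shadow-byte dump and legend match none of the patterns and are skipped. prose_matches_addresses is the check worth keeping in a triage pipeline: ASan's prose offset and the raw addresses are produced by different code paths in the runtime, so a disagreement between them means the report was mis-parsed (or truncated), not that the bug is different.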
