Closed
Description
The following code:

sapi/cli/php -d zend_extension=$(pwd)/modules/opcache.so -d opcache.enable_cli=1 -d opcache.protect_memory=1 test.php

<?php
class Test extends ZendAttributeTest {
}
echo "Success";
?>
Resulted in this output:
=================================================================
==759376==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000000 at pc 0x5641f1586a27 bp 0x7ffdd841e720 sp 0x7ffdd841e718
READ of size 8 at 0x60d000000000 thread T0
#0 0x5641f1586a26 in zend_mm_free_heap php-src/Zend/zend_alloc.c:1433:3
#1 0x5641f158c526 in _efree php-src/Zend/zend_alloc.c:2600:2
#2 0x7f199bb6b521 in _zend_shared_memdup php-src/ext/opcache/zend_shared_alloc.c:435:3
#3 0x7f199bb6b596 in zend_shared_memdup_free php-src/ext/opcache/zend_shared_alloc.c:452:9
#4 0x7f199b9e8f50 in zend_hash_persist php-src/ext/opcache/zend_persist.c:125:11
#5 0x7f199b9fa9a9 in zend_persist_attributes php-src/ext/opcache/zend_persist.c:289:2
#6 0x7f199b9f74b0 in zend_persist_class_constant php-src/ext/opcache/zend_persist.c:843:19
#7 0x7f199b9c599c in zend_persist_class_entry php-src/ext/opcache/zend_persist.c:926:4
#8 0x7f199b9400a5 in zend_accel_inheritance_cache_add php-src/ext/opcache/ZendAccelerator.c:2420:23
#9 0x5641f22e8347 in zend_try_early_bind php-src/Zend/zend_inheritance.c:3430:13
#10 0x7f199bb782a4 in zend_accel_do_delayed_early_binding php-src/ext/opcache/zend_accelerator_util_funcs.c:362:11
#11 0x7f199bb76743 in zend_accel_load_script php-src/ext/opcache/zend_accelerator_util_funcs.c:417:3
#12 0x7f199b9078e1 in persistent_compile_file php-src/ext/opcache/ZendAccelerator.c:2229:9
#13 0x5641f17f334c in zend_execute_script php-src/Zend/zend.c:1892:28
#14 0x5641f11c4668 in php_execute_script_ex php-src/main/main.c:2507:13
#15 0x5641f11c5718 in php_execute_script php-src/main/main.c:2547:9
#16 0x5641f2806053 in do_cli php-src/sapi/cli/php_cli.c:966:5
#17 0x5641f2801454 in main php-src/sapi/cli/php_cli.c:1340:18
#18 0x7f19a242814f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x7f19a2428208 in __libc_start_main csu/../csu/libc-start.c:360:3
#20 0x5641ef2033a4 in _start (php-src/sapi/cli/php+0x1c033a4) (BuildId: 95921ded0c1e297942d1485268c05dddd0a9385e)
0x60d000000000 is located 64 bytes before 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
#0 0x5641ef29e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1c9e429) (BuildId: 95921ded0c1e297942d1485268c05dddd0a9385e)
#1 0x5641f183f421 in zend_register_functions php-src/Zend/zend_API.c:3001:26
#2 0x5641f1838ee6 in zend_register_module_ex php-src/Zend/zend_API.c:2568:27
#3 0x5641f1843259 in zend_register_internal_module php-src/Zend/zend_API.c:2584:9
#4 0x5641f11b4fe8 in php_register_extensions php-src/main/main.c:2004:8
#5 0x5641f27ff364 in php_register_internal_extensions php-src/main/internal_functions_cli.c:88:9
#6 0x5641f11b6114 in php_module_startup php-src/main/main.c:2204:6
#7 0x5641f2809bc8 in php_cli_startup php-src/sapi/cli/php_cli.c:410:9
#8 0x5641f2800cc7 in main php-src/sapi/cli/php_cli.c:1307:6
#9 0x7f19a242814f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x5641ef29e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1c9e429) (BuildId: 95921ded0c1e297942d1485268c05dddd0a9385e)
#1 0x5641f183f421 in zend_register_functions php-src/Zend/zend_API.c:3001:26
#2 0x5641f1838ee6 in zend_register_module_ex php-src/Zend/zend_API.c:2568:27
#3 0x5641f1843259 in zend_register_internal_module php-src/Zend/zend_API.c:2584:9
#4 0x5641f11b4fe8 in php_register_extensions php-src/main/main.c:2004:8
#5 0x5641f27ff364 in php_register_internal_extensions php-src/main/internal_functions_cli.c:88:9
#6 0x5641f11b6114 in php_module_startup php-src/main/main.c:2204:6
#7 0x5641f2809bc8 in php_cli_startup php-src/sapi/cli/php_cli.c:410:9
#8 0x5641f2800cc7 in main php-src/sapi/cli/php_cli.c:1307:6
#9 0x7f19a242814f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow php-src/Zend/zend_alloc.c:1433:3 in zend_mm_free_heap
==759376==ABORTING
But I expected this output instead:
Success
Found as part of #11293
PHP Version
git master
Operating System
Ubuntu 23.10
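
For triage, an AddressSanitizer report like the one above can be reduced to a few fields and a stable bucket key for deduplicating crashes. The Python below is an added example, not part of the original issue or of php-src; the function names are hypothetical, and `REPORT` is an abridged copy of the output above (most frames and the BuildId suffixes dropped).

```python
import re

# Abridged from the report in this issue (sample input for the example).
REPORT = """\
==759376==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000000 at pc 0x5641f1586a27 bp 0x7ffdd841e720 sp 0x7ffdd841e718
READ of size 8 at 0x60d000000000 thread T0
#0 0x5641f1586a26 in zend_mm_free_heap php-src/Zend/zend_alloc.c:1433:3
#1 0x5641f158c526 in _efree php-src/Zend/zend_alloc.c:2600:2
#2 0x7f199bb6b521 in _zend_shared_memdup php-src/ext/opcache/zend_shared_alloc.c:435:3
0x60d000000000 is located 64 bytes before 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
#0 0x5641ef29e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1c9e429)
#1 0x5641f183f421 in zend_register_functions php-src/Zend/zend_API.c:3001:26
previously allocated by thread T0 here:
#0 0x5641ef29e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1c9e429)
#1 0x5641f183f421 in zend_register_functions php-src/Zend/zend_API.c:3001:26
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at ")
LOCATED = re.compile(r"is located (\d+) bytes (before|after|inside of) (\d+)-byte region")
SECTION = re.compile(r"^(freed by|previously allocated by) thread ")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) ")

def parse_asan(text):
    """Split an ASan heap report into header fields and named stacks."""
    rep, current = {"stacks": {"access": []}}, "access"
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.search(line):
            rep["kind"], rep["address"] = m[1], int(m[2], 16)
        elif m := ACCESS.match(line):
            rep["op"], rep["size"] = m[1], int(m[2])
        elif m := LOCATED.search(line):
            rep["located"] = (int(m[1]), m[2], int(m[3]))
        elif m := SECTION.match(line):
            current = m[1]
            rep["stacks"][current] = []
        elif m := FRAME.match(line):
            rep["stacks"][current].append(m[1])
    return rep

def first_project_frame(stack):
    """First frame that is not a sanitizer interceptor."""
    return next((f for f in stack if not f.startswith("__interceptor_")), None)

def signature(rep, depth=3):
    """Bucket key: error kind, access, and the top frames of the faulting stack."""
    return f'{rep["kind"]}:{rep["op"]}{rep["size"]}:' + ">".join(rep["stacks"]["access"][:depth])

if __name__ == "__main__":
    print(signature(parse_asan(REPORT)))
```
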