Description
The following code:
<?php
// Placeholder value type for the reproducer. No constructor is declared, so the
// two arguments passed to `new CliServerInfo(...)` below are simply discarded.
class CliServerInfo {
}
// Reduced reproducer: spawns a child process and schedules a shutdown callback
// that queries its status. `$cmd`, `$doc_root`, `$router` and `$output_file`
// are not defined anywhere in this listing (presumably trimmed while reducing
// the test case), so they are read as undefined variables here.
function php_cli_server_start(
): CliServerInfo {
// Empty descriptor spec: no pipes are requested from the child.
$descriptorspec = array(
);
// `suppress_errors` is documented as a Windows-only option; on the reported
// Ubuntu host it should have no effect.
$handle = proc_open($cmd, $descriptorspec, $pipes, $doc_root, null, array("suppress_errors" => true));
// Runs during request shutdown. The ASan trace in this report places the
// crash inside zif_proc_get_status reached from user_shutdown_function_call,
// i.e. at this call. "zend_mm_heap corrupted" is raised by the allocator when
// it detects damage, so the corrupting write may have happened earlier in the
// request (the report notes a UAF is observed with USE_ZEND_ALLOC=0).
register_shutdown_function(
function($handle) use($router, $doc_root, $output_file) {
$status = proc_get_status($handle);
},
$handle
);
return new CliServerInfo($doc_root, $handle);
}
// The function declares no parameters; PHP ignores the surplus argument, so the
// `-d enable_post_data_reading=Off` option array is never used by this listing.
php_cli_server_start(
["-d", "enable_post_data_reading=Off"]);
// Not shown in this report; presumably defines filter_errors_test() used below.
require 'filter_errors.inc';
// User-space stream filter that fails fatally on every invocation.
class test_filter4 extends php_user_filter {
// Parameters: $in/$out are bucket brigades, $consumed is the by-reference byte
// count (never written here), and the fourth parameter is named $fusion even
// though the body tests $closing — which is undefined in this scope, so the
// `!$closing` branch is always taken.
function filter($in, $out, &$consumed, $fusion): int {
if (!$closing) {
// The new bucket is never appended to $out; it is created and left unreferenced.
$bucket = stream_bucket_new($this->stream, "42");
}
// Signals a fatal filter error on every call, regardless of input.
return PSFS_ERR_FATAL;
}
}
// Registers filter names test_filter0..test_filter4, each mapped to a class of
// the same name. Only test_filter4 is defined in this listing; the other four
// registrations refer to classes that do not exist here. filter_errors_test()
// is expected to come from the required filter_errors.inc (not visible).
for($i = 0; $i < 5; ++$i) {
var_dump(stream_filter_register("test_filter$i", "test_filter$i"));
filter_errors_test("test_filter$i", "42");
}
Resulted in this output:
zend_mm_heap corrupted
AddressSanitizer:DEADLYSIGNAL
=================================================================
==620763==ERROR: AddressSanitizer: SEGV on unknown address 0x03e8000978db (pc 0x7f2de3cf875b bp 0x7fffdfb5f500 sp 0x7fffdfb5f4e8 T0)
==620763==The signal is caused by a READ memory access.
#0 0x7f2de3cf875b in kill (/lib/x86_64-linux-gnu/libc.so.6+0x4275b) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#1 0x5577baa42b4c in zend_mm_panic /php-src/Zend/zend_alloc.c:396:2
#2 0x5577baa42e94 in zend_mm_get_next_free_slot /php-src/Zend/zend_alloc.c:1326:4
#3 0x5577baa5d5ce in zend_mm_alloc_small /php-src/Zend/zend_alloc.c:1410:30
#4 0x5577baa4d63c in zend_mm_alloc_heap /php-src/Zend/zend_alloc.c:1488:9
#5 0x5577baa525fd in _emalloc /php-src/Zend/zend_alloc.c:2740:9
#6 0x5577bb54a76f in zend_string_alloc /php-src/Zend/zend_string.h:176:36
#7 0x5577bb54a517 in zend_string_init /php-src/Zend/zend_string.h:198:21
#8 0x5577bb50bd35 in _zend_hash_str_add_or_update_i /php-src/Zend/zend_hash.c:958:17
#9 0x5577bb50a4dd in zend_hash_str_update /php-src/Zend/zend_hash.c:1035:9
#10 0x5577baa8f358 in zend_symtable_str_update /php-src/Zend/zend_hash.h:579:10
#11 0x5577baa8f90d in add_assoc_bool_ex /php-src/Zend/zend_API.c:1947:2
#12 0x5577ba125fff in add_assoc_bool /php-src/Zend/zend_API.h:569:2
#13 0x5577ba125579 in zif_proc_get_status /php-src/ext/standard/proc_open.c:448:2
#14 0x5577bb2297d1 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:1351:2
#15 0x5577bada8f47 in execute_ex /php-src/Zend/zend_vm_execute.h:58585:7
#16 0x5577bad5638b in zend_call_function /php-src/Zend/zend_execute_API.c:996:3
#17 0x5577b9ec0614 in user_shutdown_function_call /php-src/ext/standard/basic_functions.c:1616:16
#18 0x5577bb52c762 in zend_hash_apply /php-src/Zend/zend_hash.c:2070:13
#19 0x5577b9ec024f in php_call_shutdown_functions /php-src/ext/standard/basic_functions.c:1677:4
#20 0x5577ba46c8a7 in php_request_shutdown /php-src/main/main.c:1911:3
#21 0x5577bb8d7e30 in do_cli /php-src/sapi/cli/php_cli.c:1105:3
#22 0x5577bb8d14f2 in main /php-src/sapi/cli/php_cli.c:1309:18
#23 0x7f2de3cdfd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#24 0x7f2de3cdfe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#25 0x5577b8603244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ee1f743275c2fdd0ccef8e16c7fa1c0bff43bbe8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x4275b) (BuildId: 490fef8403240c91833978d494d39e537409b92e) in kill
With `USE_ZEND_ALLOC=0`, it causes a use-after-free (UAF).
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04