Description
The following code (an `ArrayObject` subclass whose overridden `offsetGet()` returns a freshly created `BcMath\Number` rather than the stored one, then probed with `isset()`/`empty()`):
<?php
class ArrayObjectWithBcMath extends ArrayObject
{
    /**
     * Reads $offset from the backing store. A stored BcMath\Number is not
     * returned as-is: a new Number (stored ** 2 mod 3) is built via powmod()
     * and returned instead, so the caller receives a temporary object that
     * nothing else references. Every other value is passed through unchanged.
     */
    public function offsetGet($offset): mixed
    {
        $stored = parent::offsetGet($offset);
        if (!($stored instanceof BcMath\Number)) {
            return $stored;
        }
        return $stored->powmod(2, 3);
    }

    /**
     * Stores $value under $offset. A BcMath\Number is stored under the
     * str_rot13()-transformed key as a new Number (value ** 2 mod 3);
     * anything else is stored unchanged under the original key.
     */
    public function offsetSet($offset, $value): void
    {
        $isNumber = $value instanceof BcMath\Number;
        $key = $isNumber ? str_rot13($offset) : $offset;
        $toStore = $isNumber ? $value->powmod(2, 3) : $value;
        parent::offsetSet($key, $toStore);
    }
}
// Fixture: only 'qux' holds a BcMath\Number, so only that key makes the
// overridden offsetGet() call powmod() and hand back a freshly built object.
// NOTE(review): the constructor appears to take the array directly rather
// than routing through offsetSet(), so the str_rot13 key rewrite is not
// applied here — confirm against ArrayObject::__construct.
$values = ['foo' => '', 'bar' => null, 'baz' => 42, 'qux' => new BcMath\Number(12)];
$object = new ArrayObjectWithBcMath($values);
// Plain scalars / null: offsetGet() passes them through unchanged.
var_dump($object->offsetGet('foo'), isset($object['foo']), empty($object['foo']));
var_dump($object->offsetGet('bar'), isset($object['bar']), empty($object['bar']));
var_dump($object->offsetGet('baz'), isset($object['baz']), empty($object['baz']));
// Trigger: empty() on 'qux'. Per the ASan trace, spl_array_has_dimension_ex()
// invokes the userland offsetGet() (which allocates a new Number in powmod),
// releases that temporary via zend_objects_store_del, and then hands the freed
// zval to zend_is_true() — the heap-use-after-free. No attacker input is needed
// beyond the ability to run PHP code, so impact is engine memory corruption
// from userland rather than a remote-triggerable bug.
var_dump($object->offsetGet('qux'), isset($object['qux']), empty($object['qux']));
// 'sbb' is str_rot13('foo'); if the constructor bypassed offsetSet() (see note
// above) this key was never stored and the read hits a missing offset.
var_dump($object->offsetGet('sbb'), isset($object['sbb']), empty($object['sbb']));
?>
Resulted in this AddressSanitizer report. The use-after-free is hit by the `empty()` probe on the `'qux'` element: `spl_array_has_dimension_ex()` calls the overridden `offsetGet()`, which returns a temporary `BcMath\Number` allocated by `powmod()`; that temporary is released (`zend_objects_store_del`, spl_array.c:669) before `zend_is_true()` reads it (spl_array.c:673):
==2226394==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000847d0 at pc 0x556caeaa6327 bp 0x7ffcbf612500 sp 0x7ffcbf6124f0
READ of size 8 at 0x6060000847d0 thread T0
#0 0x556caeaa6326 in i_zend_is_true /home/w023dtc/nightly_php/php-src/Zend/zend_operators.h:424
#1 0x556caeaa6326 in zend_is_true /home/w023dtc/nightly_php/php-src/Zend/zend_operators.c:2840
#2 0x556cade80d9d in spl_array_has_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:673
#3 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678
#4 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176
#5 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426
#6 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386
#7 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247
#8 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941
#9 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584
#10 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938
#11 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313
#12 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#13 0x14e0e50b8e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#14 0x556cacea5f84 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x2d77f84)
0x6060000847d0 is located 48 bytes inside of 64-byte region [0x6060000847a0,0x6060000847e0)
freed by thread T0 here:
#0 0x14e0e8eba537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x556caea8a7d0 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:198
#2 0x556cade80f8e in spl_array_has_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:669
#3 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678
#4 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176
#5 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426
#6 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386
#7 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247
#8 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941
#9 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584
#10 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938
#11 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313
#12 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
previously allocated by thread T0 here:
#0 0x14e0e8eba887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x556cae4c90c4 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3280
#2 0x556cad1d3884 in zend_object_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.h:94
#3 0x556cad1d3884 in bcmath_number_create /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:885
#4 0x556cad1e429f in bcmath_number_new_obj /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:1161
#5 0x556cad1e429f in zim_BcMath_Number_powmod /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:1644
#6 0x556cae93f278 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2037
#7 0x556cae93f278 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:58865
#8 0x556cae624ef4 in zend_call_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1008
#9 0x556cae6270e7 in zend_call_known_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1102
#10 0x556caea0fe7f in zend_call_method /home/w023dtc/nightly_php/php-src/Zend/zend_interfaces.c:83
#11 0x556cade81840 in zend_call_method_with_1_params /home/w023dtc/nightly_php/php-src/Zend/zend_interfaces.h:52
#12 0x556cade81840 in spl_array_read_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:437
#13 0x556cade80d69 in spl_array_has_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:662
#14 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678
#15 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176
#16 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426
#17 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386
#18 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247
#19 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941
#20 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584
#21 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938
#22 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313
#23 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_operators.h:424 in i_zend_is_true
Shadow bytes around the buggy address:
0x0c0c800088a0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x0c0c800088b0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c800088c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c800088d0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x0c0c800088e0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c800088f0: fa fa fa fa fd fd fd fd fd fd[fd]fd fa fa fa fa
0x0c0c80008900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80008910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80008920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80008930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80008940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2226394==ABORTING
PHP Version
nightly
Operating System
ubuntu 22.04