From 35455b17be9fce39c2072a5dcfd9b835507c754f Mon Sep 17 00:00:00 2001 From: Levi Morrison Date: Mon, 19 May 2025 09:45:28 -0600 Subject: [PATCH 1/3] fix: dangling opline in ZEND_INIT_ARRAY (#18578) This causes problems if an allocation profiler decides to walk the stack, or if the engine itself OOMs on this opcode, and it tries to print file and line information. --- Zend/zend_vm_def.h | 1 + Zend/zend_vm_execute.h | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 53aa7a821f6..19422fe5eeb 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -6281,6 +6281,7 @@ ZEND_VM_HANDLER(71, ZEND_INIT_ARRAY, CONST|TMP|VAR|CV|UNUSED, CONST|TMPVAR|UNUSE uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (OP1_TYPE != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 2c86a94134c..209e6cdbe7d 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -7424,6 +7424,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CONST_CONST_HA uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CONST != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -9765,6 +9766,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CONST_TMPVAR_H uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CONST != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -10695,6 +10697,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CONST_UNUSED_H uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CONST != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -12161,6 +12164,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CONST_CV_HANDL uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CONST != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -20189,6 +20193,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_TMP_CONST_HAND uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_TMP_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -20633,6 +20638,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_TMP_TMPVAR_HAN uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_TMP_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -21094,6 +21100,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_TMP_UNUSED_HAN uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_TMP_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -21498,6 +21505,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_TMP_CV_HANDLER uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_TMP_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -25327,6 +25335,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_VAR_CONST_HAND uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -27777,6 +27786,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_VAR_TMPVAR_HAN uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -29855,6 +29865,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_VAR_UNUSED_HAN uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -32165,6 +32176,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_VAR_CV_HANDLER uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_VAR != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -34399,6 +34411,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_UNUSED_CONST_H uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_UNUSED != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -36281,6 +36294,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_UNUSED_TMPVAR_ uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_UNUSED != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -36918,6 +36932,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_UNUSED_UNUSED_ uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_UNUSED != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -38776,6 +38791,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_UNUSED_CV_HAND uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_UNUSED != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -43871,6 +43887,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CV_CONST_HANDL uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CV != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -47511,6 +47528,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CV_TMPVAR_HAND uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CV != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -49480,6 +49498,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CV_UNUSED_HAND uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CV != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; @@ -52998,6 +53017,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_ARRAY_SPEC_CV_CV_HANDLER( uint32_t size; USE_OPLINE + SAVE_OPLINE(); array = EX_VAR(opline->result.var); if (IS_CV != IS_UNUSED) { size = opline->extended_value >> ZEND_ARRAY_SIZE_SHIFT; From 46ac878f6a0c19514085b81b185a574084f244cf Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 18 May 2025 14:30:35 +0200 Subject: [PATCH 2/3] Fix OSS-Fuzz #417078295 If the variable_ptr and fetched value are the same or overlap, then we get a UAF. Prevent this by delaying destruction. Closes GH-18588. --- NEWS | 1 + Zend/tests/oss_fuzz_417078295.phpt | 17 +++++++++++++++++ Zend/zend_vm_def.h | 3 ++- Zend/zend_vm_execute.h | 3 ++- 4 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/oss_fuzz_417078295.phpt diff --git a/NEWS b/NEWS index 25651e5ca77..4a4259867a3 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ PHP NEWS (nielsdos/David Carlier) . Partially fixed GH-18572 (nested object comparisons leading to stack overflow). (David Carlier) + . Fixed OSS-Fuzz #417078295. (nielsdos) - Curl: . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ diff --git a/Zend/tests/oss_fuzz_417078295.phpt b/Zend/tests/oss_fuzz_417078295.phpt new file mode 100644 index 00000000000..6e53f9478e1 --- /dev/null +++ b/Zend/tests/oss_fuzz_417078295.phpt @@ -0,0 +1,17 @@ +--TEST-- +OSS-Fuzz #417078295 +--FILE-- + +--EXPECT-- +object(stdClass)#1 (0) refcount(2){ +} diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 19422fe5eeb..0eacdfe145d 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -8981,7 +8981,6 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, ANY, REF) value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT))); if (opline->extended_value & ZEND_BIND_REF) { - i_zval_ptr_dtor(variable_ptr); if (UNEXPECTED(!Z_ISREF_P(value))) { zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference)); GC_SET_REFCOUNT(ref, 2); @@ -8996,9 +8995,11 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, ANY, REF) ref->sources.ptr = NULL; Z_REF_P(value) = ref; Z_TYPE_INFO_P(value) = IS_REFERENCE_EX; + i_zval_ptr_dtor(variable_ptr); ZVAL_REF(variable_ptr, ref); } else { Z_ADDREF_P(value); + i_zval_ptr_dtor(variable_ptr); ZVAL_REF(variable_ptr, Z_REF_P(value)); if (OP2_TYPE != IS_UNUSED) { FREE_OP2(); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 209e6cdbe7d..4ea6b302c8c 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -40564,7 +40564,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_HANDLER(ZE value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT))); if (opline->extended_value & ZEND_BIND_REF) { - i_zval_ptr_dtor(variable_ptr); if (UNEXPECTED(!Z_ISREF_P(value))) { zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference)); GC_SET_REFCOUNT(ref, 2); @@ -40579,9 +40578,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_HANDLER(ZE ref->sources.ptr = NULL; Z_REF_P(value) = ref; Z_TYPE_INFO_P(value) = IS_REFERENCE_EX; + i_zval_ptr_dtor(variable_ptr); ZVAL_REF(variable_ptr, ref); } else { Z_ADDREF_P(value); + i_zval_ptr_dtor(variable_ptr); ZVAL_REF(variable_ptr, Z_REF_P(value)); if (opline->op2_type != IS_UNUSED) { FREE_OP(opline->op2_type, opline->op2.var); From 98cb17f4fd19590f261c1916c0322a7aecc768b9 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 18 May 2025 14:59:27 +0200 Subject: [PATCH 3/3] Fix OSS-Fuzz #418106144 The VM assumes that an exception must be handled when the AST evaluation returns FAILURE. However, the comparison functions always return SUCCESS even if an exception happened. This can be fixed in zend_ast_evaluate_inner() or we can make is_smaller_function() etc check for the exception. I chose the former to avoid impact or API breaks. Perhaps in the future the comparison functions should either return void or return whether an exception happened, as to be not misleading. Closes GH-18589. --- NEWS | 1 + Zend/tests/gh418106144.phpt | 20 ++++++++++++++++++++ Zend/zend_ast.c | 3 ++- 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 Zend/tests/gh418106144.phpt diff --git a/NEWS b/NEWS index 4a4259867a3..f20891f344f 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,7 @@ PHP NEWS . Partially fixed GH-18572 (nested object comparisons leading to stack overflow). (David Carlier) . Fixed OSS-Fuzz #417078295. (nielsdos) + . Fixed OSS-Fuzz #418106144. (nielsdos) - Curl: . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ diff --git a/Zend/tests/gh418106144.phpt b/Zend/tests/gh418106144.phpt new file mode 100644 index 00000000000..9357b0a179b --- /dev/null +++ b/Zend/tests/gh418106144.phpt @@ -0,0 +1,20 @@ +--TEST-- +OSS-Fuzz #418106144 +--FILE-- +''){ + var_dump(); +} +try { + test(); +} catch (TypeError $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECT-- +Foo::__toString(): Return value must be of type string, none returned diff --git a/Zend/zend_ast.c b/Zend/zend_ast.c index bf602449e5e..0fb50e2eae1 100644 --- a/Zend/zend_ast.c +++ b/Zend/zend_ast.c @@ -564,9 +564,10 @@ ZEND_API zend_result ZEND_FASTCALL zend_ast_evaluate_inner( /* op1 > op2 is the same as op2 < op1 */ binary_op_type op = ast->kind == ZEND_AST_GREATER ? is_smaller_function : is_smaller_or_equal_function; - ret = op(result, &op2, &op1); + op(result, &op2, &op1); zval_ptr_dtor_nogc(&op1); zval_ptr_dtor_nogc(&op2); + ret = EG(exception) ? FAILURE : SUCCESS; } break; case ZEND_AST_UNARY_OP: