
uaf in streams #20678

@chongwick

Description


The following code:

// Minimal reproducer. Constructing a GlobIterator opens an internal glob
// directory stream (the "previously allocated" ASan trace below shows
// zim_GlobIterator___construct -> spl_filesystem_dir_open -> _php_stream_opendir
// -> php_glob_stream_opener allocating it). The pattern does not need to match
// anything.
$iter = new GlobIterator(__DIR__ . '/*.abcdefghij');
// get_resources() exposes every live resource, including that internal stream,
// so userland can reach a stream that only the SPL object is supposed to own.
// end() takes the last registered resource; per the ASan trace that is the
// iterator's glob stream. NOTE: this relies on the registry order at this point
// of the script (nothing else has opened a resource).
$resources = get_resources();
$resource = end($resources);
// fclose() frees the stream (zif_fclose -> _php_stream_free in the "freed by"
// trace). The GlobIterator is not informed; at request shutdown its destructor
// (spl_filesystem_object_destroy_object, run from shutdown_destructors) calls
// _php_stream_free on the same, already freed stream -> heap-use-after-free.
fclose($resource);
Original

<?php
// Unreduced, fuzzer-generated script from which the short reproducer in the
// description was derived. Variable names are generator artefacts. Everything
// between the constructor and the final three statements only calls
// GlobIterator accessors and var_dump; the use-after-free is triggered solely
// by the trailing get_resources() / end() / fclose() sequence, which closes the
// iterator's internal glob stream behind the object's back so that its
// destructor frees the stream a second time at shutdown.
$v_14785 = __DIR__;
$v_14786 = '/*.abcdefghij';
$v_14787 = $v_14785 . $v_14786;
// Opens the glob directory stream that is later freed twice.
$v_14788 = new GlobIterator($v_14787,);
// The 'Test ...\n' strings are single-quoted, so "\n" stays a literal backslash
// and "n"; they are labels left over from the generator, mostly never printed.
$v_14789 = 'Test getATime()\n';
$v_14790 = $v_14788->getATime();
$v_14831 = 'Test getSize()\n';
$v_14791 = var_dump($v_14831,);
$v_14792 = 'Test getBasename()\n';
$v_14793 = $v_14788->getBasename();
$v_14826 = $v_14788->getPerms();
$v_14859 = var_dump($v_14826,);
$v_14794 = var_dump($v_14859,);
$v_14795 = 'Test getCTime()\n';
$v_14796 = $v_14788->getCTime();
$v_14857 = var_dump($v_14831,);
$v_14797 = var_dump($v_14857,);
$v_14798 = 'Test getExtension()\n';
$v_14799 = $v_14788->getExtension();
$v_14820 = $v_14788->getPathInfo();
$v_14800 = var_dump($v_14820,);
$v_14801 = 'Test getFilename()\n';
$v_14802 = $v_14788->getFilename();
$v_14803 = var_dump($v_14797,);
$v_14804 = 'Test getGroup()\n';
$v_14805 = $v_14788->getGroup();
$v_14841 = $v_14788->isExecutable();
$v_14806 = var_dump($v_14841,);
$v_14807 = 'Test getInode()\n';
$v_14808 = $v_14788->getInode();
$v_14809 = var_dump($v_14808,);
$v_14810 = 'Test getMTime()\n';
$v_14811 = $v_14788->getMTime();
$v_14817 = $v_14788->getPath();
$v_14812 = var_dump($v_14817,);
$v_14813 = 'Test getOwner()\n';
$v_14814 = $v_14788->getOwner();
$v_14844 = $v_14788->isFile();
$v_14815 = var_dump($v_14844,);
$v_14816 = 'Test getPath()\n';
// Trigger: grab the last live resource (the iterator's glob stream, per the
// ASan allocation trace) and fclose() it. The GlobIterator still references
// the freed stream and its destructor frees it again at shutdown.
$v_1851 = get_resources();
$v_1852 = end($v_1851,);
$v_1853 = fclose($v_1852,);

Resulted in this output:

=================================================================
==1217721==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000026050 at pc 0x0000052ba3db bp 0x7ffdd00fcbd0 sp 0x7ffdd00fcbc8
READ of size 8 at 0x611000026050 thread T0
    #0 0x52ba3da in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:386:12
    #1 0x3eee09a in spl_filesystem_object_destroy_object /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:114:4
    #2 0x68506ba in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:181:4
    #3 0x6967eb7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #4 0x696813e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #5 0x6967ef4 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #6 0x6487a31 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1500:3
    #7 0x64851ad in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1527:2
    #8 0x649eaf4 in zend_hash_reverse_apply /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2243:5
    #9 0x5b9c41c in shutdown_destructors /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:262:4
    #10 0x69b080b in zend_call_destructors /home/w023dtc/nightly_php/php-src/Zend/zend.c:1336:3
    #11 0x517bda3 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1985:3
    #12 0x69dde91 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1158:3
    #13 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #14 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x1547ee9bee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x607b04 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b04)

0x611000026050 is located 144 bytes inside of 224-byte region [0x611000025fc0,0x6110000260a0)
freed by thread T0 here:
    #0 0x682762 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682762)
    #1 0x57fac33 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x5805ceb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x52bd96d in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:530:3
    #4 0x4282e12 in zif_fclose /home/w023dtc/nightly_php/php-src/ext/standard/file.c:765:2
    #5 0x611ff6f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
    #6 0x5c3068b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
    #7 0x5c32c1c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
    #8 0x69c3b79 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
    #9 0x519095a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #10 0x5191a98 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #11 0x69d8a8a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #12 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #13 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829cd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829cd)
    #1 0x5806fa3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x5805709 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x52b8a73 in _php_stream_alloc /home/w023dtc/nightly_php/php-src/main/streams/streams.c:284:22
    #4 0x5291ec3 in php_glob_stream_opener /home/w023dtc/nightly_php/php-src/main/streams/glob_wrapper.c:299:9
    #5 0x52dee04 in _php_stream_opendir /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2179:12
    #6 0x3ef7387 in spl_filesystem_dir_open /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:293:23
    #7 0x3e96c30 in spl_filesystem_object_construct /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:715:3
    #8 0x3ec7581 in zim_GlobIterator___construct /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:1525:2
    #9 0x5eeda3b in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2022:4
    #10 0x5c3068b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
    #11 0x5c32c1c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
    #12 0x69c3b79 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
    #13 0x519095a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #14 0x5191a98 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #15 0x69d8a8a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #16 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #17 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:386:12 in _php_stream_free
Shadow bytes around the buggy address:
  0x0c227fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcbc0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fffcbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcbe0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c227fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c227fffcc00: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c227fffcc10: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcc20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcc30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c227fffcc40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffcc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1217721==ABORTING
USE_ZEND_ALLOC=0

PHP Version

nightly

Operating System

ubuntu 22.04
