
uaf in streams #20678


@chongwick

Description

The following code:

// Constructing the iterator opens a glob directory stream (the ASan
// "previously allocated" trace shows php_glob_stream_opener called from
// spl_filesystem_dir_open inside GlobIterator::__construct). The SPL object
// evidently keeps a pointer to that stream, since its destructor later
// hands it to _php_stream_free.
$iter = new GlobIterator(__DIR__ . '/*.abcdefghij');
// The same stream is also visible to userland as a resource: end() picks the
// last entry of get_resources(), which (per the "freed by" trace) is the glob
// stream allocated above, not one of the standard streams.
$resources = get_resources();
$resource = end($resources);
// fclose() frees the stream struct (zif_fclose -> _php_stream_free) while
// $iter still references it. At request shutdown,
// spl_filesystem_object_destroy_object calls _php_stream_free on the
// already-freed memory -> heap-use-after-free reported at streams.c:386.
fclose($resource);
Original (unreduced) fuzzer-generated script:

<?php
// Unreduced script from which the four-line reproducer above was extracted.
// Only two parts matter for the crash: the GlobIterator construction
// ($v_14788) and the closing get_resources()/end()/fclose() sequence at the
// bottom. The intermediate getter and var_dump calls are fuzzer filler that
// the reduced version omits. (The 'Test ...' strings are single-quoted, so
// the '\n' in them is a literal backslash-n, not a newline.)
$v_14785 = __DIR__;
$v_14786 = '/*.abcdefghij';
$v_14787 = $v_14785 . $v_14786;
// Opens the glob directory stream that is later freed out from under the
// SPL object (see the "previously allocated" ASan trace).
$v_14788 = new GlobIterator($v_14787,);
$v_14789 = 'Test getATime()\n';
$v_14790 = $v_14788->getATime();
$v_14831 = 'Test getSize()\n';
$v_14791 = var_dump($v_14831,);
$v_14792 = 'Test getBasename()\n';
$v_14793 = $v_14788->getBasename();
$v_14826 = $v_14788->getPerms();
$v_14859 = var_dump($v_14826,);
$v_14794 = var_dump($v_14859,);
$v_14795 = 'Test getCTime()\n';
$v_14796 = $v_14788->getCTime();
$v_14857 = var_dump($v_14831,);
$v_14797 = var_dump($v_14857,);
$v_14798 = 'Test getExtension()\n';
$v_14799 = $v_14788->getExtension();
$v_14820 = $v_14788->getPathInfo();
$v_14800 = var_dump($v_14820,);
$v_14801 = 'Test getFilename()\n';
$v_14802 = $v_14788->getFilename();
$v_14803 = var_dump($v_14797,);
$v_14804 = 'Test getGroup()\n';
$v_14805 = $v_14788->getGroup();
$v_14841 = $v_14788->isExecutable();
$v_14806 = var_dump($v_14841,);
$v_14807 = 'Test getInode()\n';
$v_14808 = $v_14788->getInode();
$v_14809 = var_dump($v_14808,);
$v_14810 = 'Test getMTime()\n';
$v_14811 = $v_14788->getMTime();
$v_14817 = $v_14788->getPath();
$v_14812 = var_dump($v_14817,);
$v_14813 = 'Test getOwner()\n';
$v_14814 = $v_14788->getOwner();
$v_14844 = $v_14788->isFile();
$v_14815 = var_dump($v_14844,);
$v_14816 = 'Test getPath()\n';
// The last registered resource is the glob stream; fclose() frees it
// (zif_fclose -> _php_stream_free in the "freed by" trace) while $v_14788
// still references it. The SPL destructor then touches the freed stream at
// shutdown -> heap-use-after-free in _php_stream_free (streams.c:386).
$v_1851 = get_resources();
$v_1852 = end($v_1851,);
$v_1853 = fclose($v_1852,);

Resulted in this AddressSanitizer output:

=================================================================
==1217721==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000026050 at pc 0x0000052ba3db bp 0x7ffdd00fcbd0 sp 0x7ffdd00fcbc8
READ of size 8 at 0x611000026050 thread T0
    #0 0x52ba3da in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:386:12
    #1 0x3eee09a in spl_filesystem_object_destroy_object /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:114:4
    #2 0x68506ba in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:181:4
    #3 0x6967eb7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #4 0x696813e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #5 0x6967ef4 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #6 0x6487a31 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1500:3
    #7 0x64851ad in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1527:2
    #8 0x649eaf4 in zend_hash_reverse_apply /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2243:5
    #9 0x5b9c41c in shutdown_destructors /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:262:4
    #10 0x69b080b in zend_call_destructors /home/w023dtc/nightly_php/php-src/Zend/zend.c:1336:3
    #11 0x517bda3 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1985:3
    #12 0x69dde91 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1158:3
    #13 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #14 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x1547ee9bee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x607b04 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b04)

0x611000026050 is located 144 bytes inside of 224-byte region [0x611000025fc0,0x6110000260a0)
freed by thread T0 here:
    #0 0x682762 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682762)
    #1 0x57fac33 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x5805ceb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x52bd96d in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:530:3
    #4 0x4282e12 in zif_fclose /home/w023dtc/nightly_php/php-src/ext/standard/file.c:765:2
    #5 0x611ff6f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
    #6 0x5c3068b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
    #7 0x5c32c1c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
    #8 0x69c3b79 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
    #9 0x519095a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #10 0x5191a98 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #11 0x69d8a8a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #12 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #13 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829cd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829cd)
    #1 0x5806fa3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x5805709 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x52b8a73 in _php_stream_alloc /home/w023dtc/nightly_php/php-src/main/streams/streams.c:284:22
    #4 0x5291ec3 in php_glob_stream_opener /home/w023dtc/nightly_php/php-src/main/streams/glob_wrapper.c:299:9
    #5 0x52dee04 in _php_stream_opendir /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2179:12
    #6 0x3ef7387 in spl_filesystem_dir_open /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:293:23
    #7 0x3e96c30 in spl_filesystem_object_construct /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:715:3
    #8 0x3ec7581 in zim_GlobIterator___construct /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:1525:2
    #9 0x5eeda3b in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2022:4
    #10 0x5c3068b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
    #11 0x5c32c1c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
    #12 0x69c3b79 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
    #13 0x519095a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #14 0x5191a98 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #15 0x69d8a8a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #16 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #17 0x1547ee9bed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:386:12 in _php_stream_free
Shadow bytes around the buggy address:
  0x0c227fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcbc0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fffcbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcbe0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c227fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c227fffcc00: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c227fffcc10: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcc20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcc30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c227fffcc40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffcc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1217721==ABORTING
Run with USE_ZEND_ALLOC=0 (Zend MM disabled, which is why the traces above show __zend_malloc/__zend_free going straight to malloc/free and lets AddressSanitizer track each allocation).

PHP Version

nightly

Operating System

ubuntu 22.04
