uaf in streams #21394

@chongwick

Description

The following code:

<?php
// Fuzzer-generated reproducer; the first lines only produce the
// "Attempt to read property ... on null" warning seen in the output
// (documentElement is null on an empty DOMDocument).
$dom = new DOMDocument;
$attributes = $dom->documentElement->attributes;
sscanf("2147483647", '%d', $int);
$data = 'a b=c d';
// Open a php://temp stream (backed by a memory stream) and write to it.
$fd = fopen('php://temp', 'w+');
fwrite($fd, $data);
// Close the most recently registered resource, i.e. the temp stream.
// ASan shows the stream freed here (zif_fclose -> _php_stream_free) and
// read again during request shutdown when the resource list is destroyed
// (zend_close_rsrc_list -> _php_stream_free -> _php_stream_flush).
$resources = get_resources();
fclose(end($resources));

Resulted in this output:

Warning: Attempt to read property "attributes" on null in /home/w023dtc/goodgood/fuzz_mjsunit-regress-regress-2606_82272fac12.php.er on line 3
=================================================================
==813677==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000025fe8 at pc 0x0000052d455c bp 0x7ffd67095e50 sp 0x7ffd67095e48
READ of size 8 at 0x611000025fe8 thread T0
    #0 0x52d455b in _php_stream_flush /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1299:27
    #1 0x52b0de8 in php_stream_temp_flush /home/w023dtc/nightly_php/php-src/main/streams/memory.c:436:27
    #2 0x52d49b7 in _php_stream_flush /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1306:9
    #3 0x52d1aed in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:453:3
    #4 0x52eef84 in stream_resource_regular_dtor /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1856:19
    #5 0x67910f9 in zend_resource_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_list.c:73:3
    #6 0x6793bde in zend_close_rsrc_list /home/w023dtc/nightly_php/php-src/Zend/zend_list.c:228:6
    #7 0x5bca05a in zend_shutdown_executor_values /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:275:2
    #8 0x5bd62be in shutdown_executor /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:454:2
    #9 0x695801b in zend_deactivate /home/w023dtc/nightly_php/php-src/Zend/zend.c:1355:2
    #10 0x5192cba in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:2028:2
    #11 0x6984e21 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1156:3
    #12 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #13 0x150f5bf28d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x150f5bf28e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x607b54 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b54)

0x611000025fe8 is located 40 bytes inside of 224-byte region [0x611000025fc0,0x6110000260a0)
freed by thread T0 here:
    #0 0x6827b2 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6827b2)
    #1 0x58185b3 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3572:2
    #2 0x582366b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2789:3
    #3 0x52d439d in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:530:3
    #4 0x42918a2 in zif_fclose /home/w023dtc/nightly_php/php-src/ext/standard/file.c:764:2
    #5 0x60d5fee in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1318:2
    #6 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
    #7 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
    #8 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
    #9 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #10 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #11 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #12 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #13 0x150f5bf28d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x682a1d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a1d)
    #1 0x5824923 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
    #2 0x5823089 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
    #3 0x52cf4cd in _php_stream_alloc /home/w023dtc/nightly_php/php-src/main/streams/streams.c:284:22
    #4 0x52af17c in _php_stream_memory_create /home/w023dtc/nightly_php/php-src/main/streams/memory.c:307:11
    #5 0x52b2b74 in _php_stream_temp_create_ex /home/w023dtc/nightly_php/php-src/main/streams/memory.c:569:22
    #6 0x52b2d42 in _php_stream_temp_create /home/w023dtc/nightly_php/php-src/main/streams/memory.c:579:9
    #7 0x4482937 in php_stream_url_wrap_php /home/w023dtc/nightly_php/php-src/ext/standard/php_fopen_wrapper.c:205:10
    #8 0x52f7d3a in _php_stream_open_wrapper_ex /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2270:13
    #9 0x4290167 in zif_fopen /home/w023dtc/nightly_php/php-src/ext/standard/file.c:740:11
    #10 0x34e5990 in zif_phar_fopen /home/w023dtc/nightly_php/php-src/ext/phar/func_interceptors.c:317:2
    #11 0x60d80bf in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1384:2
    #12 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
    #13 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
    #14 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
    #15 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #16 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #17 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #18 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #19 0x150f5bf28d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:1299:27 in _php_stream_flush
Shadow bytes around the buggy address:
  0x0c227fffcba0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcbc0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffcbe0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c227fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x0c227fffcc00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffcc10: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==813677==ABORTING
USE_ZEND_ALLOC=0

PHP Version

nightly

Operating System

No response
