Closed as duplicate of #15938
Description
The following code:
```php
<?php
set_error_handler(function($code, $msg) {
    echo "Err: $msg\n";
    $GLOBALS['a']='';
});
$ftp = ftp_connect('127.0.0.1', $port);
$oid1 = 'SNMPv2-MIB::sysContact.0';
$oldvalue1 = snmpget($hostname, $communityWrite, $oid1, $timeout, $retries);
var_dump((snmpget($hostname, $communityWrite, $oid1, $timeout, $retries) === $oldvalue1));
$end = new DateTime('2010-03-14 03:30:00');
for ($i_0 = 0; $i_0 < 10; $i_0++) {
    $a = new stdClass();
    $a->$x = "string('')";
    var_dump($a);
}
```

Resulted in this output:
Err: Undefined variable $port
Err: ftp_connect(): Passing null to parameter #2 ($port) of type int is deprecated
Err: Undefined variable $hostname
Err: Undefined variable $communityWrite
Err: Undefined variable $timeout
Err: Undefined variable $retries
Err: snmpget(): Passing null to parameter #1 ($hostname) of type string is deprecated
Err: snmpget(): Passing null to parameter #2 ($community) of type string is deprecated
Err: snmpget(): Passing null to parameter #4 ($timeout) of type int is deprecated
Err: snmpget(): Passing null to parameter #5 ($retries) of type int is deprecated
Err: snmpget(): Invalid object identifier: SNMPv2-MIB::sysContact.0
Err: Undefined variable $hostname
Err: Undefined variable $communityWrite
Err: Undefined variable $timeout
Err: Undefined variable $retries
Err: snmpget(): Passing null to parameter #1 ($hostname) of type string is deprecated
Err: snmpget(): Passing null to parameter #2 ($community) of type string is deprecated
Err: snmpget(): Passing null to parameter #4 ($timeout) of type int is deprecated
Err: snmpget(): Passing null to parameter #5 ($retries) of type int is deprecated
Err: snmpget(): Invalid object identifier: SNMPv2-MIB::sysContact.0
bool(true)
Err: Undefined variable $x
=================================================================
==825731==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000e5028 at pc 0x000005de9528 bp 0x7ffe76bb13d0 sp 0x7ffe76bb13c8
READ of size 8 at 0x6040000e5028 thread T0
#0 0x5de9527 in ZEND_ASSIGN_OBJ_SPEC_CV_CV_OP_DATA_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:51553:16
#1 0x2bda21a in zend_jit_trace_execute /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:1074:12
#2 0x2c00c15 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8175:9
#3 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
#4 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
#5 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#6 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#7 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#8 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#9 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#10 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#11 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#12 0x1479784d8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x1479784d8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#14 0x607b54 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b54)
0x6040000e5028 is located 24 bytes inside of 40-byte region [0x6040000e5010,0x6040000e5038)
freed by thread T0 here:
#0 0x6827b2 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6827b2)
#1 0x58185b3 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3572:2
#2 0x582366b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2789:3
#3 0x67f8c2d in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:200:3
#4 0x690ef17 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
#5 0x62e3442 in zend_assign_to_variable /home/w023dtc/nightly_php/php-src/Zend/zend_execute.h:183:4
#6 0x5d03d75 in ZEND_ASSIGN_SPEC_VAR_CONST_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:25341:11
#7 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#8 0x5bec835 in zend_call_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1006:3
#9 0x5be4d85 in _call_user_function_impl /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:801:9
#10 0x69612b3 in zend_error_zstr_at /home/w023dtc/nightly_php/php-src/Zend/zend.c:1583:10
#11 0x6964851 in zend_error_va_list /home/w023dtc/nightly_php/php-src/Zend/zend.c:1637:2
#12 0x6964ee5 in zend_error_unchecked /home/w023dtc/nightly_php/php-src/Zend/zend.c:1711:2
#13 0x62cfb35 in zval_undefined_cv /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:280:3
#14 0x62d6267 in _get_zval_ptr_cv_BP_VAR_R /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:353:10
#15 0x5de8ff7 in ZEND_ASSIGN_OBJ_SPEC_CV_CV_OP_DATA_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:51540:34
#16 0x2bda21a in zend_jit_trace_execute /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:1074:12
#17 0x2c00c15 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8175:9
#18 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
#19 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
#20 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#21 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#22 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#23 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#24 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#25 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#26 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#27 0x1479784d8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x682a1d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a1d)
#1 0x5824923 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
#2 0x5823089 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
#3 0x6801456 in zend_objects_new /home/w023dtc/nightly_php/php-src/Zend/zend_objects.c:191:24
#4 0x586c9e2 in _object_and_properties_init /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:1820:22
#5 0x586d1d0 in object_init_ex /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:1843:9
#6 0x5ee3b31 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:11345:6
#7 0x2bda21a in zend_jit_trace_execute /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:1074:12
#8 0x2c00c15 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8175:9
#9 0x2bc8b43 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
#10 0x2bc83da in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
#11 0x5c5c79b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#12 0x5c5ed2c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#13 0x696ab09 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#14 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#15 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#16 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#17 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#18 0x1479784d8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:51553:16 in ZEND_ASSIGN_OBJ_SPEC_CV_CV_OP_DATA_CONST_HANDLER
==825731==ABORTING
```bash
USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" -d "display_errors = On" -d "display_startup_errors = On" -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" -d "opcache.jit_max_root_traces= 100000" -d "opcache.jit_max_side_traces= 100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" -d "opcache.protect_memory=1"
```
PHP Version
nightly
Operating System
No response