<?php
// Minimal class with a typed property. The reproducer below takes a
// reference to $x ($a[0] =& $test->x), so the final $a[0] = ... assignment
// writes through a reference into a typed property; the ASan report that
// follows the script locates the faulting read in zend_assign_to_variable_ex.
class Test {
public string $x;
}
// Reproducer for an engine heap-use-after-free (ASan output follows the
// script): a user error handler re-enters the engine while an ASSIGN_DIM on
// $a is in progress and reallocates $a's bucket storage underneath it.
$a = [];
// The handler adds a string key to $a. Per the "freed by" stack in the report,
// this converts the packed array to a hash (zend_hash_packed_to_hash) and
// frees the old bucket array, while the outer assignment still holds a
// pointer into that storage.
set_error_handler(function() use(&$a) {
$a['b'] = 2;
});
$test = new Test;
$test->x = "";
// $a[0] becomes a reference to the typed property, so the assignment below
// goes through the reference / typed-property path of the assign helper.
$a[0] =& $test->x;
// $v is deliberately undefined: reading it triggers the undefined-variable
// warning (zval_undefined_cv in the trace) from inside the ASSIGN_DIM handler,
// which calls the error handler above; after the handler returns, the
// assignment continues on the freed bucket (READ of size 1, 17 bytes into the
// freed 136-byte region).
var_dump($a[0] = $v);
=================================================================
==3825313==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000017201 at pc 0x0000062d1f7a bp 0x7fffb3b555e0 sp 0x7fffb3b555d8
READ of size 1 at 0x60d000017201 thread T0
#0 0x62d1f79 in zend_assign_to_variable_ex /home/w023dtc/nightly_php/php-src/Zend/zend_execute.h:195:7
#1 0x5d2f3ef in ZEND_ASSIGN_DIM_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:43332:12
#2 0x5c4a6fb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#3 0x5c4cc8c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#4 0x69587e9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#5 0x5193dca in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#6 0x5194f08 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#7 0x696d6fa in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#8 0x6967adf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#9 0x1479ca5d4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x1479ca5d4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x607b44 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b44)
0x60d000017201 is located 17 bytes inside of 136-byte region [0x60d0000171f0,0x60d000017278)
freed by thread T0 here:
#0 0x6827a2 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6827a2)
#1 0x5806443 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3572:2
#2 0x58114fb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2789:3
#3 0x63e9219 in zend_hash_packed_to_hash /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:369:2
#4 0x640770c in _zend_hash_add_or_update_i /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:839:4
#5 0x6409977 in zend_hash_lookup /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1020:9
#6 0x62b84ef in zend_fetch_dimension_address_inner /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:2855:13
#7 0x62d285c in zend_fetch_dimension_address_inner_W_CONST /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:2890:9
#8 0x5d2748c in ZEND_ASSIGN_DIM_SPEC_CV_CONST_OP_DATA_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:43010:20
#9 0x5c4a6fb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#10 0x5bda795 in zend_call_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1006:3
#11 0x5bd2ce5 in _call_user_function_impl /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:801:9
#12 0x694ef93 in zend_error_zstr_at /home/w023dtc/nightly_php/php-src/Zend/zend.c:1583:10
#13 0x6952531 in zend_error_va_list /home/w023dtc/nightly_php/php-src/Zend/zend.c:1637:2
#14 0x6952bc5 in zend_error_unchecked /home/w023dtc/nightly_php/php-src/Zend/zend.c:1711:2
#15 0x62bda65 in zval_undefined_cv /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:280:3
#16 0x62c4197 in _get_zval_ptr_cv_BP_VAR_R /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:353:10
#17 0x5d2f162 in ZEND_ASSIGN_DIM_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:43331:12
#18 0x5c4a6fb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#19 0x5c4cc8c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#20 0x69587e9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#21 0x5193dca in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#22 0x5194f08 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#23 0x696d6fa in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#24 0x6967adf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#25 0x1479ca5d4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x682a0d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a0d)
#1 0x58127b3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
#2 0x5810f19 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
#3 0x63e312f in zend_hash_real_init_packed_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:156:10
#4 0x6410206 in _zend_hash_index_add_or_update_i /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1165:4
#5 0x6411987 in zend_hash_index_lookup /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1249:9
#6 0x62b803a in zend_fetch_dimension_address_inner /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:2828:4
#7 0x6328374 in zend_fetch_dimension_address /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:2919:13
#8 0x6327a0e in zend_fetch_dimension_address_W /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3040:2
#9 0x5f8156e in ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:42013:2
#10 0x5c4a6fb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:110065:12
#11 0x5c4cc8c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115483:2
#12 0x69587e9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1979:3
#13 0x5193dca in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
#14 0x5194f08 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
#15 0x696d6fa in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
#16 0x6967adf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
#17 0x1479ca5d4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_execute.h:195:7 in zend_assign_to_variable_ex
Shadow bytes around the buggy address:
0x0c1a7fffadf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fffae00: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c1a7fffae10: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1a7fffae20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fffae30: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
=>0x0c1a7fffae40:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1a7fffae50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffae60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffae90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3825313==ABORTING
Description
The following code:
Resulted in this output:
PHP Version
Operating System
No response