First reported by @iluuu1994 in #15961 (comment).
The following code:

```php
<?php
class C {
    public mixed $prop1;
    public ?string $prop2;
    public function __toString() {
        // Runs inside the engine's type check for the assignment below and
        // mutates the reference's type source list while it is being used.
        unset($this->prop1);
        unset($this->prop2);
        return 'bar';
    }
}
function test() {
    $c = new C();
    $c->prop1 = 'foo';
    $c->prop1 = &$c->prop2; // prop1 and prop2 now share one typed reference (mixed, ?string)
    $c->prop1 = $c;         // coercion of $c to string invokes __toString()
    var_dump($c);
}
test();
```

Results in a use-after-free:

```
==2046482==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ba84ae17f28 at pc 0x000001ec6c7a bp 0x7ffc1e84ef70 sp 0x7ffc1e84ef68
READ of size 8 at 0x7ba84ae17f28 thread T0
    #0 0x000001ec6c79 in zend_verify_ref_assignable_zval Zend/zend_execute.c:3972
    #1 0x000001ec7c85 in zend_assign_to_typed_ref_ex Zend/zend_execute.c:4048
    #2 0x00000235f3a6 in zend_assign_to_variable_ex Zend/zend_execute.h:198
    #3 0x00000236c5cb in zend_std_write_property Zend/zend_object_handlers.c:1108
    #4 0x000002126976 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER Zend/zend_vm_execute.h:44861
    #5 0x0000021c4a2c in execute_ex Zend/zend_vm_execute.h:120524
    #6 0x0000021c9900 in zend_execute Zend/zend_vm_execute.h:121476
    #7 0x00000243e999 in zend_execute_script Zend/zend.c:1977
    #8 0x00000199551f in php_execute_script_ex main/main.c:2640
    #9 0x000001995a49 in php_execute_script main/main.c:2680
    #10 0x00000244707e in do_cli sapi/cli/php_cli.c:951
    #11 0x00000244a9b4 in main sapi/cli/php_cli.c:1362
    #12 0x7f684c011574 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7f684c011627 in __libc_start_main_impl ../csu/libc-start.c:360
    #14 0x000000402eb4 in _start (sapi/cli/php+0x402eb4) (BuildId: b4e601b8ae67ff842acabff31f3d1f47e0a6dd3b)
```

There are multiple issues:
First, `variable_ptr` may be freed or turned to a non-reference by coercion side effects during the `zend_verify_ref_assignable_zval()` call here:

Line 4048 in 292e0c2 (`Zend/zend_execute.c`):

```c
ret = zend_verify_ref_assignable_zval(Z_REF_P(variable_ptr), &value, strict);
```
Then, effects may modify the reference type list while it's being iterated by `zend_verify_ref_assignable_zval()`, which results in UAFs or invalid typing (as some types may be skipped).
PHP Version: PHP 8.3

Operating System: No response