heap buffer overflow in jit #20012

@chongwick

Description

The following code:

```php
<?php
$v_1292 = 'abc';
$v_1307 = bin2hex($v_1292,);
$v_1302 = '\n';
$v_1300 = sha1($v_1302,$v_1294,);
$v_1294 = sha1($v_1307,$v_1300,);
$v_1298 = 'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq';
$v_1296 = '\n';
$v_1297 = $v_1298 . $v_1296;
$v_1311 = TRUE;
$v_1303 = $v_1307 . $v_1311;
$v_1309 = $v_1302 . $v_1296;
$i = 1;
$v_401 = 2;
$v_402 = $i % $v_401;
$v_403 = 0;
$v_404 = $v_402 == $v_403;
$v_1315 = $v_1292 . $v_404;
```

Resulted in this output:

```text
=================================================================
==2058733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000057574 at pc 0x0000029bebfc bp 0x7fffaa023420 sp 0x7fffaa023418
WRITE of size 4 at 0x625000057574 thread T0
    #0 0x29bebfb in ir_iter_remove_insn /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2
    #1 0x29f58f0 in ir_iter_optimize_guard /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3494:6
    #2 0x29be9d8 in ir_iter_opt /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3684:4
    #3 0x29f84a7 in ir_sccp /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3708:2
    #4 0x318e7bc in zend_jit_ir_compile /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:2876:2
    #5 0x302a4b4 in zend_jit_finish /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:16744:10
    #6 0x2e632a7 in zend_jit_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7318:12
    #7 0x2c23e39 in zend_jit_compile_root_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7533:14
    #8 0x2c16100 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8227:10
    #9 0x2bdc0c3 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #10 0x2bdb95a in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #11 0x5c7481b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115722:12
    #12 0x5c76dac in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121434:2
    #13 0x69fb049 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #14 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #15 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #16 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #17 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #18 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x147a48f3fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x607ae4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607ae4)

0x625000057574 is located 1308 bytes to the right of 8024-byte region [0x625000055100,0x625000057058)
freed by thread T0 here:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
    #1 0x583ef03 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x5849fbb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x57e2eb4 in zend_arena_destroy /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:158:3
    #4 0x57d396d in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1752:2
    #5 0x24f3980 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #6 0x24e2774 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #7 0x69fae30 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #8 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #9 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #10 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #11 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #12 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829ad in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829ad)
    #1 0x584b273 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x58499d9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x57d3a4e in zend_arena_create /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:142:36
    #4 0x57cdfde in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1600:14
    #5 0x24f3980 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #6 0x24e2774 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #7 0x69fae30 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #8 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #9 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #10 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #11 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #12 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2 in ir_iter_remove_insn
Shadow bytes around the buggy address:
  0x0c4a80002e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80002ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c4a80002eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2058733==ABORTING
```
To reproduce:

```sh
USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" \
  -d "display_errors = On" -d "display_startup_errors = On" \
  -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" \
  -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" \
  -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" \
  -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" \
  -d "opcache.jit_max_root_traces= 100000" -d "opcache.jit_max_side_traces= 100000" \
  -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" \
  -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" \
  -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" \
  -d "opcache.protect_memory=1" script.php
```
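For triaging a report like the one above (deduplicating it against other fuzzer findings and cross-checking the stated out-of-bounds distance), here is an added Python example that is not part of the issue or of php-src: it parses the fields of an ASan heap-buffer-overflow report; `SAMPLE_REPORT` is a constructed excerpt of the report above, and the function names are my own.

```python
import re

# Constructed sample: an excerpt of this issue's ASan report, cut to the lines the
# parser keys on (error header, access line, faulting frames, region line, next stack).
SAMPLE_REPORT = """\
==2058733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000057574 at pc 0x0000029bebfc bp 0x7fffaa023420 sp 0x7fffaa023418
WRITE of size 4 at 0x625000057574 thread T0
    #0 0x29bebfb in ir_iter_remove_insn /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2
    #1 0x29f58f0 in ir_iter_optimize_guard /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3494:6
0x625000057574 is located 1308 bytes to the right of 8024-byte region [0x625000055100,0x625000057058)
freed by thread T0 here:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

def parse_asan(report: str) -> dict:
    """Extract error kind, access, faulting stack and region geometry. Only frames between
    the access line and the region line are the faulting stack; later stacks are skipped."""
    info = {"frames": []}
    in_fault_stack = False
    for line in report.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["addr"] = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            info["op"], info["size"] = m["op"], int(m["size"])
            in_fault_stack = True
        elif m := REGION_RE.search(line):
            in_fault_stack = False
            info.update(dist=int(m["dist"]), side=m["side"], rsize=int(m["rsize"]),
                        lo=int(m["lo"], 16), hi=int(m["hi"], 16))
        elif (m := FRAME_RE.match(line)) and in_fault_stack:
            info["frames"].append((m["func"], m["loc"]))
    return info

def region_consistent(info: dict) -> bool:
    """Cross-check ASan's stated distance against the faulting address and region bounds."""
    if info["side"] == "right":
        return info["addr"] - info["hi"] == info["dist"]
    return info["lo"] - info["addr"] == info["dist"]

def crash_signature(info: dict) -> str:
    """Dedup key from kind, access type and top frame's function/file:line (no addresses, no paths)."""
    func, loc = info["frames"][0]
    fname, line = loc.rsplit("/", 1)[-1].split(":")[:2]
    return f"{info['kind']}/{info['op']}/{func}/{fname}:{line}"
```

The signature deliberately omits addresses and build paths so that the same bug reported from different machines or ASLR layouts collapses to one key.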

PHP Version

nightly 

Operating System

22.04
