Description
The following code:
```php
<?php
// Fuzzer-style reproducer. $v_1294 is read by the first sha1() call before
// it is assigned on the following line (undefined-variable warning), and
// bool/string values are concatenated and passed as sha1()'s $binary
// argument. Kept as-is so the tracing JIT sees the same opcode sequence.
$v_1292 = 'abc';
$v_1307 = bin2hex($v_1292,);
$v_1302 = '\n';
$v_1300 = sha1($v_1302,$v_1294,);
$v_1294 = sha1($v_1307,$v_1300,);
$v_1298 = 'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq';
$v_1296 = '\n';
$v_1297 = $v_1298 . $v_1296;
$v_1311 = TRUE;
$v_1303 = $v_1307 . $v_1311;
$v_1309 = $v_1302 . $v_1296;
$i = 1;
$v_401 = 2;
$v_402 = $i % $v_401;
$v_403 = 0;
$v_404 = $v_402 == $v_403;
$v_1315 = $v_1292 . $v_404;
```
Resulted in this output:
```
=================================================================
==2058733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000057574 at pc 0x0000029bebfc bp 0x7fffaa023420 sp 0x7fffaa023418
WRITE of size 4 at 0x625000057574 thread T0
    #0 0x29bebfb in ir_iter_remove_insn /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2
    #1 0x29f58f0 in ir_iter_optimize_guard /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3494:6
    #2 0x29be9d8 in ir_iter_opt /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3684:4
    #3 0x29f84a7 in ir_sccp /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3708:2
    #4 0x318e7bc in zend_jit_ir_compile /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:2876:2
    #5 0x302a4b4 in zend_jit_finish /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_ir.c:16744:10
    #6 0x2e632a7 in zend_jit_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7318:12
    #7 0x2c23e39 in zend_jit_compile_root_trace /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:7533:14
    #8 0x2c16100 in zend_jit_trace_hot_root /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8227:10
    #9 0x2bdc0c3 in zend_jit_trace_counter_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:472:7
    #10 0x2bdb95a in zend_jit_func_trace_helper /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:508:2
    #11 0x5c7481b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115722:12
    #12 0x5c76dac in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121434:2
    #13 0x69fb049 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #14 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #15 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #16 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #17 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #18 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x147a48f3fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x607ae4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607ae4)

0x625000057574 is located 1308 bytes to the right of 8024-byte region [0x625000055100,0x625000057058)
freed by thread T0 here:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
    #1 0x583ef03 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x5849fbb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x57e2eb4 in zend_arena_destroy /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:158:3
    #4 0x57d396d in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1752:2
    #5 0x24f3980 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #6 0x24e2774 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #7 0x69fae30 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #8 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #9 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #10 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #11 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #12 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829ad in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829ad)
    #1 0x584b273 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x58499d9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x57d3a4e in zend_arena_create /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:142:36
    #4 0x57cdfde in zend_optimize_script /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_optimizer.c:1600:14
    #5 0x24f3980 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1582:2
    #6 0x24e2774 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2186:24
    #7 0x69fae30 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1970:28
    #8 0x51d5a0a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #9 0x51d6b48 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #10 0x6a0ff5a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #11 0x6a0a33f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #12 0x147a48f3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2 in ir_iter_remove_insn
Shadow bytes around the buggy address:
  0x0c4a80002e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80002ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c4a80002eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80002ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2058733==ABORTING
```
To reproduce:

```sh
USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" -d "display_errors = On" -d "display_startup_errors = On" -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" -d "opcache.jit_max_root_traces= 100000" -d "opcache.jit_max_side_traces= 100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" -d "opcache.protect_memory=1" script.php
```
PHP Version: nightly

Operating System: 22.04
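The following script is an added example for triaging reports like this one; it is not code from the issue or from the PHP project. It re-runs the reporter's command line against an ASan-instrumented `php` and reduces the sanitizer output to a stable signature (error kind, access type, crashing function, file:line, and whether the nearest region had already been freed), which is what you want when bucketing many fuzzer findings against the same JIT pass. The `PHP_BIN` variable and the `run_repro`/`asan_signature` function names are assumptions of this example; the sample report it self-tests against is constructed from the lines of the report above.

```sh
#!/bin/sh
# Added example, not code from the php-src issue or from the PHP project.
# Assumptions: PHP_BIN (hypothetical) points at an ASan-instrumented php-src
# build; script.php is the reproducer from the report.

PHP_BIN="${PHP_BIN:-php}"

# Same opcache/JIT knobs as the report, so the tracing JIT compiles the same
# root trace. php's stdout and stderr are merged onto stdout for the parser.
run_repro() {
    USE_ZEND_ALLOC=0 "$PHP_BIN" -d "memory_limit=-1" -d "zend.assertions=1" \
        -d "display_errors=On" -d "display_startup_errors=On" \
        -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" \
        -d "opcache.enable_cli=1" -d "opcache.jit=tracing" \
        -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" \
        -d "opcache.file_update_protection=0" \
        -d "opcache.max_accelerated_files=1000000" \
        -d "opcache.interned_strings_buffer=64" \
        -d "opcache.jit_prof_threshold=0.000000001" \
        -d "opcache.jit_max_root_traces=100000" \
        -d "opcache.jit_max_side_traces=100000" \
        -d "opcache.jit_max_exit_counters=100000" \
        -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" \
        -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" \
        -d "opcache.jit_blacklist_root_trace=255" \
        -d "opcache.jit_blacklist_side_trace=255" \
        -d "opcache.protect_memory=1" "$1" 2>&1
}

# Read an ASan report on stdin and print one line:
#   <kind>|<READ/WRITE>|<crashing function>|<file:line:col>|freed-region=<yes/no>
# Only the first "#0" frame after the ERROR line is used; the later "#0"
# frames belong to the free/alloc stacks. Exit status 1 if no ASan error.
asan_signature() {
    awk '
        /^==[0-9]+==ERROR: AddressSanitizer:/ { kind = $3; seen = 1; next }
        seen && /^[ \t]*(READ|WRITE) of size/ && access == "" { access = $1; next }
        seen && /^[ \t]*#0 / && frame == "" {
            frame = $4; loc = $5; sub(/^.*\//, "", loc); next
        }
        /^[ \t]*freed by thread/ { freed = "yes" }
        END {
            if (!seen) exit 1
            if (freed == "") freed = "no"
            print kind "|" access "|" frame "|" loc "|freed-region=" freed
        }
    '
}

# Constructed sample: the report from this issue, trimmed to the lines the
# signature depends on, so the parser can be exercised without an ASan build.
sample_report() {
    cat <<'EOF'
==2058733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000057574 at pc 0x0000029bebfc bp 0x7fffaa023420 sp 0x7fffaa023418
WRITE of size 4 at 0x625000057574 thread T0
    #0 0x29bebfb in ir_iter_remove_insn /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2
    #1 0x29f58f0 in ir_iter_optimize_guard /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:3494:6
0x625000057574 is located 1308 bytes to the right of 8024-byte region [0x625000055100,0x625000057058)
freed by thread T0 here:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
    #1 0x583ef03 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
previously allocated by thread T0 here:
    #0 0x6829ad in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829ad)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/opcache/jit/ir/ir_sccp.c:1166:2 in ir_iter_remove_insn
EOF
}

# Usage: sh triage.sh script.php  -> prints the signature, exit 1 if no ASan error
if [ "$#" -gt 0 ]; then
    run_repro "$1" | asan_signature
fi
```

Note that `freed-region=yes` is the detail worth keeping in the bucket key: ASan labels this as a heap-buffer-overflow only because the nearest chunk is the freed optimizer arena, so the write lands past a region that is no longer live, and reports with the same top frame but a live region are a different bug.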