Reloading document can cause UAF in iterator #16906

@YuanchengJiang

Description

The following code:

<?php
$doc = new DOMDocument;
$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
// Live NodeList: it refers to the tree $doc holds at this point.
$list = $doc->getElementsByTagName('strong');
// Reloading replaces (and frees) that tree, but $list still points into it.
$doc->load(__DIR__."/book.xml");
// Dumping $list reads its length from the freed tree (the heap-use-after-free below).
var_dump(get_defined_vars());

Resulted in this output:

==4032568==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000046dc at pc 0x000001149f0e bp 0x7fff176e4600 sp 0x7fff176e45f8
READ of size 1 at 0x6190000046dc thread T0
    #0 0x1149f0d in dom_get_elements_by_tag_name_ns_raw /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:1870:25
    #1 0x10d9637 in php_dom_get_nodelist_length /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/nodelist.c:108:3
    #2 0x10da350 in dom_nodelist_length_read /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/nodelist.c:124:2
    #3 0x1155b1b in dom_get_debug_info_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:513:7
    #4 0x1100abc in dom_get_debug_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:536:9
    #5 0x4bd318a in zend_std_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2387:10
    #6 0x4bd3ea1 in zend_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2436:9
    #7 0x32770ca in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:178:11
    #8 0x327931e in php_array_element_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:51:2
    #9 0x3275e46 in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:152:5
    #10 0x327b23a in zif_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:245:3
    #11 0x44b7c39 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1299:2
    #12 0x3faf4c7 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #13 0x3fb174c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #14 0x4d47d09 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #15 0x355d6aa in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2576:13
    #16 0x355e7e8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2616:9
    #17 0x4d5c01a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #18 0x4d564ff in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #19 0x7fd394a41d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7fd394a41e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #21 0x605a54 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605a54)

0x6190000046dc is located 92 bytes inside of 1048-byte region [0x619000004680,0x619000004a98)
freed by thread T0 here:
    #0 0x6806b2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6806b2)
    #1 0x7fd3952faa61 in xmlDictFree (/lib/x86_64-linux-gnu/libxml2.so.2+0x13ea61)

previously allocated by thread T0 here:
    #0 0x68091d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68091d)
    #1 0x7fd3952f6bde  (/lib/x86_64-linux-gnu/libxml2.so.2+0x13abde)

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:1870:25 in dom_get_elements_by_tag_name_ns_raw
Shadow bytes around the buggy address:
  0x0c327fff8880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff88d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c327fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4032568==ABORTING

PHP Version

nightly

Operating System

ubuntu 22.04
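The following is an added example, not code from the report or from php-src. It assumes the hazard the report demonstrates: a DOMNodeList returned by getElementsByTagName() refers to the tree the DOMDocument held when the list was created, and DOMDocument::load() replaces that tree. Until the engine fix lands, the defensive pattern is to keep no NodeList alive across a reload of the same DOMDocument, or to reload into a separate DOMDocument. The fixture file is constructed inline and stands in for the report's book.xml.

```php
<?php
// Added example (not from the bug report). Assumes the hazard the report shows:
// a DOMNodeList refers to the tree its DOMDocument held when the list was made,
// and DOMDocument::load() replaces that tree.

// Constructed fixture standing in for the report's book.xml.
$path = tempnam(sys_get_temp_dir(), 'dom-reload-example-');
file_put_contents($path, '<?xml version="1.0"?><book><strong id="a"/></book>');

$doc = new DOMDocument;
$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');

// Pattern 1: consume the list before the reload and keep no reference to it.
// After this line no variable holds a NodeList over the first tree.
$countBefore = $doc->getElementsByTagName('strong')->length;

if (!$doc->load($path)) {
    throw new RuntimeException("failed to load $path");
}

// Re-query after the reload: this list refers to the freshly loaded tree.
$countAfter = $doc->getElementsByTagName('strong')->length;

// Pattern 2: leave the original document (and any lists over it) untouched by
// loading the new file into a separate DOMDocument object.
$original = new DOMDocument;
$original->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
$list = $original->getElementsByTagName('strong'); // stays valid: $original is never reloaded

$reloaded = new DOMDocument;
if (!$reloaded->load($path)) {
    throw new RuntimeException("failed to load $path");
}

var_dump(
    $countBefore,
    $countAfter,
    $list->length,
    $reloaded->getElementsByTagName('strong')->length
);

unlink($path);
```

Pattern 2 is the one to prefer when the old tree must remain reachable; pattern 1 is enough when the list is only needed for a value computed before the reload. In either case, a code review check for "NodeList variable survives a load()/loadXML()/loadHTML() call on the same DOMDocument" catches the shape the report's reproducer has.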
