global buffer overflow in url.c

[chongwick]

Description

The following code:

<?php
$v_8910 = 'file:///datafoo:test';
$v_5729 = Uri\WhatWg\Url::parse($v_8910,);
$v_5732 = $v_5729->getAsciiHost();
$v_5731 = $v_5729->withHost($v_5732,);

Resulted in this output:

=================================================================
==1246000==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000813571f at pc 0x000001d899fb bp 0x7fffbfdf62f0 sp 0x7fffbfdf62e8
READ of size 1 at 0x00000813571f thread T0
    #0 0x1d899fa in lxb_url_parse_basic_h /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:2137:25
    #1 0x1d9a6b6 in lxb_url_host_set_h /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:4351:14
    #2 0x1d9ab52 in lxb_url_api_hostname_set /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:4315:12
    #3 0x47c5a72 in php_uri_parser_whatwg_host_write /home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:392:6
    #4 0x47ae77a in php_uri_property_write_helper /home/w023dtc/nightly_php/php-src/ext/uri/php_uri_common.c:86:6
    #5 0x47af746 in php_uri_property_write_str_or_null_helper /home/w023dtc/nightly_php/php-src/ext/uri/php_uri_common.c:123:2
    #6 0x4791261 in zim_Uri_Rfc3986_Uri_withHost /home/w023dtc/nightly_php/php-src/ext/uri/php_uri.c:618:2
    #7 0x5ef166b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2152:4
    #8 0x5c3068b in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
    #9 0x5c32c1c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
    #10 0x69c3b79 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
    #11 0x519095a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
    #12 0x5191a98 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
    #13 0x69d8a8a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #14 0x69d2e6f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #15 0x151e2b81ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x151e2b81ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x607b04 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b04)

0x00000813571f is located 1 bytes to the left of global variable '<string literal>' defined in '/home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:574:153' (0x8135720) of size 1
  '<string literal>' is ascii string ''
0x00000813571f is located 60 bytes to the right of global variable '<string literal>' defined in '/home/w023dtc/nightly_php/php-src/ext/uri/uri_parser_whatwg.c:574:146' (0x81356e0) of size 3
  '<string literal>' is ascii string ' ('
SUMMARY: AddressSanitizer: global-buffer-overflow /home/w023dtc/nightly_php/php-src/ext/lexbor/lexbor/url/url.c:2137:25 in lxb_url_parse_basic_h
Shadow bytes around the buggy address:
  0x00008101ea90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eaa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101ead0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
=>0x00008101eae0: f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x00008101eaf0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eb00: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008101eb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008101eb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1246000==ABORTING

But I expected this output instead:

PHP Version

nightly

Operating System

No response

[kocsismate]

I couldn't reproduce it locally, so I'm trying it in CI: #20670

lexbor/lexbor#319 was somewhat similar issue which have been fixed in the meanwhile, so maybe this bug is not present anymore.

[devnexen]

I can reproduce locally. here my configure if that helps.

CC=clang CXX=clang++ CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE -Wdiscarded-qualifiers" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv --with-tidy --with-openssl

[kocsismate]

I still can't seem to reproduce it on my Mac :( I have very similar config with even a bit more checks (+ undefined sanitizer and a few other custom PHP checks like -DZEND_TRACK_ARENA_ALLOC), but it still doesn't work for me. I even enabled zts + started to use clang instead of gcc, but I have the same result as the first time

[TimWolla]

Don't have ASAN on this machine, but valgrind doesn't show anything for me:

$ valgrind php-src/sapi/cli/php test.php
==309652== Memcheck, a memory error detector
==309652== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==309652== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==309652== Command: php-src/sapi/cli/php test.php
==309652== 

Fatal error: Uncaught Uri\WhatWg\InvalidUrlException: The specified host is malformed (DomainInvalidCodePoint) in test.php:5
Stack trace:
#0 test.php(5): Uri\WhatWg\Url->withHost('')
#1 {main}
  thrown in test.php on line 5
==309652== 
==309652== HEAP SUMMARY:
==309652==     in use at exit: 0 bytes in 0 blocks
==309652==   total heap usage: 20,068 allocs, 20,068 frees, 4,141,888 bytes allocated
==309652== 
==309652== All heap blocks were freed -- no leaks are possible
==309652== 
==309652== For lists of detected and suppressed errors, rerun with: -s
==309652== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

[TimWolla]

@devnexen If you can reproduce, are you able to trim down the example further? With cleaned up naming, the original code should be equivalent to:

<?php
$parsed = Uri\WhatWg\Url::parse('file:///datafoo:test');
$updated = $parsed->withHost($parsed->getAsciiHost());

With $parsed->getAsciiHost() returning '', so:

<?php
$parsed = Uri\WhatWg\Url::parse('file:///datafoo:test');
$updated = $parsed->withHost('');

Does the latter still reproduce for you?

[devnexen]

yes

sapi/cli/php b.php
=================================================================
==1078343==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fad0f55b5f at pc 0x55facb280f7a bp 0x7ffc79857ef0 sp 0x7ffc79857ee8
READ of size 1 at 0x55fad0f55b5f thread T0
    #0 0x55facb280f79 in lxb_url_parse_basic_h /home/dcarlier/Contribs/php-src/ext/lexbor/lexbor/url/url.c:2137:25
    #1 0x55facb28e1f1 in lxb_url_host_set_h /home/dcarlier/Contribs/php-src/ext/lexbor/lexbor/url/url.c:4351:14
    #2 0x55facb28e622 in lxb_url_api_hostname_set /home/dcarlier/Contribs/php-src/ext/lexbor/lexbor/url/url.c:4315:12
    #3 0x55facd67927e in php_uri_parser_whatwg_host_write /home/dcarlier/Contribs/php-src/ext/uri/uri_parser_whatwg.c:392:6
    #4 0x55facd665bfd in php_uri_property_write_helper /home/dcarlier/Contribs/php-src/ext/uri/php_uri_common.c:86:6
    #5 0x55facd6668e1 in php_uri_property_write_str_or_null_helper /home/dcarlier/Contribs/php-src/ext/uri/php_uri_common.c:123:2
    #6 0x55facd64ce01 in zim_Uri_Rfc3986_Uri_withHost /home/dcarlier/Contribs/php-src/ext/uri/php_uri.c:618:2
    #7 0x55facf09f188 in ZEND_DO_FCALL_SPEC_RETVAL_USED_TAILCALL_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:57936:4
    #8 0x55face82c56e in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:116212:12
    #9 0x55face82e5ee in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:121924:2
    #10 0x55facfa4f5af in zend_execute_script /home/dcarlier/Contribs/php-src/Zend/zend.c:1975:3
    #11 0x55facdf086c2 in php_execute_script_ex /home/dcarlier/Contribs/php-src/main/main.c:2645:13
    #12 0x55facdf095a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2685:9
    #13 0x55facfa60e7e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:951:5
    #14 0x55facfa5ce21 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1362:18
    #15 0x7e9335a2a574 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7e9335a2a627 in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x55fac9e07e54 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x3607e54) (BuildId: a01d0bb68a06b2c77e5fea759e66c2434a5ce718)

0x55fad0f55b5f is located 33 bytes before global variable '.str.4' defined in '/home/dcarlier/Contribs/php-src/ext/uri/uri_parser_whatwg.c:574' (0x55fad0f55b80) of size 2
  '.str.4' is ascii string ')'
0x55fad0f55b5f is located 1 bytes before global variable '.str.3' defined in '/home/dcarlier/Contribs/php-src/ext/uri/uri_parser_whatwg.c:574' (0x55fad0f55b60) of size 1
  '.str.3' is ascii string ''
0x55fad0f55b5f is located 28 bytes after global variable '.str.2' defined in '/home/dcarlier/Contribs/php-src/ext/uri/uri_parser_whatwg.c:574' (0x55fad0f55b40) of size 3
  '.str.2' is ascii string ' ('
SUMMARY: AddressSanitizer: global-buffer-overflow /home/dcarlier/Contribs/php-src/ext/lexbor/lexbor/url/url.c:2137:25 in lxb_url_parse_basic_h
Shadow bytes around the buggy address:
  0x55fad0f55880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55fad0f55900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55fad0f55980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55fad0f55a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55fad0f55a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x55fad0f55b00: 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9[f9]01 f9 f9 f9
  0x55fad0f55b80: 02 f9 f9 f9 07 f9 f9 f9 00 07 f9 f9 00 f9 f9 f9
  0x55fad0f55c00: 00 06 f9 f9 00 00 f9 f9 00 00 07 f9 f9 f9 f9 f9
  0x55fad0f55c80: 00 00 05 f9 f9 f9 f9 f9 00 06 f9 f9 00 00 01 f9
  0x55fad0f55d00: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 03 f9
  0x55fad0f55d80: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 05 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1078343==ABORTING