Reloading document can cause UAF in iterator #16906

Closed
YuanchengJiang opened this issue Nov 23, 2024 · 2 comments
Comments

@YuanchengJiang

Description

The following code:

```php
<?php
$doc = new DOMDocument;
$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
$list = $doc->getElementsByTagName('strong'); // live node list bound to the tree $doc currently holds
$doc->load(__DIR__."/book.xml");              // reloading $doc replaces that tree underneath $list
var_dump(get_defined_vars());                 // dumping $list reads its length from the replaced tree
```

Resulted in this output:

```text
==4032568==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000046dc at pc 0x000001149f0e bp 0x7fff176e4600 sp 0x7fff176e45f8
READ of size 1 at 0x6190000046dc thread T0
    #0 0x1149f0d in dom_get_elements_by_tag_name_ns_raw /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:1870:25
    #1 0x10d9637 in php_dom_get_nodelist_length /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/nodelist.c:108:3
    #2 0x10da350 in dom_nodelist_length_read /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/nodelist.c:124:2
    #3 0x1155b1b in dom_get_debug_info_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:513:7
    #4 0x1100abc in dom_get_debug_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:536:9
    #5 0x4bd318a in zend_std_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2387:10
    #6 0x4bd3ea1 in zend_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2436:9
    #7 0x32770ca in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:178:11
    #8 0x327931e in php_array_element_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:51:2
    #9 0x3275e46 in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:152:5
    #10 0x327b23a in zif_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:245:3
    #11 0x44b7c39 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1299:2
    #12 0x3faf4c7 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #13 0x3fb174c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #14 0x4d47d09 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #15 0x355d6aa in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2576:13
    #16 0x355e7e8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2616:9
    #17 0x4d5c01a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #18 0x4d564ff in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #19 0x7fd394a41d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7fd394a41e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #21 0x605a54 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605a54)

0x6190000046dc is located 92 bytes inside of 1048-byte region [0x619000004680,0x619000004a98)
freed by thread T0 here:
    #0 0x6806b2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6806b2)
    #1 0x7fd3952faa61 in xmlDictFree (/lib/x86_64-linux-gnu/libxml2.so.2+0x13ea61)

previously allocated by thread T0 here:
    #0 0x68091d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68091d)
    #1 0x7fd3952f6bde  (/lib/x86_64-linux-gnu/libxml2.so.2+0x13abde)

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:1870:25 in dom_get_elements_by_tag_name_ns_raw
Shadow bytes around the buggy address:
  0x0c327fff8880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff88d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c327fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff88f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4032568==ABORTING
```

PHP Version

nightly

Operating System

ubuntu 22.04
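The trace above shows the hazard from the application side: `$list` is a live `DOMNodeList` bound to the tree `$doc` held when it was created, `$doc->load()` swaps that tree out (the freed region was released by `xmlDictFree`), and the later `length` read via `var_dump` reaches into the old tree. Independently of the engine fix, application code can avoid ever holding a node list across a reload of the same `DOMDocument`. The following is an added example, not code from the issue or from php-src; the `XmlSnapshot` class and its inputs are constructed for illustration. It loads replacement content into a fresh `DOMDocument` object rather than calling `load()`/`loadXML()` on the existing one, and drops its own cached lists on replacement so a stale list is never served:

```php
<?php
// Added example (not from the issue or php-src). Pattern: never reload the
// DOMDocument that existing DOMNodeList objects were created from; swap in a
// new document object and re-query. A list handed out earlier keeps the
// previous DOMDocument alive through its own reference, so it stays usable.
declare(strict_types=1);

final class XmlSnapshot
{
    private DOMDocument $doc;

    /** @var array<string, DOMNodeList> cached lists, valid only for the current $doc */
    private array $lists = [];

    public function __construct(string $xml)
    {
        $this->doc = self::parse($xml);
    }

    /** Parse into a brand-new DOMDocument; throw instead of leaving a half-loaded object. */
    private static function parse(string $xml): DOMDocument
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);
        $ok = $doc->loadXML($xml);
        $errors = libxml_get_errors();
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if (!$ok) {
            $msg = $errors ? trim($errors[0]->message) : 'unknown parse error';
            throw new RuntimeException("XML parse failed: $msg");
        }
        return $doc;
    }

    /** Replace content by swapping the document object, never via $this->doc->load(). */
    public function replace(string $xml): void
    {
        $fresh = self::parse($xml);   // parse first: on failure the current document is untouched
        $this->doc = $fresh;
        $this->lists = [];            // cached lists belong to the previous tree; forget them
    }

    /** Live list for $tag, cached per document; the cache is cleared in replace(). */
    public function elements(string $tag): DOMNodeList
    {
        return $this->lists[$tag] ??= $this->doc->getElementsByTagName($tag);
    }

    public function count(string $tag): int
    {
        return $this->elements($tag)->length;
    }
}

// Constructed inputs for the demonstration (the first mirrors the issue's document).
$v1 = '<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>';
$v2 = '<?xml version="1.0"?><span><strong id="a"/><strong id="b"/><strong id="c"/></span>';

$snap = new XmlSnapshot($v1);
$old  = $snap->elements('strong');                 // a caller keeps a list around ...
echo "before: ", $snap->count('strong'), "\n";

$snap->replace($v2);                               // ... and the content is replaced
echo "after:  ", $snap->count('strong'), "\n";     // fresh list from the new document
echo "old:    ", $old->length, "\n";               // old list still reads the old document,
                                                   // which $old keeps alive by referencing it

try {
    $snap->replace('<broken');                     // malformed replacement is rejected ...
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
    echo "intact: ", $snap->count('strong'), "\n"; // ... and the current document is unchanged
}
```

The same applies when the replacement comes from a file as in the report: call `load($path)` on the new `DOMDocument` inside `parse()` instead of `loadXML()`. Materialising a list with `iterator_to_array()` is not a substitute, because the `DOMElement` objects it yields are still wrappers over the same tree.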

@YuanchengJiang
Author

@nielsdos
Member

Reproduces in 8.3 and higher.

@nielsdos nielsdos self-assigned this Nov 23, 2024
@nielsdos nielsdos changed the title UAF at ext/dom/php_dom.c:1870:25 in dom_get_elements_by_tag_name_ns_raw Reloading document can cause UAF in iterator Nov 23, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Nov 23, 2024
@nielsdos nielsdos linked a pull request Nov 23, 2024 that will close this issue
nielsdos added a commit that referenced this issue Nov 24, 2024
* PHP-8.3:
  Fix GH-16906: Reloading document can cause UAF in iterator
nielsdos added a commit that referenced this issue Nov 24, 2024
* PHP-8.4:
  Fix GH-16906: Reloading document can cause UAF in iterator
charmitro pushed a commit to wasix-org/php that referenced this issue Mar 13, 2025
2 participants