Heap-use-after-free in zend_array_count at Zend/zend_hash.c

[amrmp]

Description

The following code:

<?php
class Foo {
    public function __destruct() {
        $a[0] =&$a;
        $a =   $this->$$a =   $this->#destruct() {
            $a = unserialize(serialize($GLOBALS));
        }
    }

$c = new Foo();
for($cnt=0;$cnt<6;$cnt++) {
    $a = unserialize(serialize($GLOBALS));
    $a.= unserialize(serialize($GLOBALS));
    $a = unserialize(serialize($GLOBALS));
}

Resulted in this output:

SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_hash.c:478:6 in zend_array_count
Shadow bytes around the buggy address:
  0x0c0c7fffe490: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fffe4a0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fffe4b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fffe4c0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffe4d0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fffe4e0: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fffe4f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffe500: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fffe510: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fffe520: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fffe530: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3046755==ABORTING

Commit:

9cd367362da5442861f30d3b41e967d641b90cbd

Build configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

Thanks a lot for finding this bug with the help of @vi3tL0u1s

PHP Version

PHP 8.6.0-dev (cli) (built: Nov 14 2025 10:37:56) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[devnexen]

ext/standard/var.c:985:3: runtime error: member access within misaligned address 0x000000000044 for type 'Bucket' (aka 'struct _Bucket'), which requires 8 byte alignment
0x000000000044: note: pointer points here
<memory cannot be printed>
    #0 0x61a9ab581349 in php_var_serialize_nested_data /home/dcarlier/Contribs/php-src/ext/standard/var.c:985:3
    #1 0x61a9ab56fbd3 in php_var_serialize_intern /home/dcarlier/Contribs/php-src/ext/standard/var.c:1302:4
    #2 0x61a9ab581b4c in php_var_serialize_nested_data /home/dcarlier/Contribs/php-src/ext/standard/var.c:1008:6
    #3 0x61a9ab56fbd3 in php_var_serialize_intern /home/dcarlier/Contribs/php-src/ext/standard/var.c:1302:4
    #4 0x61a9ab581b4c in php_var_serialize_nested_data /home/dcarlier/Contribs/php-src/ext/standard/var.c:1008:6
    #5 0x61a9ab56fbd3 in php_var_serialize_intern /home/dcarlier/Contribs/php-src/ext/standard/var.c:1302:4
    #6 0x61a9ab569859 in php_var_serialize /home/dcarlier/Contribs/php-src/ext/standard/var.c:1318:2
    #7 0x61a9ab57263e in zif_serialize /home/dcarlier/Contribs/php-src/ext/standard/var.c:1364:2
    #8 0x61a9ad2a0421 in ZEND_DO_ICALL_SPEC_RETVAL_USED_TAILCALL_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:57205:2
    #9 0x61a9ac830a5e in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:116212:12
    #10 0x61a9ac7d0217 in zend_call_function /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:1014:3
    #11 0x61a9ac7d579a in zend_call_known_function /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:1108:23
    #12 0x61a9ad92cd32 in zend_call_known_instance_method /home/dcarlier/Contribs/php-src/Zend/zend_API.h:860:2
    #13 0x61a9ad9265cb in zend_call_known_instance_method_with_0_params /home/dcarlier/Contribs/php-src/Zend/zend_API.h:866:2
    #14 0x61a9ad924fb6 in zend_objects_destroy_object /home/dcarlier/Contribs/php-src/Zend/zend_objects.c:172:3
    #15 0x61a9ad91e283 in zend_objects_store_del /home/dcarlier/Contribs/php-src/Zend/zend_objects_API.c:181:4
    #16 0x61a9ada09b44 in rc_dtor_func /home/dcarlier/Contribs/php-src/Zend/zend_variables.c:57:2
    #17 0x61a9ad5ea28e in i_zval_ptr_dtor /home/dcarlier/Contribs/php-src/Zend/zend_variables.h:45:4
    #18 0x61a9ad5e9408 in zend_array_destroy /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:1852:6
    #19 0x61a9ada09b44 in rc_dtor_func /home/dcarlier/Contribs/php-src/Zend/zend_variables.c:57:2
    #20 0x61a9ad5ea28e in i_zval_ptr_dtor /home/dcarlier/Contribs/php-src/Zend/zend_variables.h:45:4
    #21 0x61a9ad5e9408 in zend_array_destroy /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:1852:6
    #22 0x61a9ad9213a8 in zend_object_dtor_dynamic_properties /home/dcarlier/Contribs/php-src/Zend/zend_objects.c:57:5
    #23 0x61a9ad92222e in zend_object_std_dtor /home/dcarlier/Contribs/php-src/Zend/zend_objects.c:89:2
    #24 0x61a9ad91efd3 in zend_objects_store_del /home/dcarlier/Contribs/php-src/Zend/zend_objects_API.c:196:4
    #25 0x61a9ada09b44 in rc_dtor_func /home/dcarlier/Contribs/php-src/Zend/zend_variables.c:57:2
    #26 0x61a9ad5ea28e in i_zval_ptr_dtor /home/dcarlier/Contribs/php-src/Zend/zend_variables.h:45:4
    #27 0x61a9ad5e9408 in zend_array_destroy /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:1852:6
    #28 0x61a9ada09b44 in rc_dtor_func /home/dcarlier/Contribs/php-src/Zend/zend_variables.c:57:2
    #29 0x61a9ad993c3e in i_zval_ptr_dtor /home/dcarlier/Contribs/php-src/Zend/zend_variables.h:45:4
    #30 0x61a9ad992ef8 in concat_function /home/dcarlier/Contribs/php-src/Zend/zend_operators.c:2129:5
    #31 0x61a9ad496b66 in zend_binary_op /home/dcarlier/Contribs/php-src/Zend/zend_execute.c:1636:9
    #32 0x61a9acffc960 in ZEND_ASSIGN_OP_SPEC_CV_TMPVAR_TAILCALL_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:103346:3
    #33 0x61a9ac830a5e in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:116212:12
    #34 0x61a9ac832ade in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:121924:2
    #35 0x61a9ada57b9f in zend_execute_script /home/dcarlier/Contribs/php-src/Zend/zend.c:1975:3
    #36 0x61a9abf0c9c2 in php_execute_script_ex /home/dcarlier/Contribs/php-src/main/main.c:2645:13
    #37 0x61a9abf0d8a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2685:9
    #38 0x61a9ada6946e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:951:5
    #39 0x61a9ada65411 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1362:18
    #40 0x7ab1cf22a574 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #41 0x7ab1cf22a627 in __libc_start_main csu/../csu/libc-start.c:360:3
    #42 0x61a9a7e07e54 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x3607e54) (BuildId: f1b59c01a32f8b0be968656ea746c1897da84e38)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/dcarlier/Contribs/php-src/ext/standard/var.c:985:3 

[devnexen]

cc @ndossche. do not know if the hashtable is going to be destroyed, throwing a straight exception would be the appropriate approach (not necessarily in php_var_serialize_nested_data itself though) .. flags zend assert ?

[ndossche]

Reduced to:

<?php
class Foo {
    public function __destruct() {
        global $a;
        serialize($a);
    }
}

$a = [str_repeat('index.php', random_int(1,1)), 'c' => new Foo];
$a .= 'x';

[ndossche]

This would work, but doesn't resolve a remaining leak:

diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 2550fcbeb1c..ac04c5e942c 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -2125,11 +2125,16 @@ has_op2_string:;
 		if (result == op1) {
 			/* Destroy the old result first to drop the refcount, such that $x .= ...; may happen in-place. */
 			if (free_op1_string) {
-				/* op1_string will be used as the result, so we should not free it */
-				i_zval_ptr_dtor(result);
-				/* Set it to NULL in case that the extension will throw an out-of-memory error.
+				/* op1_string will be used as the result, so we should not free it.
+				 * Set it to NULL in case that the extension will throw an out-of-memory error.
 				 * Otherwise the shutdown sequence will try to free this again. */
-				ZVAL_NULL(result);
+				if (Z_REFCOUNTED_P(result)) {
+					zend_refcounted *rc = Z_COUNTED_P(result);
+					ZVAL_NULL(result);
+					GC_DTOR_NO_REF(rc);
+				} else {
+					ZVAL_NULL(result);
+				}
 				free_op1_string = false;
 			}
 			/* special case, perform operations on result */

This is related to #20001