Fix GH-10709: UAF in recursive AST evaluation

iluuu1994 · iluuu1994 · commit 7202fe16b7fc · 2023-03-06T14:55:34.000+01:00
Fixes https://oss-fuzz.com/testcase-detail/6445949468934144 Closes GH-10718
diff --git a/NEWS b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Core:
   . Added optional support for max_execution_time in ZTS/Linux builds
     (Kévin Dunglas)
+  . Fixed use-after-free in recursive AST evaluation. (ilutov)
 
 - FTP:
   . Propagate success status of ftp_close(). (nielsdos)
diff --git a/Zend/tests/gh10709.phpt b/Zend/tests/gh10709.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-10709: Recursive class constant evaluation
+--FILE--
+<?php
+
+class B { const C = A::C . "B"; }
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(B::C);
+});
+
+try {
+    new B();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+string(2) "AB"
diff --git a/Zend/tests/gh10709_2.phpt b/Zend/tests/gh10709_2.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-10709: Recursive class constant evaluation
+--FILE--
+<?php
+
+class B {
+    public $prop = A::C;
+}
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(new B());
+});
+
+try {
+    var_dump(new B());
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+object(B)#2 (1) {
+  ["prop"]=>
+  string(1) "A"
+}
+object(B)#2 (1) {
+  ["prop"]=>
+  string(1) "A"
+}
diff --git a/Zend/tests/gh10709_3.phpt b/Zend/tests/gh10709_3.phpt
@@ -0,0 +1,42 @@
+--TEST--
+GH-10709: Recursive class constant evaluation with outer call failing
+--FILE--
+<?php
+
+class S {
+    public function __toString() {
+        static $i = 0;
+        $i++;
+        if ($i === 1) {
+            return 'S';
+        } else {
+            throw new \Exception('Thrown from S');
+        }
+    }
+}
+
+const S = new S();
+
+class B {
+    public $prop = A::C . S;
+}
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(new B());
+});
+
+var_dump(new B());
+
+?>
+--EXPECTF--
+object(B)#3 (1) {
+  ["prop"]=>
+  string(2) "AS"
+}
+
+Fatal error: Uncaught Exception: Thrown from S in %s:%d
+Stack trace:
+#0 %s(%d): S->__toString()
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
@@ -685,7 +685,19 @@ ZEND_API zend_result ZEND_FASTCALL zval_update_constant_ex(zval *p, zend_class_e
 		} else {
 			zval tmp;
 
-			if (UNEXPECTED(zend_ast_evaluate(&tmp, ast, scope) != SUCCESS)) {
+			// Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
+			// on nested calls to zval_update_constant_ex which can happen when retriggering ast
+			// evaluation during autoloading.
+			zend_ast_ref *ast_ref = Z_AST_P(p);
+			bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
+			if (ast_is_refcounted) {
+				GC_ADDREF(ast_ref);
+			}
+			zend_result result = zend_ast_evaluate(&tmp, ast, scope);
+			if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+				rc_dtor_func((zend_refcounted *)ast_ref);
+			}
+			if (UNEXPECTED(result != SUCCESS)) {
 				return FAILURE;
 			}
 			zval_ptr_dtor_nogc(p);
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -3069,7 +3069,19 @@ static zend_result ZEND_FASTCALL zval_jit_update_constant_ex(zval *p, zend_class
 		} else {
 			zval tmp;
 
-			if (UNEXPECTED(zend_ast_evaluate(&tmp, ast, scope) != SUCCESS)) {
+			// Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
+			// on nested calls to zval_update_constant_ex which can happen when retriggering ast
+			// evaluation during autoloading.
+			zend_ast_ref *ast_ref = Z_AST_P(p);
+			bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
+			if (ast_is_refcounted) {
+				GC_ADDREF(ast_ref);
+			}
+			zend_result result = zend_ast_evaluate(&tmp, ast, scope);
+			if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+				rc_dtor_func((zend_refcounted *)ast_ref);
+			}
+			if (UNEXPECTED(result != SUCCESS)) {
 				return FAILURE;
 			}
 			zval_ptr_dtor_nogc(p);
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
@@ -248,6 +248,7 @@ static void zend_persist_zval(zval *z)
 				zend_persist_ast(GC_AST(old_ref));
 				Z_TYPE_FLAGS_P(z) = 0;
 				GC_SET_REFCOUNT(Z_COUNTED_P(z), 1);
+				GC_ADD_FLAGS(Z_COUNTED_P(z), GC_IMMUTABLE);
 				efree(old_ref);
 			}
 			break;

Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,7 @@ static void zend_persist_zval(zval *z)`
`248`	`248`	`zend_persist_ast(GC_AST(old_ref));`
`249`	`249`	`Z_TYPE_FLAGS_P(z) = 0;`
`250`	`250`	`GC_SET_REFCOUNT(Z_COUNTED_P(z), 1);`
	`251`	`+ GC_ADD_FLAGS(Z_COUNTED_P(z), GC_IMMUTABLE);`
`251`	`252`	`efree(old_ref);`
`252`	`253`	`}`
`253`	`254`	`break;`