SEGV Zend/zend_API.h:2316 dl

[YuanchengJiang]

Description

The following code:

<?php
$loaded = dl('dl_test.so');
var_dump(dl_test_test2("World!"));

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11

To reproduce:

-d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_test.observer.enabled=1" -d "zend_test.observer.observe_functions=1"

PHP Version

nightly

Operating System

No response

[cmb69]

This either has the same root cause as #16811 or #9196, I think.

[arnaud-lb]

What is happening is that after ZEND_SEND_VAL_EX "World!", the arg is overridden here:

php-src/Zend/zend_observer.c

Line 270 in 4b1c3cf

*prev_observed_frame(execute_data) = EG(current_observed_frame);

prev_observed_frame() miscomputes the address of the frame because the function doesn't have a temporary to store the previous frame. Normally, we add the temporary in zend_observer_post_startup(), but this is not executed for dl'ed functions:

php-src/Zend/zend_observer.c

Lines 86 to 96 in 4b1c3cf

	// Add an observer temporary to store previous observed frames
	zend_internal_function *zif;
	ZEND_HASH_FOREACH_PTR(CG(function_table), zif) {
	++zif->T;
	} ZEND_HASH_FOREACH_END();
	zend_class_entry *ce;
	ZEND_HASH_MAP_FOREACH_PTR(CG(class_table), ce) {
	ZEND_HASH_MAP_FOREACH_PTR(&ce->function_table, zif) {
	++zif->T;
	} ZEND_HASH_FOREACH_END();
	} ZEND_HASH_FOREACH_END();

[arnaud-lb]

Thank you @YuanchengJiang!