Description
The following code:
```php
<?php
try {
    function dump($dom, $name) {
        $list = $dom->getElementsByTagName($name)[0]->getInScopeNamespaces();
        foreach ($list as $entry) {
            $dom = Dom\XMLDocument::createFromString(<<<XML
<root xmlns="urn:a">
<child xmlns="">
<c:child xmlns:c="urn:c"/>
</child>
<b:sibling xmlns:b="urn:b" xmlns:d="urn:d" d:foo="bar">
</b:sibling>
</root>
XML);
            dump($dom, 'c:child');
            dump($dom, 'child');
            echo "---\n";
        }
    }
    $dom = Dom\XMLDocument::createFromString(<<<XML
<root xmlns="urn:a">
<child xmlns="">
<c:child xmlns:c="urn:c"/>
</child>
<b:sibling xmlns:b="urn:b" xmlns:d="urn:d" d:foo="bar">
<d:child xmlns:d="urn:d2"/>
</b:sibling>
</root>
XML);
    dump($dom, 'c:child');
    dump($dom, 'child');
} catch (\Throwable $_ffl_e) {}
```
Resulted in this output:
```
=================================================================
==2896043==ERROR: AddressSanitizer: attempting double-free on 0x6020013ce690 in thread T0:
    #0 0x680542 in free (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x680542)
    #1 0x7ff0877986bd in xmlFreeDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x646bd)
    #2 0x8daea9 in php_libxml_decrement_doc_ref_directly /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/ext/libxml/libxml.c:1395:4
    #3 0x8db5b7 in php_libxml_decrement_doc_ref /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/ext/libxml/libxml.c:1415:18
    #4 0x10efe16 in dom_objects_free_storage /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/ext/dom/php_dom.c:1499:4
    #5 0x6540ab2 in zend_objects_store_free_object_storage /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_objects_API.c:118:6
    #6 0x593478b in zend_shutdown_executor_values /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_execute_API.c:431:2
    #7 0x5935ebe in shutdown_executor /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_execute_API.c:452:2
    #8 0x669eebb in zend_deactivate /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend.c:1355:2
    #9 0x4ef9e5c in php_request_shutdown /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/main/main.c:2035:2
    #10 0x66ca766 in do_cli /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php_cli.c:1166:3
    #11 0x66bf82f in main /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php_cli.c:1370:18
    #12 0x7ff086e7cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7ff086e7ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x6058e4 in _start (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x6058e4)

0x6020013ce690 is located 0 bytes inside of 6-byte region [0x6020013ce690,0x6020013ce696)
freed by thread T0 here:
    #0 0x680542 in free (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x680542)
    #1 0x7ff0877981b7 in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x641b7)

previously allocated by thread T0 here:
    #0 0x6807ad in malloc (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x6807ad)
    #1 0x7ff087817892 in xmlStrdup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe3892)

SUMMARY: AddressSanitizer: double-free (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x680542) in free
==2896043==ABORTING
```
To reproduce:
```
/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php ./test.php
```
Commit:
fd8eaaf153f958c66068e3bc71b950ee33cb56e8
Configurations:
```
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
```
Operating System:
Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest
This bug was found by fusion-fuzz
PHP Version
Operating System
No response