First reported by @iluuu1994 in #15961 (comment).
The following code:

```php
class C {
    public mixed $prop1;
    public ?string $prop2;
    public function __toString() {
        unset($this->prop1);
        unset($this->prop2);
        return 'bar';
    }
}
function test() {
    $c = new C();
    $c->prop1 = 'foo';
    $c->prop1 = &$c->prop2;
    $c->prop1 = $c;
    var_dump($c);
}
test();
```

Results in a use-after-free:
```text
==2046482==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ba84ae17f28 at pc 0x000001ec6c7a bp 0x7ffc1e84ef70 sp 0x7ffc1e84ef68
READ of size 8 at 0x7ba84ae17f28 thread T0
    #0 0x000001ec6c79 in zend_verify_ref_assignable_zval Zend/zend_execute.c:3972
    #1 0x000001ec7c85 in zend_assign_to_typed_ref_ex Zend/zend_execute.c:4048
    #2 0x00000235f3a6 in zend_assign_to_variable_ex Zend/zend_execute.h:198
    #3 0x00000236c5cb in zend_std_write_property Zend/zend_object_handlers.c:1108
    #4 0x000002126976 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER Zend/zend_vm_execute.h:44861
    #5 0x0000021c4a2c in execute_ex Zend/zend_vm_execute.h:120524
    #6 0x0000021c9900 in zend_execute Zend/zend_vm_execute.h:121476
    #7 0x00000243e999 in zend_execute_script Zend/zend.c:1977
    #8 0x00000199551f in php_execute_script_ex main/main.c:2640
    #9 0x000001995a49 in php_execute_script main/main.c:2680
    #10 0x00000244707e in do_cli sapi/cli/php_cli.c:951
    #11 0x00000244a9b4 in main sapi/cli/php_cli.c:1362
    #12 0x7f684c011574 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7f684c011627 in __libc_start_main_impl ../csu/libc-start.c:360
    #14 0x000000402eb4 in _start (sapi/cli/php+0x402eb4) (BuildId: b4e601b8ae67ff842acabff31f3d1f47e0a6dd3b)
```
There are multiple issues:
First, variable_ptr may be freed or turned into a non-reference by coercion side effects during the zend_verify_ref_assignable_zval() call here (Zend/zend_execute.c, line 4048 at 292e0c2):

```c
ret = zend_verify_ref_assignable_zval(Z_REF_P(variable_ptr), &value, strict);
```

Second, those side effects may modify the reference type list while it is still being iterated by zend_verify_ref_assignable_zval(), which results in UAFs or invalid typing (some types may be skipped).
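As an added illustration (a constructed model, not php-src code and not the fix the project shipped), the defensive pattern for the two problems above: pin the reference cell before any step that can run user code, iterate only the pinned copy, and re-validate the slot before writing through it. All names here (ref_t, slot_t, assign_typed_ref, unsetting_coerce) are invented for the model.

```c
#include <stdlib.h>
#include <stdint.h>

/* Constructed model of the bug class, not php-src code: a refcounted reference
 * cell carrying a type list, and an assignment whose coercion step can run
 * user code (the __toString() in the report) that unsets the property mid-check. */
enum { T_STRING = 1, T_OBJECT = 2 };

typedef struct ref_t { uint32_t refcount; int ntypes; int types[4]; } ref_t;
typedef struct slot_t { ref_t *ref; } slot_t;              /* property slot */
typedef int (*coerce_fn)(slot_t *slot, int from, int to);  /* user-code hook */

static int g_frees;   /* counts cell releases so a test can observe lifetime */

static ref_t *ref_new(int ntypes, const int *types) {
    ref_t *r = calloc(1, sizeof *r);
    r->refcount = 1; r->ntypes = ntypes;
    for (int i = 0; i < ntypes; i++) r->types[i] = types[i];
    return r;
}
static void ref_release(ref_t *r) { if (--r->refcount == 0) { g_frees++; free(r); } }

/* Hook standing in for __toString(): drops the slot's reference while the
 * type check is still iterating r->types (the situation in the report). */
static int unsetting_coerce(slot_t *slot, int from, int to) {
    (void)from;
    if (slot->ref) { ref_release(slot->ref); slot->ref = NULL; }
    return to == T_STRING;  /* object coerced to string succeeded */
}

/* Hardened assignment. Returns 1 on success, 0 on type error, -1 when the
 * slot stopped being a reference during the check (caller must not write). */
static int assign_typed_ref(slot_t *slot, int value_type, coerce_fn coerce) {
    ref_t *r = slot->ref;
    r->refcount++;                          /* keep r alive across user code */
    int ok = 0;
    for (int i = 0; i < r->ntypes && !ok; i++) {
        if (r->types[i] == value_type) ok = 1;
        else if (value_type == T_OBJECT && r->types[i] == T_STRING)
            ok = coerce(slot, value_type, r->types[i]);  /* may run user code */
    }
    int still_ref = (slot->ref == r);       /* re-check after side effects */
    ref_release(r);                         /* unpin; frees if the slot dropped it */
    if (!ok) return 0;
    return still_ref ? 1 : -1;
}
```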
PHP Version: PHP 8.3

Operating System: No response