Fix use-after-free in FE_FREE with GC interaction

cataphract · cataphract · commit 8f9bd3b3b873 · 2025-12-23T11:37:55.000Z
When FE_FREE with ZEND_FREE_ON_RETURN frees the loop variable during
an early return from a foreach loop, the live range for the loop
variable was incorrectly extending past the FE_FREE to the normal
loop end. This caused GC to access the already-freed loop variable
when it ran after the RETURN opcode, resulting in use-after-free.

Fix by splitting the ZEND_LIVE_LOOP range when an FE_FREE with
ZEND_FREE_ON_RETURN is encountered:
- One range covers the early return path up to the FE_FREE
- A separate range covers the normal loop end FE_FREE
- Multiple early returns create multiple separate ranges
diff --git a/Zend/tests/gc_048.phpt b/Zend/tests/gc_048.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GC 048: FE_FREE should mark variable as UNDEF to prevent use-after-free during GC
+--FILE--
+<?php
+// FE_FREE frees the iterator but doesn't set zval to UNDEF
+// When GC runs during RETURN, zend_gc_remove_root_tmpvars() may access freed memory
+
+function test_foreach_early_return(string $s): object {
+    foreach ((array) $s as $v) {
+        $obj = new stdClass;
+        // in the early return, the VAR for the cast result is still live
+        return $obj; // the return may trigger GC
+    }
+}
+
+for ($i = 0; $i < 100000; $i++) {
+    // create cyclic garbage to fill GC buffer
+    $a = new stdClass;
+    $b = new stdClass;
+    $a->ref = $b;
+    $b->ref = $a;
+
+    $result = test_foreach_early_return("x");
+}
+
+echo "OK\n";
+?>
+--EXPECT--
+OK
diff --git a/Zend/tests/gc_049.phpt b/Zend/tests/gc_049.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GC 049: Multiple early returns from foreach should create separate live ranges
+--FILE--
+<?php
+
+function f(int $n): object {
+    foreach ((array) $n as $v) {
+        if ($n === 1) {
+            $a = new stdClass;
+            return $a;
+        }
+        if ($n === 2) {
+            $b = new stdClass;
+            return $b;
+        }
+        if ($n === 3) {
+            $c = new stdClass;
+            return $c;
+        }
+    }
+    return new stdClass;
+}
+
+for ($i = 0; $i < 100000; $i++) {
+    // Create cyclic garbage to trigger GC
+    $a = new stdClass;
+    $b = new stdClass;
+    $a->r = $b;
+    $b->r = $a;
+
+    $r = f($i % 3 + 1);
+}
+echo "OK\n";
+?>
+--EXPECT--
+OK
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
@@ -963,6 +963,26 @@ static void zend_calc_live_ranges(
 					/* OP_DATA is really part of the previous opcode. */
 					last_use[var_num] = opnum - (opline->opcode == ZEND_OP_DATA);
 				}
+			} else if (opline->opcode == ZEND_FE_FREE
+					&& opline->extended_value == ZEND_FREE_ON_RETURN
+					&& opnum + 1 < op_array->last
+					&& ((opline + 1)->opcode == ZEND_RETURN
+						|| (opline + 1)->opcode == ZEND_RETURN_BY_REF
+						|| (opline + 1)->opcode == ZEND_GENERATOR_RETURN)) {
+				/* FE_FREE with ZEND_FREE_ON_RETURN immediately followed by RETURN frees
+				 * the loop variable on early return. We need to split the live range
+				 * so GC doesn't access the freed variable after this FE_FREE.
+				 *
+				 * Emit a range for the segment after RETURN (the loop continuation),
+				 * then update last_use so the main range ends at this FE_FREE. */
+				uint32_t next_fe_free = last_use[var_num];
+				/* Emit range for loop continuation: [RETURN+1, next_FE_FREE) */
+				if (opnum + 2 < next_fe_free) {
+					emit_live_range_raw(op_array, var_num, ZEND_LIVE_LOOP,
+						opnum + 2, next_fe_free);
+				}
+				/* Update last_use so the main range ends at this FE_FREE */
+				last_use[var_num] = opnum;
 			}
 		}
 		if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
