Zend: Fix GH-22257 type confusion in Exception::getTraceAsString().

[devnexen]

A crafted, deliberately truncated unserialize() payload can leave Exception::$trace holding a non-array value, since the typed-property check is skipped on the parse failure path. getTraceAsString() then reinterpreted the object as a HashTable, causing an out-of-bounds read. Guard against a non-array trace and return an empty string instead.

Fix #22257

[ndossche]

Shouldn't this throw instead? I don't think it makes sense trying to support/continue operating on maliciously-crafted code.

[devnexen]

yes, you re not wrong.

[012git012]

Hello @ndossche @devnexen
Could you please update the credits section here? (https://github.com/php/php-src/pull/22263/changes)
Instead of this account (012git012) please note the researcher:
Igor Sak-Sakovskiy (Positive Technologies)

Thank you in advance!

[ndossche]

Actually, $trace is defined with type array, so it should not be possible to break that constraint. This should be blocked instead of adding a check in getTraceAsString

[devnexen]

To clarify, if I reset to the
property default ([]) rather than undef, the slot stays a valid array and the getTraceAsString check becomes unnecessary. wdyt ?

[ndossche]

To clarify, if I reset to the property default ([]) rather than undef, the slot stays a valid array and the getTraceAsString check becomes unnecessary. wdyt ?

Yeah it should not be allowed to violate the property type so that seems better.

[ndossche]

I assume evil destructors can cause issues here, so a temporary copy may be necessary (i.e. the zval garbage; trick)
I wonder though if "restoring after violation" is the right approach, but that may be a much bigger change

[devnexen]

Went with var_push_dtor_value rather than the inline zval garbage, it moves the old value into the deferred-dtor list. So nothing is destroyed during the unwind or the delayed calls wdyt ?