
Fix possible double-free with hooks on internal methods inherited by user classes #2372

Merged: 1 commit merged into master from bob/less-clever on Nov 20, 2023

Conversation

bwoebi
Collaborator

@bwoebi bwoebi commented Nov 20, 2023

Description

Doing the due diligence whether I can reuse nNumOfElements in the HashTable, to increase and decrease it, so that all checks for zend_hash_num_elements() == 0 only are true when neither internal duplicates exist, nor actual hooks exist, I missed the tiny detail that, while all direct usages of nNumOfElements were safe, there was a usage of nNumOfElements in the HT_IS_WITHOUT_HOLES() macro, checking whether nNumOfElements == nNumUsed.

Thus, when there were two hooks, one later removed, and one class inheriting the internal method, nNumOfElements happened to be equal to nNumUsed in shutdown. During hash destruction the smart Zend code would check this and unconditionally iterate over all elements of the array, skipping IS_UNDEF checks.

Eventually leading to a double free.
As a saving grace, this double free generally happened very late in the shutdown sequence, so the memory corruption would usually not surface...

Readiness checklist

  • (only for Members) Changelog has been added to the release document.
  • Tests added for this feature/bug.

Reviewer checklist

  • Appropriate labels assigned.
  • Milestone is set.
  • Changelog has been added to the release document. For community contributors the reviewer is in charge of this task.
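The failure mode the description walks through, as an added example that is not the PR's or the project's code: a constructed miniature of the HashTable counters (MiniHT, ht_add, ht_del, ht_destroy_double_frees, ht_effectively_empty and run_scenario are all hypothetical names) shows how bumping nNumOfElements for an inherited duplicate makes HT_IS_WITHOUT_HOLES() spuriously true, so the destruction fast path revisits a slot that was already released. The separate nInternalDuplicates field is an illustration of keeping the bucket counters truthful, not necessarily what the PR itself changed.

```c
#include <stdint.h>

/* Constructed miniature of the Zend HashTable bookkeeping the PR describes
 * (not the real zend_hash.c): nNumUsed counts bucket slots handed out,
 * nNumOfElements counts live entries; a delete leaves an IS_UNDEF hole whose
 * value has already been released at delete time. */
enum { NBUCKETS = 4 };
typedef struct {
    uint32_t nNumUsed, nNumOfElements;
    uint32_t nInternalDuplicates;  /* hypothetical separate counter for the safe variant */
    int is_undef[NBUCKETS];        /* 1 = hole left by ht_del */
} MiniHT;

#define HT_IS_WITHOUT_HOLES(ht) ((ht)->nNumUsed == (ht)->nNumOfElements)

static void ht_add(MiniHT *ht)               { ht->is_undef[ht->nNumUsed++] = 0; ht->nNumOfElements++; }
static void ht_del(MiniHT *ht, uint32_t idx) { ht->is_undef[idx] = 1; ht->nNumOfElements--; }

/* Models the destruction fast path: when the table claims to have no holes, every
 * slot up to nNumUsed is released without an IS_UNDEF check. Returns how many
 * already-released (UNDEF) slots would be released a second time. */
static int ht_destroy_double_frees(const MiniHT *ht) {
    int double_frees = 0;
    for (uint32_t i = 0; i < ht->nNumUsed; i++) {
        if (!HT_IS_WITHOUT_HOLES(ht) && ht->is_undef[i]) continue;  /* slow path skips holes */
        if (ht->is_undef[i]) double_frees++;                         /* fast path does not */
    }
    return double_frees;
}

/* The check the counter was being reused for: empty means no hooks and no duplicates. */
static int ht_effectively_empty(const MiniHT *ht) {
    return ht->nNumOfElements + ht->nInternalDuplicates == 0;
}

/* Scenario from the PR: two hooks installed, one removed, then a user class inherits
 * the internal method. reuse_counter=1 bumps nNumOfElements for the inherited
 * duplicate (the scheme that broke); 0 records it in the separate field instead. */
static int run_scenario(int reuse_counter) {
    MiniHT ht = {0};
    ht_add(&ht);        /* hook #1 -> nNumUsed=1, nNumOfElements=1 */
    ht_add(&ht);        /* hook #2 -> nNumUsed=2, nNumOfElements=2 */
    ht_del(&ht, 0);     /* hook #1 removed -> nNumUsed=2, nNumOfElements=1, slot 0 UNDEF */
    if (reuse_counter) ht.nNumOfElements++;      /* now 2 == 2: table looks hole-free */
    else               ht.nInternalDuplicates++; /* bucket counters stay truthful */
    return ht_destroy_double_frees(&ht);
}
```

run_scenario(1) reports one slot released twice, run_scenario(0) reports none, while ht_effectively_empty still answers the "no hooks and no duplicates" question either way.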

@bwoebi bwoebi added this to the 0.94.0 milestone Nov 20, 2023
@bwoebi bwoebi requested a review from a team as a code owner November 20, 2023 03:53
…user classes

Doing the due diligence whether I can reuse nNumOfElements in the HashTable, to increase and decrease it, so that all checks for zend_hash_num_elements() == 0 only are true when neither internal duplicates exist, nor actual hooks exist, I missed the tiny detail that, while all direct usages of nNumOfElements were safe, there was a usage of nNumOfElements in the HT_IS_WITHOUT_HOLES() macro, checking whether nNumOfElements == nNumUsed.

Thus, when there were two hooks, one later removed, and one class inheriting the internal method, nNumOfElements happened to be equal to nNumUsed in shutdown. During hash destruction the smart Zend code would check this and unconditionally iterate over all elements of the array, skipping IS_UNDEF checks.

Eventually leading to a double free.
As a saving grace, this double free generally happened very late in the shutdown sequence, so the memory corruption would usually not surface...

Signed-off-by: Bob Weinand <bob.weinand@datadoghq.com>
Contributor

@PROFeNoM PROFeNoM left a comment


Nice catch

@bwoebi bwoebi merged commit ab347f8 into master Nov 20, 2023
601 checks passed
@bwoebi bwoebi deleted the bob/less-clever branch November 20, 2023 15:13