New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash in zend_objects_store_free_object_storage due to uninitialised handlers #11734
Comments
Initialize object.handlers to std_object_handlers on zend_objects_new. This avoids a use-after-free for objects using custom handlers that are installed after allocation, accessing the handlers on shutdown when they haven't been set yet. Fixes phpGH-11734
@tstarling Thanks for your analysis! I went for a slight variation of what you suggested in #11739, also setting |
Initialize object.handlers to std_object_handlers in zend_object_alloc. This avoids a use-after-free for objects using custom handlers that are installed after allocation, accessing the handlers on shutdown when they haven't been set yet. Fixes phpGH-11734
Initialize object.handlers to std_object_handlers in zend_object_alloc. This avoids a use-after-free for objects using custom handlers that are installed after allocation, accessing the handlers on shutdown when they haven't been set yet. Fixes phpGH-11734
Initialize object.handlers to std_object_handlers in zend_object_alloc. This avoids a use-after-free for objects using custom handlers that are installed after allocation, accessing the handlers on shutdown when they haven't been set yet. Fixes phpGH-11734
/*
/* Add this include at the top of your PHP extension file */ /* Add this function to initialize the handlers /
} /* Replace spl_heap_object_new_ex with this fixed version /
} /* Replace the original spl_heap_object_new_ex implementation with our fixed version */ /* The rest of your extension code goes here / /* Don't forget to implement the MINIT and MSHUTDOWN functions in your extension, if necessary. */ |
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We should initialize object handlers before trying to allocate more memory, because if we OOM we'll look for the free_obj handler which has not been initialized. Furthermore, free_obj can run before the object is fully initialized, requiring guards for potentially unset fields. Fixes phpGH-11734
We may OOM during object initialization. In this case, free_obj needs to guard against NULL values. There may be more cases where this is an issue, these were the ones I was able to discover via script. Fixes phpGH-11734
We may OOM during object initialization. In this case, free_obj needs to guard against NULL values. There may be more cases where this is an issue, these were the ones I was able to discover via script. Fixes phpGH-11734
We may OOM during object initialization. In this case, free_obj needs to guard against NULL values. There may be more cases where this is an issue, these were the ones I was able to discover via script. Fixes phpGH-11734
Description
This crashes on shutdown:
When an object is created, there is a critical section between zend_object_std_init() and the assignment to handlers during which time it is unsafe to call the Zend allocator.
This was reported in LuaSandbox (T322748) but a quick review suggests that many other extensions have the same issue. In the PHP 8.1 tree, there is:
My test case above uses the bug in spl_heap_object_new_ex().
Potential rectification options:
PHP Version
PHP 8.1.20
Operating System
No response
The text was updated successfully, but these errors were encountered: