Fix GH-22122: UAF in SQLite3/Pdo\Sqlite authorizer when callback releases it#22126
Open
iliaal wants to merge 1 commit into
Open
Fix GH-22122: UAF in SQLite3/Pdo\Sqlite authorizer when callback releases it#22126iliaal wants to merge 1 commit into
iliaal wants to merge 1 commit into
Conversation
…eleases it zend_call_known_fcc does not addref fcc->object or fcc->closure. When the authorizer callback invokes $db->setAuthorizer(null), zend_fcc_dtor frees the bound $this mid-call. Snapshot object/closure before zend_fcc_addref and release the snapshots after the call. Same fix in Pdo\Sqlite. Replace the misleading "An error occurred" warning on Z_ISUNDEF(retval) with ZEND_ASSERT(EG(exception)) to match Pdo\Sqlite's existing pattern. Fixes phpGH-22122
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
zend_call_known_fccdoes not addreffcc->object/fcc->closure. When the authorizer callback invokes$db->setAuthorizer(null),zend_fcc_dtorreleases the bound$thisand the object is freed mid-call; the method body then dereferences freed memory. Snapshotobjectandclosurebefore the call, addref viazend_fcc_addref, release the snapshots after. Saved pointers are required because the callback can replacedb_obj->authorizer_fcc.Same fix applied to
Pdo\Sqlite, which has the identical reachable bug via its ownsetAuthorizer(null). SQLite3'sZ_ISUNDEF(retval)branch now matchesPdo\Sqlite'sZEND_ASSERT(EG(exception))shape, so a throwing callback no longer triggers the misleading "An error occurred while invoking the authorizer callback" warning.zend_fcc_dupis not safe here: shallow-copy offunction_handlerwould leave a trampoline owned by two FCCs, and dtor of the second would double-free.Fixes #22122