php: Fix memory corruption for uwsgi_cache_* #2108
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
xrmx
reviewed
Dec 14, 2019
aszlig
force-pushed
the
fix-php-cache-crashes
branch
from
6646b31
to
7a459d9
Compare
xrmx
reviewed
Jan 19, 2020
Ah the joys of variadic arguments in C... So, when using zend_parse_parameters(), PHP internally loops through the type specifiers and accordingly uses va_arg() to get the corresponding argument. Since the arguments are expected to be pointers to the corresponding values, the size of them *does* matter, because PHP simply writes to the corresponding address with a size of size_t. If we for example pass a pointer to a 32bit integer and PHP writes 64 bits, we have an overflow of 4 bytes. From README.PARAMETER_PARSING_API in the PHP source tree: > Please note that since version 7 PHP uses zend_long as integer type > and zend_string with size_t as length, so make sure you pass > zend_longs to "l" and size_t to strings length (i.e. for "s" you need > to pass char * and size_t), not the other way round! > > Both mistakes might cause memory corruptions and segfaults: > 1) > char *str; > long str_len; /* XXX THIS IS WRONG!! Use size_t instead. */ > zend_parse_parameters(ZEND_NUM_ARGS(), "s", &str, &str_len) > > 2) > int num; /* XXX THIS IS WRONG!! Use zend_long instead. */ > zend_parse_parameters(ZEND_NUM_ARGS(), "l", &num) To fix this, I changed the types accordingly to use size_t and zend_long if the PHP major version is >= 7. Signed-off-by: aszlig <aszlig@nix.build>
aszlig
force-pushed
the
fix-php-cache-crashes
branch
from
7a459d9
to
f8b4c28
Compare
|
@xrmx: Seeing that this issue still persists in version 2.0.20, could you please cherry-pick this to |
|
@aszlig backported here xrmx@a5c1e28 , will merge here once the ci finishes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ah the joys of variadic arguments in C...
So, when using
zend_parse_parameters(), PHP internally loops through the type specifiers and accordingly usesva_arg()to get the corresponding argument.Since the arguments are expected to be pointers to the corresponding values, the size of them does matter, because PHP simply writes to the corresponding address with a size of
size_t.If we for example pass a pointer to a 32bit integer and PHP writes 64 bits, we have an overflow of 4 bytes.
From
README.PARAMETER_PARSING_APIin the PHP source tree:To fix this, I changed the types accordingly to use
size_tandzend_longif the PHP major version is >= 7.