From 7685fb0e1c241f6a28f0f0999ba54d8d115de044 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 25 Nov 2024 18:34:33 +0100
Subject: [PATCH 1/3] Enable GHSA-9pqp-7h25-4f32.phpt on Windows
Closes GH-16933.
---
 tests/basic/GHSA-9pqp-7h25-4f32.phpt | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
index 29bcb6557d5a2..af81916370500 100644
--- a/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
@@ -5,9 +5,6 @@ GHSA-9pqp-7h25-4f32
 if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
 die("skip php-cgi not available");
 }
-if (substr(PHP_OS, 0, 3) == 'WIN') {
- die("skip not for Windows in CI - probably resource issue");
-}
 ?>
 --FILE--
Date: Tue, 3 Dec 2024 22:47:53 +0100
Subject: [PATCH 2/3] Fix GH-17037: UAF in user filter when adding existing filter name due to incorrect error handling
There are two functions that can each fail in their own way. If the last function fails we have to remove the filter entry from the hash table, otherwise we risk a UAF. Note also that removing the entry from the table on failure will also free its memory.
Closes GH-17038.
---
 NEWS | 3 +++
 ext/standard/tests/filters/gh17037.phpt | 8 ++++++++
 ext/standard/user_filters.c | 12 ++++++++----
 3 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 ext/standard/tests/filters/gh17037.phpt
diff --git a/NEWS b/NEWS
index e52764d78db64..a139c14513a57 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.16
+- Streams:
+ . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
+ to incorrect error handling). (nielsdos)
 19 Dec 2024, PHP 8.3.15
diff --git a/ext/standard/tests/filters/gh17037.phpt b/ext/standard/tests/filters/gh17037.phpt
new file mode 100644
index 0000000000000..21319ba26bf99
--- /dev/null
+++ b/ext/standard/tests/filters/gh17037.phpt
@@ -0,0 +1,8 @@
+--TEST--
+GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling)
+--FILE--
+
+--EXPECT--
+bool(false)
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
index 063895e2f4049..737237f6630cd 100644
--- a/ext/standard/user_filters.c
+++ b/ext/standard/user_filters.c
@@ -516,13 +516,17 @@ PHP_FUNCTION(stream_filter_register)
 fdat = ecalloc(1, sizeof(struct php_user_filter_data));
 fdat->classname = zend_string_copy(classname);
- if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL &&
- php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) {
- RETVAL_TRUE;
+ if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL) {
+ if (php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) {
+ RETURN_TRUE;
+ }
+
+ zend_hash_del(BG(user_filter_map), filtername);
 } else {
 zend_string_release_ex(classname, 0);
 efree(fdat);
- RETVAL_FALSE;
 }
+
+ RETURN_FALSE;
 }
 /* }}} */
From 2285d7083ed48f8717974697eacb97be6243947d Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 4 Dec 2024 20:43:49 +0100
Subject: [PATCH 3/3] Revert "Enable GHSA-9pqp-7h25-4f32.phpt on Windows"
This reverts commit 7685fb0e1c241f6a28f0f0999ba54d8d115de044. The test fails at least for PHP-8.2+ on CI. Needs closer investigation.
---
 tests/basic/GHSA-9pqp-7h25-4f32.phpt | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/basic/GHSA-9pqp-7h25-4f32.phpt b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
index af81916370500..29bcb6557d5a2 100644
--- a/tests/basic/GHSA-9pqp-7h25-4f32.phpt
+++ b/tests/basic/GHSA-9pqp-7h25-4f32.phpt
@@ -5,6 +5,9 @@ GHSA-9pqp-7h25-4f32
 if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
 die("skip php-cgi not available");
 }
+if (substr(PHP_OS, 0, 3) == 'WIN') {
+ die("skip not for Windows in CI - probably resource issue");
+}
 ?>
 --FILE--
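Review bot: In the ext/standard/user_filters.c hunk, the two failure branches now dispose of `fdat` by different means, and nothing at the `zend_hash_del(BG(user_filter_map), filtername);` line records why. The commit message says that deleting the entry also frees its memory, presumably through the table's destructor, which is not visible in this hunk, whereas the `else` branch releases `classname` and calls `efree(fdat)` by hand because the insert never took ownership. A comment on the delete, for example `/* factory registration failed: removing the entry lets the table free fdat and its classname; do not free them here */`, would keep a later edit from adding a second free or leaving the dangling entry behind again. PHP_FUNCTION(stream_filter_register) begins above the hunk, so the argument checks that precede the allocation are not covered by this note.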