php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79649 Altering disable_functions from module init corrupts memory
Submitted: 2020-05-28 18:51 UTC Modified: -
From: video dot ice dot power at seznam dot cz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.4.6 OS: Windows
Private report: No CVE-ID: None
 [2020-05-28 18:51 UTC] video dot ice dot power at seznam dot cz
Description:
------------
disable_functions ini directive can be set before the php engine is initialized here https://github.com/php/php-src/blob/PHP-7.4.6/main/main.c#L2345

but for some reasons, setting/clearing disable_functions ini directive causes currently memory corruptions / php crash.

In the example below I post complete source code of the module where the problem is isolated and it can be produced repeatably by these steps:
1. compile the module
2.a run "php -v" with the module loaded
2.b run https://pastebin.com/NxHCBGmJ with the module loaded and notice "B" is not printed. This issue is presented if at least 195 functions are defined and ini_set() is called. If defined functions count is reduced or ini_set() is not called, full "AB" is printed, otherwise only "A" is printed.

Can you reproduce the issue and is the usage of "zend_alter_ini_entry_chars" function correct? Is there currently a workaround to clear the disable_functions ini from module init?

Test script:
---------------
problematic line:

zend_alter_ini_entry_chars(ini_name_zend, "", strlen(""), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);

complete mmm.c / module source:

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "php.h"

PHP_MINIT_FUNCTION(mmm) {
    zend_string *ini_name_zend = zend_string_init("disable_functions", strlen("disable_functions"), 0);
    zend_alter_ini_entry_chars(ini_name_zend, "", strlen(""), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
    zend_string_release_ex(ini_name_zend, 0);

    return SUCCESS;
}

zend_module_entry mmm_module_entry = {
    STANDARD_MODULE_HEADER,
    "mmm",
    NULL,
    PHP_MINIT(mmm),
    NULL,
    NULL,
    NULL,
    NULL,
    "1.0.0",
    STANDARD_MODULE_PROPERTIES
};

ZEND_GET_MODULE(mmm)


Expected result:
----------------
PHP 7.4.5 (cli) (built: Apr 14 2020 16:17:19) ( NTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.5, Copyright (c), by Zend Technologies


Actual result:
--------------
PHP 7.4.5 (cli) (built: Apr 14 2020 16:17:19) ( NTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.5, Copyright (c), by Zend Technologies
zend_mm_heap corrupted

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-06-10 03:21 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a297c09da5ad355d53a8e8ea72655a06d15b7bc7
Log: Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)
 [2020-06-10 03:21 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2020-06-10 07:36 UTC] video dot ice dot power at seznam dot cz
Thanks for the fix!

Is there currently any "unit test extension" where test for this can be added?
 [2020-07-09 07:12 UTC] remi@php.net
This fix breaks lot of extension which are using zend_alter_ini_entry in RINIT (xdebug, componere, uopz, decimal...)

Perhaps this don't have to be supported in MINIT
 [2020-07-09 08:51 UTC] derick@php.net
Automatic comment on behalf of github@derickrethans.nl
Revision: http://git.php.net/?p=php-src.git;a=commit;h=972383fda4235e8dc9f5de1bd95d30a6e2e25385
Log: Revert "Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)"
 [2020-07-09 08:51 UTC] derick@php.net
Automatic comment on behalf of github@derickrethans.nl
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66996b2df026be939c0b7a841b77933eb6fb3c2f
Log: Revert "Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)"
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 23 07:01:31 2024 UTC