php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81435 Observer current_observed_frame may point to an old (overwritten) frame
Submitted: 2021-09-13 12:14 UTC Modified: 2021-09-13 12:15 UTC
From: bwoebi@php.net Assigned: bwoebi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 8.0.10 OS: MacOS 11
Private report: No CVE-ID: None
 [2021-09-13 12:14 UTC] bwoebi@php.net
Description:
------------
Observer current_observed_frame is unconditionally updated to prev_execute_data. However prev_execute_data may point to an unobserved function, causing current_observed_frame not to be updated until another observed function ends.
Thus current_observed_frame may point to some already left unobserved function, which may already have been overwritten.

Test script:
---------------
Installing observers on a and d,

<?php

ini_set("memory_limit", "20M");

function d() {} // observed

function c() { // gets prev_execute_data after end of d()
        d();
}

function b() {
        c();
}

function bailout(...$args) {
        array_map("str_repeat", ["\xFF"], [100000000]);
}

function a() { // observed (first_observed_frame)
        b();
        bailout(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); // overwrite the vm_stack containing prev_execute_data
}

a();

Expected result:
----------------
No crash.

Actual result:
--------------
Crash, with current_observed_frame pointing to something not being a valid frame on the vm_stack:

(gdb) bt
#0  0x0000000012cd24c9 in zend_observer_fcall_end_all () at /usr/src/debug/php-8.0.10/Zend/zend_observer.c:235
#1  0x0000000012be059b in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-8.0.10/main/main.c:1777


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-09-13 12:15 UTC] bwoebi@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: bwoebi
 [2021-09-13 14:17 UTC] git@php.net
Automatic comment on behalf of bwoebi
Revision: https://github.com/php/php-src/commit/12b0f1b7cc67d479b780e38391837eaf44f5d570
Log: Fix #81435 Observer current_observed_frame may point to an old (overwritten) frame
 [2021-09-13 14:17 UTC] git@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC