Bug #81610 Interrupt on jump leads to dangling pointer
Submitted: 2021-11-11 06:44 UTC Modified: 2021-11-11 08:08 UTC
From: tstarling@php.net Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 8.1Git-2021-11-11 (Git) OS:
Private report: No CVE-ID: None
 [2021-11-11 06:44 UTC] tstarling@php.net
Description:
------------
Handlers of jump-like opcodes update the opline to point to the jump target before checking EG(vm_interrupt) and calling the interrupt handler. If an exception is thrown by the interrupt handler, the ZEND_HANDLE_EXCEPTION handler will free the return value of the target opline, even though it has had no opportunity to run yet.

There will be a PR.

Test script:
---------------
<?php

/* Run with opcache.enable_cli=1 and send SIGUSR1 several times */

class C {
	public static $cond = 1;
	public static $a;
}

C::$a = [ C::$cond ]; // make countable zval

function go() {
	while ( true ) {
		$cond = C::$cond;
		// T1 = FETCH_STATIC_PROP_R string("a") string("C")
		C::$a;
		// FREE T1
		// JMPZ CV0($cond) 0000
		if ( $cond )
			// T1 = FETCH_STATIC_PROP_R string("a") string("C")
			// (not executed but T1 freed)
			C::$a;
	}
}

pcntl_async_signals( true );
pcntl_signal( SIGUSR1, function () {
	throw new Exception( 'ping' );
} );
while ( true ) {
	try {
		go();
	} catch ( Exception $e ) {}
}

Actual result:
--------------
It crashes after receiving about 4 SIGUSR1 signals.
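The following is an added illustration, not code from the report or from php-src: a small C model of the ordering problem described above, reduced to the three oplines of go()'s loop that matter (FETCH into T1, FREE T1, the JMP back-edge where the interrupt is checked). The op names, the `run`/`handle_exception` helpers and the `opline_first` switch are the model's own inventions; the alternative ordering it contrasts with (attributing the interrupt to the jump opline itself, which owns no result) is one way to avoid the double release in the model and is not a description of the actual php-src fix. The value's refcount starts at 1, held by C::$a; FREE leaves the stale pointer in the T1 slot, so when the exception handler releases the "result" of the jump target that has not run yet, the array loses a reference it still owes to the static property.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the refcounted array stored in C::$a. */
typedef struct {
    int refcount;
    bool destroyed;   /* set when refcount hits 0 while C::$a still points at it */
} rc_value;

enum opcode { OP_FETCH, OP_FREE, OP_JMP };

typedef struct {
    enum opcode op;
    int target;       /* OP_JMP only */
    bool has_result;  /* opline writes a TMP result (T1) */
} op_t;

/* Modelled loop body of go() (assumed simplification of the opcode stream):
 *   0000  T1 = FETCH C::$a   (refcount++)
 *   0001  FREE T1            (refcount--, slot keeps the stale pointer)
 *   0002  JMP 0000           (back-edge: the only interrupt check in this model)
 */
static const op_t program[] = {
    { OP_FETCH, 0, true  },
    { OP_FREE,  0, false },
    { OP_JMP,   0, false },
};

typedef struct {
    rc_value a;        /* the array; one reference held by the static property */
    rc_value *t1;      /* TMP slot T1 in go()'s frame */
    int pc;
    bool vm_interrupt; /* models EG(vm_interrupt) */
} vm_t;

static void rc_release(rc_value *v) {
    if (--v->refcount == 0) {
        v->destroyed = true;   /* a real VM would free the array here */
    }
}

/* Miniature exception handler: the opline that was "executing" when the
 * exception was raised has its TMP result released, if it has one. */
static void handle_exception(vm_t *vm, int throw_pc) {
    if (program[throw_pc].has_result && vm->t1 != NULL) {
        rc_release(vm->t1);
    }
}

/* Run go()'s loop with a signal landing at each of `signals` back-edges. The
 * handler throws, the caller catches, and go() is re-entered with a fresh
 * frame, as in the reporter's script. With opline_first the jump handler
 * commits the target opline before checking the interrupt (the ordering the
 * report describes); otherwise the interrupt is attributed to the JMP itself.
 * Returns the array's refcount when the run stops: at the first destruction
 * or after all signals have been delivered. */
static int run(int signals, bool opline_first) {
    vm_t vm = { { 1, false }, NULL, 0, false };
    int delivered = 0;
    while (delivered < signals && !vm.a.destroyed) {
        const op_t *op = &program[vm.pc];
        switch (op->op) {
        case OP_FETCH:
            vm.t1 = &vm.a;
            vm.a.refcount++;
            vm.pc++;
            break;
        case OP_FREE:
            rc_release(vm.t1);        /* T1 still holds the pointer afterwards */
            vm.pc++;
            break;
        case OP_JMP: {
            int throw_pc;
            vm.vm_interrupt = true;   /* SIGUSR1 arrived during this iteration */
            if (opline_first) {
                vm.pc = op->target;   /* now "at" FETCH, whose result was never produced */
                throw_pc = vm.pc;
            } else {
                throw_pc = vm.pc;     /* the JMP owns no result */
                vm.pc = op->target;
            }
            if (vm.vm_interrupt) {
                vm.vm_interrupt = false;
                delivered++;
                handle_exception(&vm, throw_pc);
                vm.pc = 0;            /* caught by the outer loop; go() called again */
                vm.t1 = NULL;
            }
            break;
        }
        }
    }
    return vm.a.refcount;
}

static bool destroyed_after(int signals, bool opline_first) {
    return run(signals, opline_first) == 0;
}

int main(void) {
    printf("opline committed first: refcount after 1 signal  = %d\n", run(1, true));
    printf("interrupt checked first: refcount after 8 signals = %d\n", run(8, false));
    return 0;
}
```

In the model a single mishandled interrupt is enough to drop the array's only reference; in a real process the crash shows up later, once the freed memory is reused, which is why a repro of this kind needs several signals before it falls over.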

 [2021-11-11 07:09 UTC] tstarling@php.net
Originally discussed at https://phabricator.wikimedia.org/T293568
 [2021-11-11 08:08 UTC] nikic@php.net
Duplicate of bug #81577.
 [2021-11-11 08:08 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC