Bug #68676 Explicit Double Free
Submitted: 2014-12-29 02:16 UTC
Modified: 2014-12-31 01:03 UTC
From: bugreports at internot dot info
Assigned: kalle
Status: Closed
Package: *General Issues
PHP Version: master-Git-2014-12-29 (Git)
OS: Linux Ubuntu 14.04
Private report: No
CVE-ID: 2014-9425
 [2014-12-29 02:16 UTC] bugreports at internot dot info
Description:
------------
Hi,


In /Zend/zend_ts_hash.c:


142        tsrm_mutex_free(ht->mx_reader);
143        tsrm_mutex_free(ht->mx_reader);

This is a double free. 

Probably a merge mistake. I'll check it out.


 [2014-12-29 02:23 UTC] bugreports at internot dot info
Nope.

It's been here since 2002!


 # git blame -L 142,143  Zend/zend_ts_hash.c
d5e64b22 (Harald Radi 2002-03-20 21:26:46 +0000 142)    tsrm_mutex_free(ht->mx_reader);
d5e64b22 (Harald Radi 2002-03-20 21:26:46 +0000 143)    tsrm_mutex_free(ht->mx_reader);



commit d5e64b2287b1a8c38d29af1597af6d63a0f7e68c
Author: Harald Radi <phanto@php.net>
Date:   Wed Mar 20 21:26:46 2002 +0000

    added thread safe hashtable which allows concurrent
    reads but only exclusive writes
 [2014-12-29 08:43 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: kalle
 [2014-12-29 10:03 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 10:03 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 [2014-12-29 10:04 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 10:04 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 17:24 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9425
 [2014-12-30 09:28 UTC] stas@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-30 09:28 UTC] stas@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-30 23:38 UTC] bugreports at internot dot info
Is a testcase available for this, by the way?

Thanks,
 [2014-12-31 01:03 UTC] kalle@php.net
Honestly there is not really, as the TsHash API is barely used, and the only place I spotted a zend_ts_hash_init call was in ext/com_dotnet, which is Windows only.
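Added example, not part of this bug thread or of php-src: one way to write a regression test for a destroy routine that releases the same lock twice, using an instrumented release function so the second release is counted instead of corrupting the heap. All names here (`lock_t`, `ts_table`, `lock_release`, `audit_destroy`) are hypothetical, and the "fixed" routine assumes the duplicated line was meant to release a second lock, which the report does not state.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not php-src types: a table guarded by two locks. */
typedef struct { int freed; } lock_t;
typedef struct { lock_t *reader_lock; lock_t *writer_lock; } ts_table;
typedef struct { int double_frees; int leaked; } audit;

static int g_double_frees;  /* releases of an already released lock */

/* Instrumented release: marks the lock instead of calling free(), so a
 * second release is counted rather than corrupting the heap. */
static void lock_release(lock_t *l) {
    if (l->freed) g_double_frees++;
    l->freed = 1;
}

/* Pattern from the report: the same member released twice. */
static void table_destroy_buggy(ts_table *t) {
    lock_release(t->reader_lock);
    lock_release(t->reader_lock);
}

/* Assumed intent (the report does not show the fix): each lock once. */
static void table_destroy_fixed(ts_table *t) {
    lock_release(t->reader_lock);
    lock_release(t->writer_lock);
}

/* Build a table, run one destroy routine, report what it got wrong. */
static audit audit_destroy(void (*destroy)(ts_table *)) {
    lock_t *r = calloc(1, sizeof *r), *w = calloc(1, sizeof *w);
    ts_table t = { r, w };
    audit a;
    if (!r || !w) abort();
    g_double_frees = 0;
    destroy(&t);
    a.double_frees = g_double_frees;
    a.leaked = (r->freed == 0) + (w->freed == 0);  /* never released */
    free(r);
    free(w);
    return a;
}

int main(void) {
    audit bad = audit_destroy(table_destroy_buggy);
    audit ok = audit_destroy(table_destroy_fixed);
    return !(bad.double_frees == 1 && bad.leaked == 1 &&
             ok.double_frees == 0 && ok.leaked == 0);
}
```

The audit reports both effects of the copy-paste pattern: one lock released twice and, under the stated assumption, the other never released.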
 [2015-07-31 11:52 UTC] paul at ifdnrg dot com
Whilst this is marked as closed, the CVE entry is still open and it's getting picked up by PCI compliance tests (Trustwave).

I can still see the double free in the git src.
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
Log: Fixed bug #68676 (Explicit Double Free)
 
Last updated: Thu Nov 21 13:01:29 2024 UTC