php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78173 XML-RPC mutates immutable objects during encoding
Submitted: 2019-06-17 09:16 UTC Modified: 2019-06-18 15:11 UTC
From: asher dot baker at tripleplay dot tv Assigned: cmb (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 7.2.19 OS: Linux CentOS 7
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: asher dot baker at tripleplay dot tv
New email:
PHP Version: OS:

 

 [2019-06-17 09:16 UTC] asher dot baker at tripleplay dot tv
Description:
------------
With opcache.protect_memory=1 enabled, the XML-RPC extension causes a segfault on PHP 7.2 as it is modifying the recursion counter of objects it touches, without first checking if they are immutable or not.

https://github.com/php/php-src/blob/28808ca96d202e63db0c407548f4fb7d4cb46d9f/ext/xmlrpc/xmlrpc-epi-php.c#L573-L575

It was fixed for 7.3 by the general recursion check refactoring: https://github.com/php/php-src/commit/cb9d81ef4f07f82835273800b0cb3d6a67816050#diff-b55aaf035c39d54c37c0f9bcc0ece5c8

It looks like this just needs some ZEND_HASH_APPLY_PROTECTION checks for 7.2

By the way, I ran into this debugging a related issue where we're seeing the nApplyCount of the shared empty array getting incremented and staying that way (but I don't know how to reproduce that yet), poisoning it for the rest of the process lifetime. Could this code ever leave the count unbalanced? or is it "harmless" as it will always be back to 0 upon finishing?

Many thanks for looking at this, apologies for not having a test script but I don't know enough about XML-RPC to extract one.

php-xmlrpc-7.2.19-2.el7.remi.x86_64

Actual result:
--------------
#0  PHP_to_XMLRPC_worker (key=key@entry=0x0, in_val=in_val@entry=0x7ffec63de950, depth=5, depth@entry=0) at /usr/src/debug/php-7.2.19/ext/xmlrpc/xmlrpc-epi-php.c:574
#1  0x00007fd26e3958a3 in PHP_to_XMLRPC (root_val=0x7ffec63de950) at /usr/src/debug/php-7.2.19/ext/xmlrpc/xmlrpc-epi-php.c:607
#2  php_xmlrpc_callback (server=<optimized out>, xRequest=0x7fd27aa704b0, data=0x7ffec63de920) at /usr/src/debug/php-7.2.19/ext/xmlrpc/xmlrpc-epi-php.c:911
#3  0x00007fd26e395a70 in zif_xmlrpc_server_call_method (execute_data=<optimized out>, return_value=0x7fd27aa20390) at /usr/src/debug/php-7.2.19/ext/xmlrpc/xmlrpc-epi-php.c:1082
#4  0x00007fd27bdd9acb in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.2.19/Zend/zend_vm_execute.h:617
#5  execute_ex (ex=0x7fd27aa00040) at /usr/src/debug/php-7.2.19/Zend/zend_vm_execute.h:59750
#6  0x00007fd27bddf63e in zend_execute (op_array=op_array@entry=0x7fd27aa641c0, return_value=return_value@entry=0x7fd261706988)
    at /usr/src/debug/php-7.2.19/Zend/zend_vm_execute.h:63776
#7  0x00007fd27bd2d033 in zend_execute_scripts (type=2057437840, type@entry=8, retval=0x7fd261706988, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-7.2.19/Zend/zend.c:1498
#8  0x00007fd27bcc7848 in php_execute_script (primary_file=primary_file@entry=0x7ffec63e0e80) at /usr/src/debug/php-7.2.19/main/main.c:2594

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-18 14:13 UTC] asher dot baker at tripleplay dot tv
The following pull request has been associated:

Patch Name: Fix XML-RPC changing immutable hash tables
On GitHub:  https://github.com/php/php-src/pull/4285
Patch:      https://github.com/php/php-src/pull/4285.patch
 [2019-06-18 15:11 UTC] cmb@php.net
Automatic comment on behalf of asher.baker@tripleplay.tv
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d54220bc795a7025a162c61128c98a7af14087a4
Log: Fix #78173: XML-RPC mutates immutable objects during encoding
 [2019-06-18 15:11 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2019-06-18 15:11 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 07:01:29 2024 UTC