Bug #79649 Altering disable_functions from module init corrupts memory
Submitted: 2020-05-28 18:51 UTC
Modified: -
From: video dot ice dot power at seznam dot cz
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 7.4.6
OS: Windows
Private report: No
CVE-ID: None

 [2020-05-28 18:51 UTC] video dot ice dot power at seznam dot cz
Description:
------------
disable_functions ini directive can be set before the php engine is initialized here https://github.com/php/php-src/blob/PHP-7.4.6/main/main.c#L2345

but for some reason, setting/clearing the disable_functions ini directive currently causes memory corruption / a PHP crash.

In the example below I post the complete source code of the module where the problem is isolated, and it can be reproduced repeatably by these steps:
1. compile the module
2.a run "php -v" with the module loaded
2.b run https://pastebin.com/NxHCBGmJ with the module loaded and notice "B" is not printed. This issue is present if at least 195 functions are defined and ini_set() is called. If the defined function count is reduced or ini_set() is not called, the full "AB" is printed; otherwise only "A" is printed.

Can you reproduce the issue, and is the usage of the "zend_alter_ini_entry_chars" function correct? Is there currently a workaround to clear the disable_functions ini from module init?

Test script:
---------------
problematic line:

zend_alter_ini_entry_chars(ini_name_zend, "", strlen(""), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);

complete mmm.c / module source:

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "php.h"

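/* Runs at module init (MINIT) and clears the disable_functions ini directive. */
PHP_MINIT_FUNCTION(mmm) {
    zend_string *ini_name_zend = zend_string_init("disable_functions", strlen("disable_functions"), 0);
    /* The line the report identifies as problematic. */
    zend_alter_ini_entry_chars(ini_name_zend, "", strlen(""), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
    zend_string_release_ex(ini_name_zend, 0);

    return SUCCESS;
}

zend_module_entry mmm_module_entry = {
    STANDARD_MODULE_HEADER,
    "mmm",          /* extension name */
    NULL,           /* function table */
    PHP_MINIT(mmm), /* MINIT */
    NULL,           /* MSHUTDOWN */
    NULL,           /* RINIT */
    NULL,           /* RSHUTDOWN */
    NULL,           /* MINFO */
    "1.0.0",        /* version */
    STANDARD_MODULE_PROPERTIES
};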

ZEND_GET_MODULE(mmm)


Expected result:
----------------
PHP 7.4.5 (cli) (built: Apr 14 2020 16:17:19) ( NTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.5, Copyright (c), by Zend Technologies


Actual result:
--------------
PHP 7.4.5 (cli) (built: Apr 14 2020 16:17:19) ( NTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.5, Copyright (c), by Zend Technologies
zend_mm_heap corrupted

 [2020-06-10 03:21 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a297c09da5ad355d53a8e8ea72655a06d15b7bc7
Log: Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)
 [2020-06-10 03:21 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2020-06-10 07:36 UTC] video dot ice dot power at seznam dot cz
Thanks for the fix!

Is there currently any "unit test extension" where test for this can be added?
 [2020-07-09 07:12 UTC] remi@php.net
This fix breaks a lot of extensions which are using zend_alter_ini_entry in RINIT (xdebug, componere, uopz, decimal...)

Perhaps this doesn't have to be supported in MINIT
 [2020-07-09 08:51 UTC] derick@php.net
Automatic comment on behalf of github@derickrethans.nl
Revision: http://git.php.net/?p=php-src.git;a=commit;h=972383fda4235e8dc9f5de1bd95d30a6e2e25385
Log: Revert "Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)"
 [2020-07-09 08:51 UTC] derick@php.net
Automatic comment on behalf of github@derickrethans.nl
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66996b2df026be939c0b7a841b77933eb6fb3c2f
Log: Revert "Partial fixed bug #79649 (Altering disable_functions from module init corrupts memory)"
 
Last updated: Thu Nov 21 21:01:28 2024 UTC