php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58526 Double free when zval is separated in convert_to_*
Submitted: 2009-01-28 18:54 UTC Modified: 2009-02-12 09:01 UTC
From: james82 at gmail dot com Assigned: mike (profile)
Status: Closed Package: pecl_http (PECL)
PHP Version: 5.2.5 OS: CentOS 5
Private report: No CVE-ID: None
 [2009-01-28 18:54 UTC] james82 at gmail dot com
Description:
------------
pecl_http uses convert_to_* interface to convert variables 
between types. This interface "steals" the reference 
provided by the caller. When there are multiple references 
to the same variable, the convert_to_* interface separates 
the variable into two copies, so as to ensure that we only 
modify one of the references. This variable separation has 
two side effects:
  1) An extra copy of the variable is created. We should 
delete this copy when we are done with it.
  2) The variable separation decreased the reference count 
of our original variable.

We currently handle side effect #1, but we don't handle #2. 
This results in memory corruption and segfaults.



Reproduce code:
---------------
$o = array('ssl' => array('verifypeer'=>'1'));
$r = new HttpRequest('http://www.google.com');
$r->setOptions($o);
$r->send();

See http://www.cs.toronto.edu/~james/pecl-http-double-free-patch.txt for a possible patch for this issue. This patch should be reviewed carefully to make sure that, in fixing the double-free issue, it doesn't add any memory leaks.

Expected result:
----------------
No segfaults or double frees.

Actual result:
--------------
==19115== Invalid read of size 4
==19115==    at 0x5A52B7: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy 
(in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in 
/usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in 
/usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of 
size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in 
/usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: 
zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in 
/usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==
==19115== Invalid read of size 4
==19115==    at 0x5A52BE: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy 
(in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in 
/usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in 
/usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of 
size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in 
/usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: 
zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in 
/usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)




Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-12 09:01 UTC] mike@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC