Bug #68676 Explicit Double Free
Submitted: 2014-12-29 02:16 UTC
Modified: 2014-12-31 01:03 UTC
From: bugreports at internot dot info
Assigned: kalle
Status: Closed
Package: *General Issues
PHP Version: master-Git-2014-12-29 (Git)
OS: Linux Ubuntu 14.04
Private report: No
CVE-ID: 2014-9425
 [2014-12-29 02:16 UTC] bugreports at internot dot info
Description:
------------
Hi,


In /Zend/zend_ts_hash.c:


142        tsrm_mutex_free(ht->mx_reader);
143        tsrm_mutex_free(ht->mx_reader);

This is a double free. 

Probably a merge mistake. I'll check it out.
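
Added example, not part of the original report and not code from php-src: a small C model of the two lines quoted above. It shows that releasing mx_reader twice is both a double free and a leak of the table's other mutex. The struct, the helper names and the second field name mx_writer are assumptions made for illustration; releases are counted instead of passed to free(), so the model itself never corrupts the heap.

```c
/* Added example: a counting stand-in for tsrm_mutex_free().
 * All type and helper names are hypothetical, not the Zend sources. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int live; } mutex_t;            /* stand-in for a TSRM mutex */
typedef struct { mutex_t *mx_reader, *mx_writer; } ts_hash;
typedef struct { int double_frees, leaked; } audit;

static int double_frees;                         /* releases of a dead mutex */

static mutex_t *mutex_alloc(void) {
    mutex_t *m = malloc(sizeof *m);
    if (!m) abort();
    m->live = 1;
    return m;
}

/* Records the release rather than freeing, so a second release of the same
 * mutex is counted instead of damaging the real allocator. */
static void mutex_release(mutex_t *m) {
    if (!m->live) { double_frees++; return; }
    m->live = 0;
}

static void destroy_buggy(ts_hash *ht) {         /* shape of lines 142-143 */
    mutex_release(ht->mx_reader);
    mutex_release(ht->mx_reader);
}

static void destroy_fixed(ts_hash *ht) {         /* each mutex released once */
    mutex_release(ht->mx_reader);
    mutex_release(ht->mx_writer);
}

static audit run(void (*destroy)(ts_hash *)) {
    ts_hash ht = { mutex_alloc(), mutex_alloc() };
    double_frees = 0;
    destroy(&ht);
    audit a = { double_frees, ht.mx_reader->live + ht.mx_writer->live };
    free(ht.mx_reader);                          /* real cleanup, exactly once */
    free(ht.mx_writer);
    return a;
}

int main(void) {
    audit b = run(destroy_buggy), f = run(destroy_fixed);
    printf("buggy: double_frees=%d leaked=%d\nfixed: double_frees=%d leaked=%d\n",
           b.double_frees, b.leaked, f.double_frees, f.leaked);
}
```

On the real allocator the same pattern is what AddressSanitizer or Valgrind reports as a double free when the destructor runs.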


 [2014-12-29 02:23 UTC] bugreports at internot dot info
Nope.

It's been here since 2002!


 # git blame -L 142,143  Zend/zend_ts_hash.c
d5e64b22 (Harald Radi 2002-03-20 21:26:46 +0000 142)    tsrm_mutex_free(ht->mx_reader);
d5e64b22 (Harald Radi 2002-03-20 21:26:46 +0000 143)    tsrm_mutex_free(ht->mx_reader);



commit d5e64b2287b1a8c38d29af1597af6d63a0f7e68c
Author: Harald Radi <phanto@php.net>
Date:   Wed Mar 20 21:26:46 2002 +0000

    added thread safe hashtable which allows concurrent
    reads but only exclusive writes
 [2014-12-29 08:43 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: kalle
 [2014-12-29 10:03 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 10:03 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 [2014-12-29 10:04 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 10:04 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-29 17:24 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2014-9425
 [2014-12-30 09:28 UTC] stas@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-30 09:28 UTC] stas@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
Log: Fixed bug #68676 (Explicit Double Free)
 [2014-12-30 23:38 UTC] bugreports at internot dot info
Is a testcase available for this, by the way?

Thanks,
 [2014-12-31 01:03 UTC] kalle@php.net
Honestly there is not really, as the TsHash API is barely used, and the only place I spotted a zend_ts_hash_init call was in ext/com_dotnet, which is Windows only.
 [2015-07-31 11:52 UTC] paul at ifdnrg dot com
Whilst this is marked as closed, the CVE entry is still open and it's getting picked by PCI compliance tests (Trustwave).

I can still see the double free in the git src.
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
Log: Fixed bug #68676 (Explicit Double Free)
Last updated: Sun Feb 19 14:01:37 2017 UTC