PHP :: Bug #69579 :: Invalid free in extension trait

Bug #69579	Invalid free in extension trait
Submitted:	2015-05-06 02:20 UTC	Modified:	2015-07-10 14:33 UTC
From:	jbboehr at gmail dot com	Assigned:
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	master-Git-2015-05-06 (Git)	OS:	Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-05-06 02:20 UTC] jbboehr at gmail dot com

Description:
------------
Tangentially related to https://bugs.php.net/bug.php?id=69566

I've been working on a PHP extension that includes a trait: https://github.com/jbboehr/php-psr/tree/php7

On git master, I get a sigabort.

I'm not sure why normal traits don't get the invalid free; maybe they're all allocated by arena.

In zend_add_trait_method, the internal function struct is not the same size as a user function, so valgrind outputs an invalid read warning.

As an aside, assuming allowing traits in an extension is something that should be supported, it might be ideal to have at least one internal trait somewhere to catch these sort of issues, but that's outside the scope of this bug report.

Test script:
---------------
Unfortunately, it's in an extension, so to reproduce compile https://github.com/jbboehr/php-psr/tree/php7 and run
TEST_PHP_ARGS=-m make test

Actual result:
--------------
Valgrind output:

==15151== Invalid read of size 8
==15151==    at 0x8FA68D: zend_traits_copy_functions (zend_inheritance.c:1184)
==15151==    by 0x8FB15F: zend_do_traits_method_binding (zend_inheritance.c:1387)
==15151==    by 0x8FBA08: zend_do_bind_traits (zend_inheritance.c:1588)
==15151==    by 0x907AD1: ZEND_BIND_TRAITS_SPEC_HANDLER (zend_vm_execute.h:1451)
==15151==    by 0x903F0F: execute_ex (zend_vm_execute.h:394)
==15151==    by 0x9040D3: zend_execute (zend_vm_execute.h:434)
==15151==    by 0x8A73B4: zend_execute_scripts (zend.c:1389)
==15151==    by 0x7F79CA: php_execute_script (main.c:2468)
==15151==    by 0x972711: do_cli (php_cli.c:967)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd919a70 is 0 bytes after a block of size 64 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x8B1B93: zend_register_functions (zend_API.c:2272)
==15151==    by 0x8B31C1: do_register_internal_class (zend_API.c:2687)
==15151==    by 0x8B33AD: zend_register_internal_class (zend_API.c:2735)
==15151==    by 0xE247F2E: php_psr_register_LoggerTrait (psr.c:308)
==15151==    by 0xE24823C: zm_startup_psr (psr.c:360)
==15151==    by 0x8B0362: zend_startup_module_ex (zend_API.c:1878)
==15151==    by 0x8B03E0: zend_startup_module_zval (zend_API.c:1893)
==15151==    by 0x8BE50F: zend_hash_apply (zend_hash.c:1437)
==15151==    by 0x8B09F7: zend_startup_modules (zend_API.c:2004)
==15151==    by 0x7F6ECD: php_module_startup (main.c:2190)
==15151==    by 0x97136A: php_cli_startup (php_cli.c:419)
==15151== 
==15151== Invalid free() / delete / delete[] / realloc()
==15151==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x892466: zend_function_dtor (zend_opcode.c:128)
==15151==    by 0x8BDA20: zend_hash_destroy (zend_hash.c:1182)
==15151==    by 0x892DD5: destroy_zend_class (zend_opcode.c:285)
==15151==    by 0x8BD103: _zend_hash_del_el_ex (zend_hash.c:938)
==15151==    by 0x8BD1E3: _zend_hash_del_el (zend_hash.c:962)
==15151==    by 0x8BE978: zend_hash_reverse_apply (zend_hash.c:1532)
==15151==    by 0x88BFFF: shutdown_executor (zend_execute_API.c:351)
==15151==    by 0x8A5C7A: zend_deactivate (zend.c:964)
==15151==    by 0x7F60C1: php_request_shutdown (main.c:1806)
==15151==    by 0x973110: do_cli (php_cli.c:1135)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd9bb498 is 4,568 bytes inside a block of size 65,536 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x86E752: _emalloc (zend_alloc.c:2195)
==15151==    by 0x870240: zend_arena_create (zend_arena.h:36)
==15151==    by 0x8714A1: init_compiler (zend_compile.c:324)
==15151==    by 0x8A5ACD: zend_activate (zend.c:940)
==15151==    by 0x7F4F3D: php_request_startup (main.c:1564)
==15151==    by 0x972542: do_cli (php_cli.c:938)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==

Patches

extension_trait_issue_2.patch (last revision 2015-05-06 02:20 UTC by jbboehr at gmail dot com)

Pull Requests

Pull requests:

Fix #69579: Invalid free with internal trait (2) (php-src/2139)
Extension trait issue 2 (php-src/1262)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-07-07 17:30 UTC] jbboehr at gmail dot com

I found a hack-ey workaround, so previous commit can reproduce:
https://github.com/jbboehr/php-psr/commit/a21297aabb936b7b0c22b4cc216affbc99f3be33

[2015-07-10 14:33 UTC] laruence@php.net

the invalid read part is fixed in : https://github.com/php/php-src/commit/8e709d7f5d30d35397a31eb4ba3e836772c6eb0d

thanks

[2016-09-22 03:29 UTC] jbboehr at gmail dot com

I sent a new PR2139 that includes the change from PR1262, plus a test case and an internal test trait.

> If you are fixing a bug, then please submit your PR against the lowest branch of PHP that the bug affects

https://github.com/php/php-src/pull/2139/commits/0f5e99876a42aff4da5adba78be82d4ffd71c517 works in 7.0, but https://github.com/php/php-src/pull/2139/commits/fe9b40cb632e1428a12b6c4d53968021934019f6 needs https://github.com/php/php-src/commit/2ee73ee094ab33b917e350b7171a543bd2b24947

I set up a Travis build to demonstrate what happens without the code:
https://travis-ci.org/jbboehr/php-psr/jobs/161807370#L956
https://travis-ci.org/jbboehr/php-psr/jobs/161807373#L954

[2016-09-22 10:36 UTC] nikic@php.net

Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579

[2016-09-22 10:36 UTC] nikic@php.net

-Status: Open +Status: Closed

[2016-09-22 10:39 UTC] nikic@php.net

Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579

[2016-10-17 10:08 UTC] bwoebi@php.net

Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579

[2016-10-17 10:08 UTC] bwoebi@php.net

Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 10:01:29 2024 UTC