Bug #71584 Possible use-after-free of ZCG(cwd) in Zend Opcache
Submitted: 2016-02-13 17:43 UTC Modified: 2016-02-15 02:34 UTC
From: dev at pp3345 dot net Assigned: laruence
Status: Closed Package: opcache
PHP Version: master-Git-2016-02-13 (Git) OS: Any
Private report: No CVE-ID:
 [2016-02-13 17:43 UTC] dev at pp3345 dot net
Description:
------------
Zend Opcache caches the current working directory in ZCG(cwd) and therefore overrides chdir() in order to update the cached directory name when a script switches directories. The hook on chdir() is set in accel_startup() if opcache.enable is true. ZCG(cwd) is freed in accel_deactivate(), but only if opcache.enable is *still* true. Since Zend extension shutdown functions are called before resetting INI configuration state, a script (or, for example, php_admin_flag in the fpm SAPI) may disable Opcache at runtime by setting opcache.enable to false. In this case, the pointer is not correctly freed and will be reused in the next request, although it became invalid due to being freed by the Zend allocator. This leads to a use-after-free error and may cause a segmentation fault.

I am going to attach two pull requests that fix the problem by freeing ZCG(cwd) in accel_deactivate() even if Opcache is disabled.

Test script:
---------------
Due to the nature of this bug, it's impossible to create a test script that will *always* crash. For testing, I've set opcache.enable=1 in php.ini and php_admin_flag[opcache_enable]=off in my FPM pool. Afterwards, I've made requests to two scripts that simply chdir() to different directories. At some point, the FPM workers segfaulted.
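The following is an added illustration, not code from the PHP source tree or from the reporter: a hypothetical C model of the request lifecycle the report describes. A per-request arena stands in for the Zend request allocator, `zcg` stands in for ZCG(), and two shutdown routines contrast the conditional free the report identifies with the unconditional free the fix applies. `simulate()` runs one request that turns opcache.enable off before shutdown and then reports whether the cached pointer survives into the next request after the allocator has already reclaimed it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-request arena standing in for the Zend request allocator:
 * everything allocated during a request is reclaimed when the request ends,
 * whether or not its owner remembered to release it. (Constructed model.) */
#define ARENA_SIZE 4096
static char arena[ARENA_SIZE];
static size_t arena_used;

static char *request_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    if (arena_used + n > ARENA_SIZE) return NULL;
    char *p = arena + arena_used;
    memcpy(p, s, n);
    arena_used += n;
    return p;
}

/* End of request: the allocator reclaims every block, so any pointer still
 * held by an extension now refers to memory the next request will reuse. */
static void request_arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

/* Stand-in for the extension globals accessed through ZCG(). */
struct accel_globals {
    bool enable;   /* opcache.enable INI value; may be flipped within a request */
    char *cwd;     /* cached current working directory */
};
static struct accel_globals zcg;

/* Stand-in for the chdir() override installed at startup: refresh the cache. */
static void chdir_hook(const char *dir) {
    zcg.cwd = request_strdup(dir);
}

/* Shutdown as the report describes it: the cached pointer is dropped only
 * while opcache.enable is still true, so a runtime disable skips the cleanup. */
static void accel_deactivate_buggy(void) {
    if (zcg.enable && zcg.cwd) {
        zcg.cwd = NULL;   /* stands in for efree(ZCG(cwd)); ZCG(cwd) = NULL */
    }
}

/* Shutdown with the fix applied: release the cached pointer unconditionally,
 * because the request allocator is going to reclaim the block regardless. */
static void accel_deactivate_fixed(void) {
    zcg.cwd = NULL;
}

typedef void (*deactivate_fn)(void);

/* Run one request with opcache enabled, let the script (or php_admin_flag)
 * disable it before shutdown, end the request, and start the next one.
 * Returns true if a pointer into reclaimed memory survived into request 2,
 * which is the condition that makes the later use a use-after-free. */
static bool simulate(deactivate_fn deactivate) {
    zcg.enable = true;          /* php.ini: opcache.enable=1, hook installed */
    zcg.cwd = NULL;
    arena_used = 0;

    /* request 1 */
    chdir_hook("/srv/app");     /* constructed path */
    zcg.enable = false;         /* opcache.enable set to 0 at runtime */
    deactivate();               /* extension shutdown runs BEFORE INI reset */
    request_arena_reset();      /* allocator reclaims all request memory */
    zcg.enable = true;          /* INI reset restores the php.ini value */

    /* request 2: a non-NULL cwd here is a stale pointer into freed memory */
    return zcg.cwd != NULL;
}
```

The model deliberately never dereferences the stale pointer; the point is the ordering dependency (extension shutdown before INI reset) that turns a conditional cleanup into a dangling pointer, and the fix pattern of tying cleanup to the allocation's lifetime rather than to a configuration flag that can change underneath it.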



History

 [2016-02-15 02:34 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2016-02-15 02:34 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC