PHP :: Bug #71584 :: Possible use-after-free of ZCG(cwd) in Zend Opcache

Bug #71584	Possible use-after-free of ZCG(cwd) in Zend Opcache
Submitted:	2016-02-13 17:43 UTC	Modified:	2016-02-15 02:34 UTC
From:	dev at pp3345 dot net	Assigned:	laruence (profile)
Status:	Closed	Package:	opcache
PHP Version:	master-Git-2016-02-13 (Git)	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-02-13 17:43 UTC] dev at pp3345 dot net

Description:
------------
Zend Opcache caches the current working directory in ZCG(cwd) and therefore overrides chdir() in order to update the cached directory name when a script switches directories. The hook on chdir() is set in accel_startup() if opcache.enable is true. ZCG(cwd) is free'd in accel_deactivate(), but only if opcache.enable *still* is true. Since Zend extension shutdown functions are called before resetting INI configuration state, a script (or, for example, php_admin_flag in fpm SAPI) may disable Opcache at runtime by setting opcache.enable to false. In this case, the pointer is not correctly free'd and will be reused in the next request, although it became invalid due to being free'd by the Zend allocator. This leads to a use-after-free error and may cause a segmentation fault.

I am going to attach two pull requests that fix the problem by freeing ZCG(cwd) in accel_deactivate() even if Opcache is disabled.

Test script:
---------------
Due to the nature of this bug, it's impossible to create a test script that will *always* crash. For testing, I've set opcache.enable=1 in php.ini and php_admin_flag[opcache_enable]=off in my FPM pool. Afterwards, I've made requests to two scripts that simply chdir() to different directories. At some point of time, the FPM workers segfaulted.

Patches

Pull Requests

Pull requests:

Fix use-after-free of ZCG(cwd) in Zend Optimizer (master) (php-src/1763)
Fix use-after-free of ZCG(cwd) in Zend Optimizer (5.6) (php-src/1762)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-02-15 02:34 UTC] laruence@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence

[2016-02-15 02:34 UTC] laruence@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC