Bug #71584 Possible use-after-free of ZCG(cwd) in Zend Opcache
Submitted: 2016-02-13 17:43 UTC Modified: 2016-02-15 02:34 UTC
From: dev at pp3345 dot net Assigned: laruence (profile)
Status: Closed Package: opcache
PHP Version: master-Git-2016-02-13 (Git) OS: Any
Private report: No CVE-ID: None
 [2016-02-13 17:43 UTC] dev at pp3345 dot net
Description:
------------
Zend Opcache caches the current working directory in ZCG(cwd) and therefore overrides chdir() in order to update the cached directory name when a script switches directories. The hook on chdir() is set in accel_startup() if opcache.enable is true. ZCG(cwd) is freed in accel_deactivate(), but only if opcache.enable is *still* true. Since Zend extension shutdown functions are called before resetting INI configuration state, a script (or, for example, php_admin_flag in the FPM SAPI) may disable Opcache at runtime by setting opcache.enable to false. In this case, the pointer is not correctly freed and will be reused in the next request, although it became invalid due to being freed by the Zend allocator. This leads to a use-after-free error and may cause a segmentation fault.

I am going to attach two pull requests that fix the problem by freeing ZCG(cwd) in accel_deactivate() even if Opcache is disabled.

Test script:
---------------
Due to the nature of this bug, it's impossible to create a test script that will *always* crash. For testing, I've set opcache.enable=1 in php.ini and php_admin_flag[opcache_enable]=off in my FPM pool. Afterwards, I've made requests to two scripts that simply chdir() to different directories. At some point in time, the FPM workers segfaulted.

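A toy C model of the lifecycle described in the report (added here; not code from php-src): the chdir hook caches the directory in a request-allocated string, the buggy accel_deactivate drops the cached pointer only while opcache.enable is still set, so once the request allocator reclaims the block the stale pointer survives into the next request, whereas the fixed version clears it unconditionally. The arena, the zcg struct, the function names and the path are constructed stand-ins for the Zend MM, ZCG(cwd) and the real extension functions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-request allocator: every block handed out
 * during a request is released at request shutdown, whether or not an
 * extension still holds a pointer to it (stand-in for the Zend MM). */
#define MAX_BLOCKS 16
static void *arena[MAX_BLOCKS];
static int arena_count;

static char *request_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    memcpy(p, s, n);
    arena[arena_count++] = p;
    return p;
}

/* Request end: the allocator frees everything it handed out. */
static void request_shutdown(void) {
    for (int i = 0; i < arena_count; i++) free(arena[i]);
    arena_count = 0;
}

/* Stand-in for ZCG(cwd) and the opcache.enable INI flag. */
static struct { char *cwd; int enabled; } zcg;

/* Installed by accel_startup() when opcache.enable=1: cache the new cwd. */
static void chdir_hook(const char *dir) { zcg.cwd = request_strdup(dir); }

/* Buggy accel_deactivate: skips the cleanup when the flag was turned off. */
static void accel_deactivate_buggy(void) {
    if (!zcg.enabled) return;
    zcg.cwd = NULL;               /* the block itself is reclaimed by request_shutdown */
}

/* Fixed accel_deactivate: drop the cached pointer regardless of the flag. */
static void accel_deactivate_fixed(void) { zcg.cwd = NULL; }

/* One request in which a php_admin_flag-style setting disables Opcache at
 * runtime. Returns 1 if ZCG(cwd) still points at freed memory afterwards,
 * i.e. the next request would dereference a dangling pointer. */
static int cwd_dangles_after_request(void (*deactivate)(void)) {
    zcg.enabled = 1;              /* opcache.enable=1 in php.ini: hook is active */
    chdir_hook("/srv/app/a");     /* constructed path; script calls chdir() */
    zcg.enabled = 0;              /* opcache.enable set to 0 during the request */
    deactivate();                 /* extension shutdown runs before INI reset */
    request_shutdown();           /* allocator reclaims the cached string */
    return zcg.cwd != NULL;
}
```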

History

 [2016-02-15 02:34 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2016-02-15 02:34 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
