php-src/ext/opcache
Niels Dossche ded8fb79bd
Fix UAF issues with PCRE after request shutdown
There are two related issues, each tested.

First problem:
What happens is that on the CLI SAPI we have a per-request pcre cache,
and there the request shutdown for the pcre module happens prior to
the remaining live object destruction. So when the SPL object wants to
clean up the regular expression object it gets a use-after-free.

Second problem:
Very similarly, the non-persistent resources are destroyed after request
shutdown, so on the CLI SAPI the pcre request cache is already gone, but
if a userspace stream references a regex in the pcre cache, this breaks.

Two things that come immediately to mind:
  -  We could fix it by no longer treating the CLI SAPI specially and just using
     the same lifecycle as the module. This simplifies the pcre module code
     a bit too. I wonder why we even have the separation in the first place.
     The downside here is that we're using the system allocator more than
     Zend's allocator for cache entries.
  -  We could modify the shutdown code to not remove regular expressions
     with a refcount > 0 and modify the php_pcre_pce_decref code such that it
     becomes php_pcre_pce_decref's job to clean up when the refcount
     becomes 0 during shutdown. However, this gets nasty quickly.

I chose the first solution here as it should be reliable and simple.

Closes GH-15064.
2024-09-11 18:49:19 +02:00
jit Update IR 2024-09-11 16:03:38 +03:00
tests Fix GH-15657: Segmentation fault in ext/opcache/jit/ir/dynasm/dasm_x86.h 2024-09-11 09:08:51 +02:00
config.m4 Autotools: Mark always-shared extensions with ext_shared variable (#15739) 2024-09-04 23:28:29 +02:00
config.w32 Add date extension to dependencies (#15475) 2024-08-18 16:47:57 +02:00
CREDITS
opcache_arginfo.h Do not generate frameless info items when func info generation is disabled 2024-02-18 11:39:00 +01:00
opcache.stub.php Add more specific array return type hints for various extensions - part 3 (#7467) 2021-09-06 12:27:28 +02:00
shared_alloc_mmap.c Merge branch 'PHP-8.3' 2024-07-23 13:43:25 +02:00
shared_alloc_posix.c opcache: change uses of sprintf into snprintf 2024-06-14 08:12:03 -07:00
shared_alloc_shm.c Make lots of string pointers const (#10646) 2023-02-21 14:01:37 +00:00
shared_alloc_win32.c Use a single version of mempcpy(3) (#12257) 2023-12-20 15:16:32 +00:00
zend_accelerator_blacklist.c Fix gcc-14 Wcalloc-transposed-args warnings 2024-04-01 20:34:14 +02:00
zend_accelerator_blacklist.h
zend_accelerator_debug.c
zend_accelerator_debug.h ext/opcache: C++ compatibility 2023-01-12 15:14:05 +00:00
zend_accelerator_hash.c Mark globals as const (#10303) 2023-01-23 13:46:58 +00:00
zend_accelerator_hash.h Revert GH-10279 2023-01-16 12:25:59 +01:00
zend_accelerator_module.c Sync #if/ifdef/defined (#14520) 2024-06-11 22:47:05 +02:00
zend_accelerator_module.h
zend_accelerator_util_funcs.c Print location on class redeclaration 2024-04-30 14:34:43 +02:00
zend_accelerator_util_funcs.h ext/opcache: C++ compatibility 2022-03-20 20:38:23 +01:00
zend_file_cache.c Remove unused ext/standard/basic_functions.h header inclusions 2024-08-18 18:20:22 +01:00
zend_file_cache.h ext/opcache: merge redundant code and "bool" refactoring (#8237) 2022-03-24 15:03:53 +01:00
zend_persist_calc.c [RFC] Property hooks (#13455) 2024-07-14 11:55:03 +02:00
zend_persist.c Merge branch 'PHP-8.3' 2024-08-30 01:01:33 +03:00
zend_persist.h ext/opcache: C++ compatibility 2023-01-12 15:14:05 +00:00
zend_shared_alloc.c Merge branch 'PHP-8.3' 2024-08-29 23:12:56 +03:00
zend_shared_alloc.h Export opcache shared globals (#15543) 2024-08-26 14:54:36 +02:00
ZendAccelerator.c Fix UAF issues with PCRE after request shutdown 2024-09-11 18:49:19 +02:00
ZendAccelerator.h Ensure proper alignment of zend_accel_shared_globals.interned_strings (#15359) 2024-08-12 21:43:43 +02:00