Commit 1c18267

committed

Destroy temporary module classes in reverse order

We destroy classes of dl()'ed modules in clean_module_classes(), during shutdown. Child classes of a module use structures of the parent class (such as inherited properties), which are destroyed earlier, so we have a use-after-free when destroying a child class. Here I destroy classes in reverse order, as it is done in zend_shutdown() for persistent classes. Fixes GH-17961 Fixes GH-15367

1 parent a7d2703 commit 1c18267Copy full SHA for 1c18267

File tree

5 files changed

+97

-14

lines changed

NEWS
Zend
- zend_API.c
ext/dl_test

5 files changed

+97

-14

lines changed

`‎NEWS‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,12 @@ PHP NEWS`
`2`	`2`	`\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|`
`3`	`3`	`?? ??? ????, PHP 8.3.20`
`4`	`4`
	`5`	`+- Core:`
	`6`	`+ . Fixed bug GH-17961 (use-after-free during dl()'ed module class destruction).`
	`7`	`+ (Arnaud)`
	`8`	`+ . Fixed bug GH-15367 (dl() of module with aliased class crashes in shutdown).`
	`9`	`+ (Arnaud)`
	`10`	`+`
`5`	`11`	`- DOM:`
`6`	`12`	`. Fix weird unpack behaviour in DOM. (nielsdos)`
`7`	`13`

`‎Zend/zend_API.c‎`

Lines changed: 10 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`#include "zend.h"`
`23`	`23`	`#include "zend_execute.h"`
`24`	`24`	`#include "zend_API.h"`
	`25`	`+#include "zend_hash.h"`
`25`	`26`	`#include "zend_modules.h"`
`26`	`27`	`#include "zend_extensions.h"`
`27`	`28`	`#include "zend_constants.h"`
`@@ -3111,21 +3112,17 @@ ZEND_API zend_result zend_get_module_started(const char module_name) / {{{ */`
`3111`	`3112`	`}`
`3112`	`3113`	`/* }}} */`
`3113`	`3114`
`3114`		`-static int clean_module_class(zval el, void arg) /* {{{ */`
`3115`		`-{`
`3116`		`- zend_class_entry ce = (zend_class_entry )Z_PTR_P(el);`
`3117`		`- int module_number = (int )arg;`
`3118`		`- if (ce->type == ZEND_INTERNAL_CLASS && ce->info.internal.module->module_number == module_number) {`
`3119`		`- return ZEND_HASH_APPLY_REMOVE;`
`3120`		`- } else {`
`3121`		`- return ZEND_HASH_APPLY_KEEP;`
`3122`		`- }`
`3123`		`-}`
`3124`		`-/* }}} */`
`3125`		`-`
`3126`	`3115`	`static void clean_module_classes(int module_number) /* {{{ */`
`3127`	`3116`	`{`
`3128`		`- zend_hash_apply_with_argument(EG(class_table), clean_module_class, (void *) &module_number);`
	`3117`	`+ /* Child classes may reuse structures from parent classes, so destroy in reverse order. */`
	`3118`	`+ Bucket *bucket;`
	`3119`	`+ ZEND_HASH_REVERSE_FOREACH_BUCKET(EG(class_table), bucket) {`
	`3120`	`+ zend_class_entry *ce = Z_CE(bucket->val);`
	`3121`	`+ if (ce->type == ZEND_INTERNAL_CLASS && ce->info.internal.module->module_number == module_number) {`
	`3122`	`+ zend_hash_del_bucket(EG(class_table), bucket);`
	`3123`	`+ }`
	`3124`	`+ } ZEND_HASH_FOREACH_END();`
	`3125`	`+`
`3129`	`3126`	`}`
`3130`	`3127`	`/* }}} */`
`3131`	`3128`

`‎ext/dl_test/dl_test.c‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -92,10 +92,22 @@ PHP_METHOD(DlTest, test)`
`92`	`92`	`RETURN_STR(retval);`
`93`	`93`	`}`
`94`	`94`
	`95`	`+PHP_METHOD(DlTestSuperClass, test)`
	`96`	`+{`
	`97`	`+ ZEND_PARSE_PARAMETERS_NONE();`
	`98`	`+`
	`99`	`+ RETURN_NULL();`
	`100`	`+}`
	`101`	`+`
`95`	`102`	`/* {{{ PHP_MINIT_FUNCTION */`
`96`	`103`	`PHP_MINIT_FUNCTION(dl_test)`
`97`	`104`	`{`
	`105`	`+ zend_class_entry *ce;`
	`106`	`+`
`98`	`107`	`register_class_DlTest();`
	`108`	`+ ce = register_class_DlTestSuperClass();`
	`109`	`+ register_class_DlTestSubClass(ce);`
	`110`	`+ register_class_DlTestAliasedClass();`
`99`	`111`
`100`	`112`	`/* Test backwards compatibility */`
`101`	`113`	`if (getenv("PHP_DL_TEST_USE_OLD_REGISTER_INI_ENTRIES")) {`

`‎ext/dl_test/dl_test.stub.php‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,3 +12,15 @@ function dl_test_test2(string $str = ""): string {}`
`12`	`12`	`class DlTest {`
`13`	`13`	`public function test(string $str = ""): string {}`
`14`	`14`	`}`
	`15`	`+`
	`16`	`+class DlTestSuperClass {`
	`17`	`+ public int $a;`
	`18`	`+ public function test(string $str = ""): string {}`
	`19`	`+}`
	`20`	`+`
	`21`	`+class DlTestSubClass extends DlTestSuperClass {`
	`22`	`+}`
	`23`	`+`
	`24`	`+/** @alias DlTestClassAlias */`
	`25`	`+class DlTestAliasedClass {`
	`26`	`+}`

`‎ext/dl_test/dl_test_arginfo.h‎`

Lines changed: 57 additions & 1 deletion

Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 1c18267

File tree

5 files changed

5 files changed

`‎NEWS‎`

`‎Zend/zend_API.c‎`

`‎ext/dl_test/dl_test.c‎`

`‎ext/dl_test/dl_test.stub.php‎`

`‎ext/dl_test/dl_test_arginfo.h‎`

0 commit comments