Commit f744c82

committed

Fix GH-19706: dba stream resource mismanagement

This regressed in 8.4 when dba started mixing objects and resources (streams). The streams are first destroyed at a first step in shutdown, and in slow shutdown then the symbol table is destroyed which destroys the dba objects. The dba objects still use the streams but they have been destroyed already, causing a UAF. Using dtor_obj instead of free_obj would work around this but would cause issues like memory leaks because dtor_obj may be skipped while free_obj may not be. Instead, use the same solution as mysqlnd uses in that we fully manage the stream lifecycle ourselves. This also avoids users from meddling with the stream through get_resources(). This would be fixed 'automatically' in the future when we are using objects for everything. Closes GH-19710.

1 parent c583124 commit f744c82Copy full SHA for f744c82

File tree

3 files changed

+45

-2

lines changed

NEWS
ext/dba
- dba.c
- tests
  - gh19706.phpt

3 files changed

+45

-2

lines changed

`‎NEWS`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,9 @@ PHP NEWS`
`23`	`23`	`. Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.`
`24`	`24`	`(ilutov)`
`25`	`25`
	`26`	`+- DBA:`
	`27`	`+ . Fixed bug GH-19706 (dba stream resource mismanagement). (nielsdos)`
	`28`	`+`
`26`	`29`	`- DOM:`
`27`	`30`	`. Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug). (nielsdos)`
`28`	`31`

`‎ext/dba/dba.c`

Lines changed: 22 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -256,14 +256,14 @@ static void dba_close_info(dba_info *info)`
`256`	`256`	`if (info->flags & DBA_PERSISTENT) {`
`257`	`257`	`php_stream_pclose(info->fp);`
`258`	`258`	`} else {`
`259`		`- php_stream_close(info->fp);`
	`259`	`+ php_stream_free(info->fp, PHP_STREAM_FREE_CLOSE \| PHP_STREAM_FREE_RSRC_DTOR);`
`260`	`260`	`}`
`261`	`261`	`}`
`262`	`262`	`if (info->lock.fp) {`
`263`	`263`	`if (info->flags & DBA_PERSISTENT) {`
`264`	`264`	`php_stream_pclose(info->lock.fp);`
`265`	`265`	`} else {`
`266`		`- php_stream_close(info->lock.fp);`
	`266`	`+ php_stream_free(info->lock.fp, PHP_STREAM_FREE_CLOSE \| PHP_STREAM_FREE_RSRC_DTOR);`
`267`	`267`	`}`
`268`	`268`	`}`
`269`	`269`
`@@ -518,6 +518,17 @@ static zend_always_inline zend_string *php_dba_zend_string_dup_safe(zend_string`
`518`	`518`	`}`
`519`	`519`	`}`
`520`	`520`
	`521`	`+/* See mysqlnd_fixup_regular_list */`
	`522`	`+static void php_dba_fixup_regular_list(php_stream *stream)`
	`523`	`+{`
	`524`	`+ dtor_func_t origin_dtor = EG(regular_list).pDestructor;`
	`525`	`+ EG(regular_list).pDestructor = NULL;`
	`526`	`+ zend_hash_index_del(&EG(regular_list), stream->res->handle);`
	`527`	`+ EG(regular_list).pDestructor = origin_dtor;`
	`528`	`+ efree(stream->res);`
	`529`	`+ stream->res = NULL;`
	`530`	`+}`
	`531`	`+`
`521`	`532`	`/* {{{ php_dba_open */`
`522`	`533`	`static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)`
`523`	`534`	`{`
`@@ -831,6 +842,9 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)`
`831`	`842`	`/* do not log errors for .lck file while in read only mode on .lck file */`
`832`	`843`	`lock_file_mode = "rb";`
`833`	`844`	`connection->info->lock.fp = php_stream_open_wrapper(lock_name, lock_file_mode, STREAM_MUST_SEEK\|IGNORE_PATH\|persistent_flag, &opened_path);`
	`845`	`+ if (connection->info->lock.fp && !persistent_flag) {`
	`846`	`+ php_dba_fixup_regular_list(connection->info->lock.fp);`
	`847`	`+ }`
`834`	`848`	`if (opened_path) {`
`835`	`849`	`zend_string_release_ex(opened_path, 0);`
`836`	`850`	`}`
`@@ -844,6 +858,9 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)`
`844`	`858`	`zend_string *opened_path = NULL;`
`845`	`859`	`connection->info->lock.fp = php_stream_open_wrapper(lock_name, lock_file_mode, STREAM_MUST_SEEK\|REPORT_ERRORS\|IGNORE_PATH\|persistent_flag, &opened_path);`
`846`	`860`	`if (connection->info->lock.fp) {`
	`861`	`+ if (!persistent_flag) {`
	`862`	`+ php_dba_fixup_regular_list(connection->info->lock.fp);`
	`863`	`+ }`
`847`	`864`	`if (is_db_lock) {`
`848`	`865`	`if (opened_path) {`
`849`	`866`	`/* replace the path info with the real path of the opened file */`
`@@ -880,6 +897,9 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)`
`880`	`897`	`connection->info->fp = connection->info->lock.fp; /* use the same stream for locking and database access */`
`881`	`898`	`} else {`
`882`	`899`	`connection->info->fp = php_stream_open_wrapper(ZSTR_VAL(connection->info->path), file_mode, STREAM_MUST_SEEK\|REPORT_ERRORS\|IGNORE_PATH\|persistent_flag, NULL);`
	`900`	`+ if (connection->info->fp && !persistent_flag) {`
	`901`	`+ php_dba_fixup_regular_list(connection->info->fp);`
	`902`	`+ }`
`883`	`903`	`}`
`884`	`904`	`if (!connection->info->fp) {`
`885`	`905`	`/* stream operation already wrote an error message */`

`‎ext/dba/tests/gh19706.phpt`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,20 @@`
	`1`	`+--TEST--`
	`2`	`+GH-19706 (dba stream resource mismanagement)`
	`3`	`+--EXTENSIONS--`
	`4`	`+dba`
	`5`	`+--FILE--`
	`6`	`+<?php`
	`7`	`+// Must be in the global scope such that it's part of the symbol table cleanup`
	`8`	`+$db = dba_open(__DIR__ . '/gh19706.cdb', 'n', 'cdb_make');`
	`9`	`+$db2 = $db;`
	`10`	`+var_dump($db, $db2);`
	`11`	`+?>`
	`12`	`+--CLEAN--`
	`13`	`+<?php`
	`14`	`+@unlink(__DIR__ . '/gh19706.cdb');`
	`15`	`+?>`
	`16`	`+--EXPECT--`
	`17`	`+object(Dba\Connection)#1 (0) {`
	`18`	`+}`
	`19`	`+object(Dba\Connection)#1 (0) {`
	`20`	`+}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit f744c82

File tree

3 files changed

3 files changed

`‎NEWS`

`‎ext/dba/dba.c`

`‎ext/dba/tests/gh19706.phpt`

0 commit comments