-
Notifications
You must be signed in to change notification settings - Fork 7.9k
Refresh zend mm shadow key on fork #16765
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
dc9808b to
af56c6e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can these corruption cases be tested with a help of zend_test easily?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried, but this results in a fragile test
af56c6e to
c7f7412
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, see my remarks
I can't test LiteSpeed either, but looking at all "fork" usages in PHP now, the CRIU checkpoint system in LiteSpeed may fork too:
https://github.com/php/php-src/blob/master/sapi/litespeed/lsapi_main.c#L1540 initializes CRIU support
php-src/sapi/litespeed/lscriu.c
Line 517 in b30ccf9
Anyway, this is likely not critical.
I didn't notice that, thank you. I will call php_child_init() on restore.
The memory manager is cleaned up after each request by calling shutdown_memory_manager(). At the same time, this prepares the manager for the next request, and the shadow key is refreshed. In forking SAPIs the first request of every child process inherits the memory manager of the parent process, including the shadow key. As a result, a leak of the shadow key during the first request of one process gives away the shadow key used during the first request of other processes. This makes the key refresh mechanism less useful. Here I ensure that we refresh the shadow key after a fork. The memory manager is not empty at this point (we perform allocations after shutdown_memory_manager()), so we have to recompute any shadow pointers with the new key. We assume that the parent process had only one PHP thread running, as anything else would be unsafe. If a SAPI forks a process running more than one PHP thread, it is its responsibility to call refresh_memory_manager() in each PHP thread of the child process. Closes phpGH-16765
ae7364b to
2f13ece
Compare
Uh oh!
There was an error while loading. Please reload this page.
The memory manager is cleaned up after each request by calling
shutdown_memory_manager(). At the same time, this prepares the manager for the next request, and the shadow key is refreshed.Unfortunately, in forking SAPIs the first request of every child process inherits the memory manager of the parent process, including the shadow key. As a result, a leak of the shadow key during the first request of one process gives away the shadow key used during the first request of other processes. This does not defeat shadow pointers, but this makes the key refresh mechanism less useful.
Here I ensure that we refresh the shadow key after a fork. The memory manager is not empty at this point (we perform allocations after
shutdown_memory_manager()), so we have to recompute any shadow pointers with the new key.I'm targeting 8.4, but this is too risky and not critical enough for the last RC. I would like to merge this in 8.4.1.
Edit: now targeting 8.5.
ZTS: We assume that the forked process has only one thread, as anything else would be unsafe. If a SAPI forks a process running more than one thread, it is its responsibility to call
refresh_memory_manager()in each PHP thread of the child process.NB: I can't test litespeed.
UPGRADING.INTERNALS:
Credits: This was a known issue (#14054 (comment)), but this was also independently discovered and reported by @GhostFrankWu @KpwnZ.