Fix phpGH-22060 and phpGH-22122: pin object/closure in callback dispatch

iliaal · iliaal · commit d6ac8ec596e5 · 2026-05-24T21:22:36.000-04:00
zend_call_known_fcc and the SPL autoload loop both forward the callback's bound object and closure into the call frame without addref'ing, on the convention that the caller pins them for the call duration. The convention breaks whenever the pointer is borrowed from persistent storage that the callback can mutate: a method-bound autoloader self-unregistering via spl_autoload_unregister, or a SQLite3 authorizer callback calling setAuthorizer(null) both release the only refcount holder mid-call and the method body dereferences freed memory. GC_ADDREF object and closure before the call and OBJ_RELEASE after, in both dispatch sites. Initialize fcc.closure in ReflectionFunction::invoke and invokeArgs alongside the other fields, since the new pin reads it. Fixes phpGH-22060 Fixes phpGH-22122
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
@@ -849,7 +849,21 @@ static zend_always_inline void zend_call_known_fcc(
 		memcpy(func, fcc->function_handler, sizeof(zend_function));
 		zend_string_addref(func->op_array.function_name);
 	}
+	zend_object *pinned_object = fcc->object;
+	zend_object *pinned_closure = fcc->closure;
+	if (pinned_object) {
+		GC_ADDREF(pinned_object);
+	}
+	if (pinned_closure) {
+		GC_ADDREF(pinned_closure);
+	}
 	zend_call_known_function(func, fcc->object, fcc->called_scope, retval_ptr, param_count, params, named_params);
+	if (pinned_object) {
+		OBJ_RELEASE(pinned_object);
+	}
+	if (pinned_closure) {
+		OBJ_RELEASE(pinned_closure);
+	}
 }
 
 /* Call the provided zend_function instance method on an object. */
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -2074,6 +2074,7 @@ ZEND_METHOD(ReflectionFunction, invoke)
 	fcc.function_handler = fptr;
 	fcc.called_scope = NULL;
 	fcc.object = NULL;
+	fcc.closure = NULL;
 
 	if (!Z_ISUNDEF(intern->obj)) {
 		Z_OBJ_HT(intern->obj)->get_closure(
@@ -2113,6 +2114,7 @@ ZEND_METHOD(ReflectionFunction, invokeArgs)
 	fcc.function_handler = fptr;
 	fcc.called_scope = NULL;
 	fcc.object = NULL;
+	fcc.closure = NULL;
 
 	if (!Z_ISUNDEF(intern->obj)) {
 		Z_OBJ_HT(intern->obj)->get_closure(
diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
@@ -439,7 +439,21 @@ static zend_class_entry *spl_perform_autoload(zend_string *class_name, zend_stri
 
 		zval param;
 		ZVAL_STR(&param, class_name);
+		zend_object *pinned_obj = alfi->obj;
+		zend_object *pinned_closure = alfi->closure;
+		if (pinned_obj) {
+			GC_ADDREF(pinned_obj);
+		}
+		if (pinned_closure) {
+			GC_ADDREF(pinned_closure);
+		}
 		zend_call_known_function(func, alfi->obj, alfi->ce, NULL, 1, &param, NULL);
+		if (pinned_obj) {
+			OBJ_RELEASE(pinned_obj);
+		}
+		if (pinned_closure) {
+			OBJ_RELEASE(pinned_closure);
+		}
 		if (EG(exception)) {
 			break;
 		}
diff --git a/ext/spl/tests/gh22060.phpt b/ext/spl/tests/gh22060.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-22060 (Class autoloader $this freed via spl_autoload_unregister during dispatch)
+--FILE--
+<?php
+
+class Loader {
+    public string $data = "loader-data";
+
+    public function load(string $class): void {
+        spl_autoload_unregister([$this, 'load']);
+        echo $this->data, "\n";
+    }
+}
+
+$obj = new Loader();
+spl_autoload_register([$obj, 'load']);
+unset($obj);
+
+try {
+    new NonExistentClass42();
+} catch (\Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+loader-data
+Error: Class "NonExistentClass42" not found
diff --git a/ext/sqlite3/tests/gh22122.phpt b/ext/sqlite3/tests/gh22122.phpt
@@ -0,0 +1,54 @@
+--TEST--
+GH-22122 (Use-after-free in SQLite3 authorizer when callback releases the authorizer)
+--EXTENSIONS--
+sqlite3
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+
+/* Method receiver - the reported UAF shape. */
+class Auth {
+    public string $state = "alive";
+
+    public function authorize(int $action, ...$args): int {
+        global $db;
+        $db->setAuthorizer(null);
+        echo "method: ", $this->state, "\n";
+        return SQLite3::OK;
+    }
+}
+$auth = new Auth();
+$db->setAuthorizer([$auth, 'authorize']);
+unset($auth);
+$db->exec('SELECT 1');
+
+/* Closure receiver - exercises the saved_closure release path. */
+$capture = "closure-alive";
+$closure = function (int $action, ...$args) use (&$capture, $db): int {
+    $db->setAuthorizer(null);
+    echo "closure: ", $capture, "\n";
+    return SQLite3::OK;
+};
+$db->setAuthorizer($closure);
+unset($closure);
+$db->exec('SELECT 2');
+
+/* Confirm the authorizer was actually disabled by the callback (setAuthorizer null). */
+$db->exec('SELECT 3');
+echo "post-disable query ok\n";
+
+/* Throwing callback should propagate the user's exception without redundant warnings. */
+$db->setAuthorizer(function () { throw new RuntimeException("from authorizer"); });
+try {
+    @$db->exec('SELECT 4');
+} catch (RuntimeException $e) {
+    echo "throw: ", $e->getMessage(), "\n";
+}
+echo "done\n";
+?>
+--EXPECT--
+method: alive
+closure: closure-alive
+post-disable query ok
+throw: from authorizer
+done
