Fix GH-16321: UAF in list_entry_destructor when resource dtor adds references#24
Closed
Fix GH-16321: UAF in list_entry_destructor when resource dtor adds references#24
Conversation
… references list_entry_destructor() freed the resource struct unconditionally after calling its destructor. If user code ran during the destructor (e.g. a stream filter callback) and something captured a new reference to the resource (e.g. an exception backtrace), the struct was freed while still referenced, causing a heap-use-after-free in _build_trace_args(). Bump the resource refcount before calling the destructor so reentrant calls to zend_list_free() can't trigger a premature free. After the destructor returns, skip the free if the refcount is still elevated. Add a fallback path in zend_list_free() to free directly when the resource has already been removed from the list. Closes phpGH-16321
Owner
Author
|
Submitted upstream as php#21686 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes php#16321
list_entry_destructor()freed the resource struct unconditionally after calling its destructor. If user code ran during the destructor (e.g. a stream filter callback) and something captured a new reference to the resource (e.g. an exception backtrace), the struct was freed while still referenced, causing a heap-use-after-free in_build_trace_args().Bumps the resource refcount before calling the destructor so reentrant calls to
zend_list_free()can't trigger a premature free. After the destructor returns, skips the free if the refcount is still elevated. Adds a fallback path inzend_list_free()to free directly when the resource has already been removed from the list.