Skip to content

Fix GH-9945: Reject shmop/sysvshm keys outside key_t range #22423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
LamentXU123 merged 1 commit into from
Jun 24, 2026
+67 −7
Merged

Fix GH-9945: Reject shmop/sysvshm keys outside key_t range #22423

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions NEWS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,10 @@ PHP NEWS
. Changed defaults of session.use_strict_mode (now 1), session.cookie_httponly
(now 1) and session.cookie_samesite (now "Lax"). (jorgsowa)

- Shmop:
. Fixed bug GH-9945 (shmop_open() silently truncates keys outside the key_t
range). (Weilin Du)

- Soap:
. Soap::__setCookie() when cookie name is a digit is now not stored and
represented as a string anymore but a int. (David Carlier)
Expand Down Expand Up @@ -236,6 +240,10 @@ PHP NEWS
. Fix bug GH-22062 (SplDoublyLinkedList iterator UAF
via destructor releasing next node). (David Carlier)

- Sysvshm:
. Fixed shm_attach() to throw ValueError for keys outside the key_t range.
(Weilin Du)

- Sqlite3:
. Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche)

Expand Down
11 changes: 9 additions & 2 deletions ext/shmop/shmop.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,13 +129,20 @@ PHP_MINFO_FUNCTION(shmop)
/* {{{ gets and attaches a shared memory segment */
PHP_FUNCTION(shmop_open)
{
zend_long key, mode, size;
zend_long key_arg, mode, size;
key_t key;
php_shmop *shmop;
struct shmid_ds shm;
char *flags;
size_t flags_len;

if (zend_parse_parameters(ZEND_NUM_ARGS(), "lsll", &key, &flags, &flags_len, &mode, &size) == FAILURE) {
if (zend_parse_parameters(ZEND_NUM_ARGS(), "lsll", &key_arg, &flags, &flags_len, &mode, &size) == FAILURE) {
RETURN_THROWS();
}

key = (key_t) key_arg;
if ((zend_long) key != key_arg) {
zend_argument_value_error(1, "is out of range");
RETURN_THROWS();
}

Expand Down
19 changes: 19 additions & 0 deletions ext/shmop/tests/gh9945.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
--TEST--
GH-9945: shmop_open() must reject keys outside the key_t range
--EXTENSIONS--
shmop
--SKIPIF--
<?php
if (PHP_INT_SIZE !== 8) die('skip only for 64-bit');
if (PHP_OS_FAMILY !== 'Linux' && PHP_OS_FAMILY !== 'Windows') die('skip only for platforms with 32-bit key_t');
?>
--FILE--
<?php
try {
shmop_open(0x100000000, '', 0644, 1);
} catch (ValueError $exception) {
echo $exception->getMessage(), "\n";
}
?>
--EXPECT--
shmop_open(): Argument #1 ($key) is out of range
17 changes: 12 additions & 5 deletions ext/sysvshm/sysvshm.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,10 +126,17 @@ PHP_FUNCTION(shm_attach)
sysvshm_shm *shm_list_ptr;
char *shm_ptr;
sysvshm_chunk_head *chunk_ptr;
zend_long shm_key, shm_id, shm_size, shm_flag = 0666;
zend_long shm_key_arg, shm_id, shm_size, shm_flag = 0666;
key_t shm_key;
bool shm_size_is_null = true;

if (SUCCESS != zend_parse_parameters(ZEND_NUM_ARGS(), "l|l!l", &shm_key, &shm_size, &shm_size_is_null, &shm_flag)) {
if (SUCCESS != zend_parse_parameters(ZEND_NUM_ARGS(), "l|l!l", &shm_key_arg, &shm_size, &shm_size_is_null, &shm_flag)) {
RETURN_THROWS();
}

shm_key = (key_t) shm_key_arg;
if ((zend_long) shm_key != shm_key_arg) {
zend_argument_value_error(1, "is out of range");
RETURN_THROWS();
}

Expand All @@ -145,17 +152,17 @@ PHP_FUNCTION(shm_attach)
/* get the id from a specified key or create new shared memory */
if ((shm_id = shmget(shm_key, 0, 0)) < 0) {
if (shm_size < (zend_long)sizeof(sysvshm_chunk_head)) {
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": memorysize too small", shm_key);
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": memorysize too small", shm_key_arg);
RETURN_FALSE;
}
if ((shm_id = shmget(shm_key, shm_size, shm_flag | IPC_CREAT | IPC_EXCL)) < 0) {
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": %s", shm_key, strerror(errno));
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": %s", shm_key_arg, strerror(errno));
RETURN_FALSE;
}
}

if ((shm_ptr = shmat(shm_id, NULL, 0)) == (void *) -1) {
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": %s", shm_key, strerror(errno));
php_error_docref(NULL, E_WARNING, "Failed for key 0x" ZEND_XLONG_FMT ": %s", shm_key_arg, strerror(errno));
RETURN_FALSE;
}

Expand Down
19 changes: 19 additions & 0 deletions ext/sysvshm/tests/gh9945.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
--TEST--
GH-9945: shm_attach() must reject keys outside the key_t range
--EXTENSIONS--
sysvshm
--SKIPIF--
<?php
if (PHP_INT_SIZE !== 8) die('skip only for 64-bit');
if (PHP_OS_FAMILY !== 'Linux' && PHP_OS_FAMILY !== 'Windows') die('skip only for platforms with 32-bit key_t');
?>
--FILE--
<?php
try {
shm_attach(0x100000000, 0);
} catch (ValueError $exception) {
echo $exception->getMessage(), "\n";
}
?>
--EXPECT--
shm_attach(): Argument #1 ($key) is out of range
Loading