Fix GH-13230: phpdbg use-after-free at shutdown#22111
Open
iliaal wants to merge 1 commit into
Open
Conversation
phpdbg_watch_element back-pointers to phpdbg_watchpoint_t went stale when the watchpoint was freed, defeating the phpGH-13681 NULL guards. phpdbg_destroy_watchpoints also iterated its hashes in MSHUTDOWN, after zend_mm_shutdown freed their emalloc backings: non-ASAN tolerated the read, ZTS ASAN aborted. NULL the back-pointer in phpdbg_clean_watch_element, tolerate NULL in phpdbg_backup_watch_element, unregister the freed element from watch_recreation in phpdbg_free_watch_element, and move the recreation drain and the btree plus hash reset into RSHUTDOWN so the work runs while emalloc memory is alive. Drop the late notices from the existing watch_*, gh15210_*, and bug73927 expected outputs since they were artifacts of reading freed memory. Fixes phpGH-13230
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
phpdbg_watch_element back-pointers to phpdbg_watchpoint_t went stale when the watchpoint was freed, and phpdbg_destroy_watchpoints iterated its hashes in MSHUTDOWN after zend_mm_shutdown freed their backings. Non-ASAN tolerated the read, ZTS ASAN aborted.
Late notices that watch_.phpt and gh15210_.phpt previously expected were artifacts of reading freed memory; they're dropped from the expected outputs.
Fixes #13230