Skip to content

SEGV Zend/zend_API.h:2316 dl #17211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
YuanchengJiang opened this issue Dec 18, 2024 · 3 comments
Closed

SEGV Zend/zend_API.h:2316 dl #17211

YuanchengJiang opened this issue Dec 18, 2024 · 3 comments
Assignees
@arnaud-lb
Labels
Bug Status: Needs Triage

Comments

@YuanchengJiang
Copy link

YuanchengJiang commented Dec 18, 2024
edited
Loading

Description

The following code:

<?php
$loaded = dl('dl_test.so');
var_dump(dl_test_test2("World!"));

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11

To reproduce:

-d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_test.observer.enabled=1" -d "zend_test.observer.observe_functions=1"

PHP Version

nightly

Operating System

No response
@cmb69
Copy link
Member

cmb69 commented Dec 18, 2024

This either has the same root cause as #16811 or #9196, I think.

@arnaud-lb
Copy link
Member

arnaud-lb commented Dec 19, 2024
edited
Loading

What is happening is that after ZEND_SEND_VAL_EX "World!", the arg is overridden here:

php-src/Zend/zend_observer.c

Line 270 in 4b1c3cf

*prev_observed_frame(execute_data) = EG(current_observed_frame);

prev_observed_frame() miscomputes the address of the frame because the function doesn't have a temporary to store the previous frame. Normally, we add the temporary in zend_observer_post_startup(), but this is not executed for dl'ed functions:

php-src/Zend/zend_observer.c

Lines 86 to 96 in 4b1c3cf

// Add an observer temporary to store previous observed frames
zend_internal_function *zif;
ZEND_HASH_FOREACH_PTR(CG(function_table), zif) {
++zif->T;
} ZEND_HASH_FOREACH_END();
zend_class_entry *ce;
ZEND_HASH_MAP_FOREACH_PTR(CG(class_table), ce) {
ZEND_HASH_MAP_FOREACH_PTR(&ce->function_table, zif) {
++zif->T;
} ZEND_HASH_FOREACH_END();
} ZEND_HASH_FOREACH_END();

@arnaud-lb arnaud-lb self-assigned this Dec 19, 2024
@arnaud-lb arnaud-lb mentioned this issue Dec 19, 2024
Closed
@arnaud-lb
Copy link
Member

Thank you @YuanchengJiang!

charmitro pushed a commit to wasix-org/php that referenced this issue Mar 13, 2025
@arnaud-lb @charmitro
Add observer temporary to dl'ed functions
7c10956 
When observer is enabled, we normally add an extra temporary to all
functions, to store the previously observed frame. However, this is done in
zend_observer_post_startup() so it doesn't happen to dl'ed() functions.

One possible fix would be to move that from zend_observer_post_startup()
to zend_register_functions(), but this would be too early: Observer may
not be enabled when zend_register_functions() is called, and may still be
enabled later.

However, when zend_register_functions() is called at run-time (during dl()),
we know definitively whether observer is enabled.

Here I update zend_register_functions() to add a temporary to dl'ed()
functions when observer is enabled.

Fixes: phpGH-17211
Closes: phpGH-17220
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arnaud-lb arnaud-lb

Labels
Bug Status: Needs Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arnaud-lb @cmb69 @YuanchengJiang