Fix use-after-free during lazy object initialization

arnaud-lb · arnaud-lb · commit 34f1c416fe08 · 2024-09-23T19:45:13.000+02:00
diff --git a/Zend/tests/lazy_objects/gh15999.phpt b/Zend/tests/lazy_objects/gh15999.phpt
@@ -0,0 +1,65 @@
+--TEST--
+Lazy Objects: GH-15999: Object is released during initialization
+--FILE--
+<?php
+
+class C {
+    public $s;
+    public function __destruct() {
+        var_dump(__METHOD__);
+    }
+}
+
+print "# Ghost:\n";
+
+$r = new ReflectionClass(C::class);
+
+$o = $r->newLazyGhost(function ($obj) {
+    global $o;
+    $o = null;
+});
+
+try {
+    $o->s = $o;
+} catch (Error $e) {
+    printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+print "# Proxy:\n";
+
+$o = $r->newLazyProxy(function ($obj) {
+    global $o;
+    $o = null;
+    return new C();
+});
+
+try {
+    $o->s = $o;
+} catch (Error $e) {
+    printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+print "# GC cycle:\n";
+
+$o = $r->newLazyGhost(function ($obj) {
+    global $o;
+    $o->s = $o;
+    $o = null;
+    gc_collect_cycles();
+});
+
+$o->s = $o;
+gc_collect_cycles();
+
+?>
+==DONE==
+--EXPECT--
+# Ghost:
+string(13) "C::__destruct"
+Error: Object was released during initialization
+# Proxy:
+string(13) "C::__destruct"
+Error: Object was released during initialization
+# GC cycle:
+string(13) "C::__destruct"
+==DONE==
diff --git a/Zend/zend_lazy_objects.c b/Zend/zend_lazy_objects.c
@@ -429,6 +429,9 @@ static zend_object *zend_lazy_object_init_proxy(zend_object *obj)
 	ZEND_ASSERT(zend_object_is_lazy_proxy(obj));
 	ZEND_ASSERT(!zend_lazy_object_initialized(obj));
 
+	/* Prevent object from being released during initialization */
+	GC_ADDREF(obj);
+
 	zend_lazy_object_info *info = zend_lazy_object_get_info(obj);
 
 	/* prevent reentrant initialization */
@@ -447,6 +450,7 @@ static zend_object *zend_lazy_object_init_proxy(zend_object *obj)
 
 	if (UNEXPECTED(EG(exception))) {
 		OBJ_EXTRA_FLAGS(obj) |= IS_OBJ_LAZY_UNINITIALIZED|IS_OBJ_LAZY_PROXY;
+		GC_DELREF(obj);
 		return NULL;
 	}
 
@@ -456,6 +460,7 @@ static zend_object *zend_lazy_object_init_proxy(zend_object *obj)
 				ZSTR_VAL(obj->ce->name),
 				zend_zval_value_name(&retval));
 		zval_ptr_dtor(&retval);
+		GC_DELREF(obj);
 		return NULL;
 
 	}
@@ -466,13 +471,15 @@ static zend_object *zend_lazy_object_init_proxy(zend_object *obj)
 				zend_zval_value_name(&retval),
 				ZSTR_VAL(obj->ce->name));
 		zval_ptr_dtor(&retval);
+		GC_DELREF(obj);
 		return NULL;
 	}
 
 	if (UNEXPECTED(Z_OBJ(retval) == obj || zend_object_is_lazy(Z_OBJ(retval)))) {
 		OBJ_EXTRA_FLAGS(obj) |= IS_OBJ_LAZY_UNINITIALIZED|IS_OBJ_LAZY_PROXY;
 		zend_throw_error(NULL, "Lazy proxy factory must return a non-lazy object");
 		zval_ptr_dtor(&retval);
+		GC_DELREF(obj);
 		return NULL;
 	}
 
@@ -495,6 +502,14 @@ static zend_object *zend_lazy_object_init_proxy(zend_object *obj)
 		}
 	}
 
+	if (UNEXPECTED(GC_DELREF(obj) == 0)) {
+		zend_throw_error(NULL, "Object was released during initialization");
+		zend_objects_store_del(obj);
+		return NULL;
+	} else {
+		gc_check_possible_root((zend_refcounted*) obj);
+	}
+
 	return Z_OBJ(retval);
 }
 
@@ -529,6 +544,9 @@ ZEND_API zend_object *zend_lazy_object_init(zend_object *obj)
 		return zend_lazy_object_init_proxy(obj);
 	}
 
+	/* Prevent object from being released during initialization */
+	GC_ADDREF(obj);
+
 	zend_fcall_info_cache *initializer = zend_lazy_object_get_initializer_fcc(obj);
 
 	/* Prevent reentrant initialization */
@@ -569,13 +587,15 @@ ZEND_API zend_object *zend_lazy_object_init(zend_object *obj)
 
 	if (EG(exception)) {
 		zend_lazy_object_revert_init(obj, properties_table_snapshot, properties_snapshot);
+		GC_DELREF(obj);
 		return NULL;
 	}
 
 	if (Z_TYPE(retval) != IS_NULL) {
 		zend_lazy_object_revert_init(obj, properties_table_snapshot, properties_snapshot);
 		zval_ptr_dtor(&retval);
 		zend_type_error("Lazy object initializer must return NULL or no value");
+		GC_DELREF(obj);
 		return NULL;
 	}
 
@@ -598,6 +618,14 @@ ZEND_API zend_object *zend_lazy_object_init(zend_object *obj)
 	 * zend_lazy_object_has_stale_info() check */
 	zend_lazy_object_del_info(obj);
 
+	if (UNEXPECTED(GC_DELREF(obj) == 0)) {
+		zend_throw_error(NULL, "Object was released during initialization");
+		zend_objects_store_del(obj);
+		return NULL;
+	} else {
+		gc_check_possible_root((zend_refcounted*) obj);
+	}
+
 	return obj;
 }
 
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1189,6 +1189,10 @@ found:;
 		variable_ptr = &EG(error_zval);
 		goto exit;
 	}
+	/* value may have changed during initialization */
+	if (UNEXPECTED(Z_ISREF_P(value))) {
+		value = Z_REFVAL_P(value);
+	}
 	return zend_std_write_property(zobj, name, value, cache_slot);
 }
 /* }}} */

Original file line number	Diff line number	Diff line change
`@@ -1189,6 +1189,10 @@ found:;`
`1189`	`1189`	`variable_ptr = &EG(error_zval);`
`1190`	`1190`	`goto exit;`
`1191`	`1191`	`}`
	`1192`	`+ /* value may have changed during initialization */`
	`1193`	`+ if (UNEXPECTED(Z_ISREF_P(value))) {`
	`1194`	`+ value = Z_REFVAL_P(value);`
	`1195`	`+ }`
`1192`	`1196`	`return zend_std_write_property(zobj, name, value, cache_slot);`
`1193`	`1197`	`}`
`1194`	`1198`	`/* }}} */`