Add VM reentry limit

nikic · nikic · commit 7d38d0b0f992 · 2020-01-31T12:30:04.000+01:00
diff --git a/Zend/zend.c b/Zend/zend.c
@@ -175,6 +175,7 @@ ZEND_INI_BEGIN()
 	STD_ZEND_INI_BOOLEAN("zend.signal_check", "0", ZEND_INI_SYSTEM, OnUpdateBool, check, zend_signal_globals_t, zend_signal_globals)
 #endif
 	STD_ZEND_INI_BOOLEAN("zend.exception_ignore_args",	"0",	ZEND_INI_ALL,		OnUpdateBool, exception_ignore_args, zend_executor_globals, executor_globals)
+	STD_ZEND_INI_ENTRY("zend.vm_reentry_limit", "1000", ZEND_INI_ALL, OnUpdateLong, vm_reentry_limit, zend_executor_globals, executor_globals)
 ZEND_INI_END()
 
 ZEND_API size_t zend_vspprintf(char **pbuf, size_t max_len, const char *format, va_list ap) /* {{{ */
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2009,6 +2009,13 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_use_new_element_for_s
 	zend_throw_error(NULL, "[] operator not supported for strings");
 }
 
+static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_vm_reentry_limit_error()
+{
+	zend_throw_error(NULL,
+		"VM reentry limit of " ZEND_ULONG_FMT " reached. Infinite recursion?",
+		EG(vm_reentry_limit));
+}
+
 static ZEND_COLD void zend_binary_assign_op_dim_slow(zval *container, zval *dim OPLINE_DC EXECUTE_DATA_DC)
 {
 	if (UNEXPECTED(Z_TYPE_P(container) == IS_STRING)) {
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
@@ -174,6 +174,7 @@ void init_executor(void) /* {{{ */
 
 	EG(fake_scope) = NULL;
 	EG(trampoline).common.function_name = NULL;
+	EG(vm_reentry_count) = 0;
 
 	EG(ht_iterators_count) = sizeof(EG(ht_iterators_slots)) / sizeof(HashTableIterator);
 	EG(ht_iterators_used) = 0;
diff --git a/Zend/zend_globals.h b/Zend/zend_globals.h
@@ -237,6 +237,8 @@ struct _zend_executor_globals {
 	HashTable weakrefs;
 
 	zend_bool exception_ignore_args;
+	zend_ulong vm_reentry_count;
+	zend_ulong vm_reentry_limit;
 
 	void *reserved[ZEND_MAX_RESERVED_RESOURCES];
 };
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -51683,6 +51683,12 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 	LOAD_OPLINE();
 	ZEND_VM_LOOP_INTERRUPT_CHECK();
 
+	if (EG(vm_reentry_count)++ > EG(vm_reentry_limit)) {
+		zend_vm_reentry_limit_error();
+		LOAD_OPLINE();
+		/* Fall through to handle exception below. */
+	}
+
 	while (1) {
 #if !defined(ZEND_VM_FP_GLOBAL_REG) || !defined(ZEND_VM_IP_GLOBAL_REG)
 			int ret;
@@ -55921,6 +55927,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 #ifdef ZEND_VM_IP_GLOBAL_REG
 				opline = orig_opline;
 #endif
+				EG(vm_reentry_count)--;
 				return;
 			HYBRID_DEFAULT:
 				VM_TRACE(ZEND_NULL)
@@ -55941,6 +55948,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 # ifdef ZEND_VM_IP_GLOBAL_REG
 				opline = orig_opline;
 # endif
+				EG(vm_reentry_count)--;
 				return;
 			}
 #endif
diff --git a/Zend/zend_vm_execute.skl b/Zend/zend_vm_execute.skl
@@ -16,6 +16,12 @@ ZEND_API void {%EXECUTOR_NAME%}_ex(zend_execute_data *ex)
 	LOAD_OPLINE();
 	ZEND_VM_LOOP_INTERRUPT_CHECK();
 
+	if (EG(vm_reentry_count)++ > EG(vm_reentry_limit)) {
+		zend_vm_reentry_limit_error();
+		LOAD_OPLINE();
+		/* Fall through to handle exception below. */
+	}
+
 	while (1) {
 		{%ZEND_VM_CONTINUE_LABEL%}
 		{%ZEND_VM_DISPATCH%} {
diff --git a/Zend/zend_vm_gen.php b/Zend/zend_vm_gen.php
@@ -1753,6 +1753,7 @@ function gen_executor_code($f, $spec, $kind, $prolog, &$switch_labels = array())
 			out($f,"#ifdef ZEND_VM_IP_GLOBAL_REG\n");
 			out($f,"\t\t\t\topline = orig_opline;\n");
 			out($f,"#endif\n");
+			out($f,"\t\t\t\tEG(vm_reentry_count)--;\n");
 			out($f,"\t\t\t\treturn;\n");
 			out($f,"\t\t\tHYBRID_DEFAULT:\n");
 			out($f,"\t\t\t\tVM_TRACE(ZEND_NULL)\n");
@@ -2158,6 +2159,7 @@ function gen_executor($f, $skl, $spec, $kind, $executor_name, $initializer_name)
 								"# ifdef ZEND_VM_IP_GLOBAL_REG\n" .
 						        $m[1]."\topline = orig_opline;\n" .
 								"# endif\n".
+						        $m[1]."\tEG(vm_reentry_count)--;\n".
 						        $m[1]."\treturn;\n".
 						        $m[1]."}\n".
 								"#endif\n");
diff --git a/php.ini-development b/php.ini-development
@@ -365,6 +365,12 @@ zend.enable_gc = On
 ; Default: Off
 zend.exception_ignore_args = Off
 
+; Limit for recursion via VM reentry, used to prevent stack overflow.
+; This only affects recursion through magic method calls and similar mechanism.
+; Some profiling, debugging or APM extensions might make this limit apply to plain
+; recursion as well, in which case you may wish to raise it.
+;zend.vm_reentry_limit = 1000
+
 ;;;;;;;;;;;;;;;;;
 ; Miscellaneous ;
 ;;;;;;;;;;;;;;;;;
diff --git a/php.ini-production b/php.ini-production
@@ -367,6 +367,12 @@ zend.enable_gc = On
 ; of sensitive information in stack traces
 zend.exception_ignore_args = On
 
+; Limit for recursion via VM reentry, used to prevent stack overflow.
+; This only affects recursion through magic method calls and similar mechanism.
+; Some profiling, debugging or APM extensions might make this limit apply to plain
+; recursion as well, in which case you may wish to raise it.
+;zend.vm_reentry_limit = 1000
+
 ;;;;;;;;;;;;;;;;;
 ; Miscellaneous ;
 ;;;;;;;;;;;;;;;;;

Original file line number	Diff line number	Diff line change
`@@ -2009,6 +2009,13 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_use_new_element_for_s`
`2009`	`2009`	`zend_throw_error(NULL, "[] operator not supported for strings");`
`2010`	`2010`	`}`
`2011`	`2011`
	`2012`	`+static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_vm_reentry_limit_error()`
	`2013`	`+{`
	`2014`	`+ zend_throw_error(NULL,`
	`2015`	`+ "VM reentry limit of " ZEND_ULONG_FMT " reached. Infinite recursion?",`
	`2016`	`+ EG(vm_reentry_limit));`
	`2017`	`+}`
	`2018`	`+`
`2012`	`2019`	`static ZEND_COLD void zend_binary_assign_op_dim_slow(zval container, zval dim OPLINE_DC EXECUTE_DATA_DC)`
`2013`	`2020`	`{`
`2014`	`2021`	`if (UNEXPECTED(Z_TYPE_P(container) == IS_STRING)) {`