Fix use-after-free on object released in hook

iluuu1994 · iluuu1994 · commit a431df83099f · 2024-09-25T17:54:33.000+02:00
Fixes GH-16040
diff --git a/Zend/tests/property_hooks/gh16040.phpt b/Zend/tests/property_hooks/gh16040.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16040: Use-after-free on object released in hook
+--FILE--
+<?php
+
+class A {
+    public $bar {
+        get {
+            $GLOBALS['a'] = null;
+            return 42;
+        }
+    }
+}
+
+$a = new A();
+var_dump($a->bar);
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -684,22 +684,6 @@ static ZEND_COLD void zend_throw_no_prop_backing_value_access(zend_string *class
 		ZSTR_VAL(class_name), ZSTR_VAL(prop_name));
 }
 
-static bool zend_call_get_hook(
-	const zend_property_info *prop_info, zend_string *prop_name,
-	zend_function *get, zend_object *zobj, zval *rv)
-{
-	if (!zend_should_call_hook(prop_info, zobj)) {
-		if (UNEXPECTED(prop_info->flags & ZEND_ACC_VIRTUAL)) {
-			zend_throw_no_prop_backing_value_access(zobj->ce->name, prop_name, /* is_read */ true);
-		}
-		return false;
-	}
-
-	zend_call_known_instance_method_with_0_params(get, zobj, rv);
-
-	return true;
-}
-
 ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int type, void **cache_slot, zval *rv) /* {{{ */
 {
 	zval *retval;
@@ -808,8 +792,9 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 
 		zend_class_entry *ce = zobj->ce;
 
-		if (!zend_call_get_hook(prop_info, name, get, zobj, rv)) {
-			if (EG(exception)) {
+		if (!zend_should_call_hook(prop_info, zobj)) {
+			if (UNEXPECTED(prop_info->flags & ZEND_ACC_VIRTUAL)) {
+				zend_throw_no_prop_backing_value_access(zobj->ce->name, name, /* is_read */ true);
 				return &EG(uninitialized_zval);
 			}
 
@@ -826,12 +811,19 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 			goto try_again;
 		}
 
-		if (EXPECTED(cache_slot
+		/* Compute simple get before calling hook, as the hook may release zobj. */
+		bool cache_simple_get = cache_slot
 		 && zend_execute_ex == execute_ex
 		 && zobj->ce->default_object_handlers->read_property == zend_std_read_property
 		 && !zobj->ce->create_object
 		 && !zend_is_in_hook(prop_info)
-		 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE))) {
+		 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
+
+		zend_call_known_instance_method_with_0_params(get, zobj, rv);
+
+		/* Only cache simple get after calling the hook to provide better error
+		 * messages for accidentally recursive hooks. */
+		if (EXPECTED(cache_simple_get)) {
 			ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);
 		}
 
@@ -2229,14 +2221,17 @@ ZEND_API int zend_std_has_property(zend_object *zobj, zend_string *name, int has
 		}
 
 		zval rv;
-		if (!zend_call_get_hook(prop_info, name, get, zobj, &rv)) {
-			if (EG(exception)) {
+		if (!zend_should_call_hook(prop_info, zobj)) {
+			if (UNEXPECTED(prop_info->flags & ZEND_ACC_VIRTUAL)) {
+				zend_throw_no_prop_backing_value_access(zobj->ce->name, name, /* is_read */ true);
 				return 0;
 			}
 			property_offset = prop_info->offset;
 			goto try_again;
 		}
 
+		zend_call_known_instance_method_with_0_params(get, zobj, &rv);
+
 		if (has_set_exists == ZEND_PROPERTY_NOT_EMPTY) {
 			result = zend_is_true(&rv);
 		} else {
