Skip to content

Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts #13892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 6, 2024
Merged

Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts #13892

merged 4 commits into from
Apr 6, 2024

Conversation

nielsdos
Copy link
Member

@nielsdos nielsdos commented Apr 5, 2024
edited
Loading

The hash tables used are allocated via the persistent allocator. When using ini_set, the allocation happens via the non-persistent allocator. When the table is then freed in GSHUTDOWN, we get a crash because the allocators are mismatched.

As a side note, it is strange that this is designed this way, because it means that ini_sets persist between requests...

Test credits go to Kamil Tekiela.

@nielsdos
Fix phpGH-13891: memleak and segfault when using ini_set with session…
c248081 
….trans_sid_hosts

The hash tables used are allocated via the persistent allocator.
When using ini_set, the allocation happens via the non-persistent
allocator. When the table is then freed in GSHUTDOWN, we get a crash
because the allocators are mismatched.

As a side note, it is strange that this is designed this way, because it
means that ini_sets persist between requests...

Test credits go to Kamil Tekiela.
@nielsdos nielsdos requested review from bukka and Girgias as code owners April 5, 2024 19:49
@nielsdos nielsdos linked an issue Apr 5, 2024 that may be closed by this pull request
=== Total 1 memory leaks detected === zend_mm_heap corrupted Segmentation fault #13891
Closed
@nielsdos nielsdos requested a review from kamil-tekiela April 5, 2024 19:52
kamil-tekiela
kamil-tekiela reviewed Apr 5, 2024
View reviewed changes
@kamil-tekiela
Copy link
Member

According to the documentation:

Sets the value of the given configuration option. The configuration option will keep this new value during the script's execution, and will be restored at the script's ending.

Why is the hash table persistent then? Isn't that the bug?

kamil-tekiela
kamil-tekiela reviewed Apr 5, 2024
View reviewed changes
@nielsdos
Copy link
Member Author

nielsdos commented Apr 5, 2024
edited
Loading

According to the documentation:

Sets the value of the given configuration option. The configuration option will keep this new value during the script's execution, and will be restored at the script's ending.

Why is the hash table persistent then? Isn't that the bug?

I also thought about that, and I could fix that up.
The problem I think is that this has been the case since forever, so this would be a BC break. I wouldn't be surprised if people actually depended on this even without them knowing.

EDIT: wait, let me double check

@nielsdos
Copy link
Member Author

nielsdos commented Apr 5, 2024
edited
Loading

Okay, I double checked with Apache and I see that my claim that this is persisted between requests is false. Sorry for the mess. EDIT: to clarify why this is: this is because the ini message handler first clears the hash table, so when resetting the ini values this will clean up whatever was set in the previous request.

However, the hashtable has to be persistent though because the ini message handler can be called outside of a request, so the strings should be persistent as well. (e.g. it can be called in ZEND_INI_STAGE_STARTUP)

nielsdos and others added 2 commits April 5, 2024 22:53
@nielsdos @kamil-tekiela
Update ext/standard/url_scanner_ex.re
cce8ccb 
Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
@nielsdos
Further review comment fixes
0316664
kamil-tekiela
kamil-tekiela approved these changes Apr 5, 2024
View reviewed changes
Copy link
Member

@kamil-tekiela kamil-tekiela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@kamil-tekiela
Copy link
Member

Side note: shouldn't it be possible to trigger this bug not during runtime?

@nielsdos
Copy link
Member Author

nielsdos commented Apr 5, 2024

Side note: shouldn't it be possible to trigger this bug not during runtime?

I think so, because you're using request memory outside of request context.

@nielsdos nielsdos merged commit 5ce9687 into php:PHP-8.2 Apr 6, 2024
nielsdos added a commit that referenced this pull request Apr 6, 2024
@nielsdos
Merge branch 'PHP-8.2' into PHP-8.3
eb244fc 
* PHP-8.2:
  [ci skip] NEWS
  Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)
nielsdos added a commit that referenced this pull request Apr 6, 2024
@nielsdos
Merge branch 'PHP-8.3'
cf31332 
* PHP-8.3:
  [ci skip] NEWS
  Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kamil-tekiela kamil-tekiela kamil-tekiela approved these changes

@bukka bukka Awaiting requested review from bukka bukka is a code owner

@Girgias Girgias Awaiting requested review from Girgias Girgias is a code owner

Assignees
No one assigned
Labels
Extension: session Extension: standard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

=== Total 1 memory leaks detected === zend_mm_heap corrupted Segmentation fault
2 participants
@nielsdos @kamil-tekiela