Fix possible use-after-free in realpath_cache_clean()#7028
DimitryAndric wants to merge 1 commit into php:master from
Conversation
If ZTS is enabled, this can cause cwd_globals_ctor() to be called multiple times, each with a freshly allocated virtual_cwd_globals instance. At shutdown time however, cwd_globals_dtor() will call realpath_cache_clean(), which then possibly cleans up the same realpath_cache instance more than once. Using AddressSanitizer, this shows up as a heap use-after-free. To avoid this, add a helper function to do the actual work on one instance of a realpath_cache, and call it both from cwd_globals_dtor() and realpath_cache_clean(). The former uses the virtual_cwd_globals parameter passed in via the destructor, the latter uses the CWDG() macro.
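The pattern the description lays out, as an added C model rather than PHP's own source: one helper cleans exactly the cache instance it is handed, the destructor calls it with the globals it receives, and the public realpath_cache_clean() calls it with the current thread's globals. Apart from cwd_globals_ctor, cwd_globals_dtor, realpath_cache_clean and realpath_cache, every name here is constructed for the example; current_globals stands in for the CWDG() macro, and cwd_globals_dtor_buggy models the pre-fix destructor that ignored its argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the per-thread realpath cache (constructed names). */
#define CACHE_BUCKETS 8

typedef struct cache_entry {
    char *path;
    struct cache_entry *next;
} cache_entry;

typedef struct {
    cache_entry *buckets[CACHE_BUCKETS];
} realpath_cache;

/* Under ZTS each thread gets its own freshly allocated instance of these. */
typedef struct {
    realpath_cache realpath_cache;
} cwd_globals;

/* Stand-in for CWDG(): the globals of the thread that is currently running. */
static cwd_globals *current_globals = NULL;

void cwd_globals_ctor(cwd_globals *g) { memset(g, 0, sizeof(*g)); }

static unsigned hash_path(const char *path)
{
    unsigned h = 5381;
    for (; *path; path++) h = h * 33 + (unsigned char)*path;
    return h % CACHE_BUCKETS;
}

/* Insert a heap-allocated entry into one specific instance. */
int cache_insert(cwd_globals *g, const char *path)
{
    cache_entry *e = malloc(sizeof(*e));
    if (!e) return -1;
    size_t len = strlen(path) + 1;
    e->path = malloc(len);
    if (!e->path) { free(e); return -1; }
    memcpy(e->path, path, len);
    unsigned i = hash_path(path);
    e->next = g->realpath_cache.buckets[i];
    g->realpath_cache.buckets[i] = e;
    return 0;
}

size_t count_entries(const cwd_globals *g)
{
    size_t n = 0;
    for (unsigned i = 0; i < CACHE_BUCKETS; i++)
        for (const cache_entry *e = g->realpath_cache.buckets[i]; e; e = e->next) n++;
    return n;
}

/* The fix's core: a helper that frees exactly the instance it is given. */
static size_t realpath_cache_clean_instance(realpath_cache *cache)
{
    size_t freed = 0;
    for (unsigned i = 0; i < CACHE_BUCKETS; i++) {
        for (cache_entry *e = cache->buckets[i]; e;) {
            cache_entry *next = e->next;
            free(e->path);
            free(e);
            freed++;
            e = next;
        }
        cache->buckets[i] = NULL; /* in this model a repeat clean is a no-op */
    }
    return freed;
}

/* Public entry point: acts on the current thread's globals via the accessor. */
size_t realpath_cache_clean(void)
{
    return realpath_cache_clean_instance(&current_globals->realpath_cache);
}

/* Destructor after the fix: uses the instance passed in, since it may run on a
 * thread whose current_globals is a different instance. */
size_t cwd_globals_dtor(cwd_globals *g)
{
    return realpath_cache_clean_instance(&g->realpath_cache);
}

/* Modelled pre-fix destructor: goes through the accessor, so destroying
 * another thread's globals cleans the current thread's cache again instead. */
size_t cwd_globals_dtor_buggy(cwd_globals *g)
{
    (void)g;
    return realpath_cache_clean();
}

/* Two threads' globals torn down from thread A's context. Returns entries
 * still held by both instances afterwards: 0 when every instance is cleaned. */
static void populate(cwd_globals *a, cwd_globals *b)
{
    cwd_globals_ctor(a); cwd_globals_ctor(b);
    cache_insert(a, "/var/www/a"); cache_insert(a, "/tmp/a");               /* constructed */
    cache_insert(b, "/var/www/b"); cache_insert(b, "/tmp/b"); cache_insert(b, "/etc/b");
}

size_t leftover_after_fixed_teardown(void)
{
    cwd_globals a, b;
    populate(&a, &b);
    current_globals = &a;
    cwd_globals_dtor(&a);
    cwd_globals_dtor(&b);
    return count_entries(&a) + count_entries(&b);
}

size_t leftover_after_buggy_teardown(void)
{
    cwd_globals a, b;
    populate(&a, &b);
    current_globals = &a;
    cwd_globals_dtor_buggy(&a);        /* cleans a */
    cwd_globals_dtor_buggy(&b);        /* cleans a again; b is never touched */
    size_t left = count_entries(&b);
    cwd_globals_dtor(&b);              /* release b so the example itself does not leak */
    return left;
}

int main(void)
{
    printf("fixed teardown leaves %zu entries\n", leftover_after_fixed_teardown());
    printf("buggy teardown leaves %zu entries\n", leftover_after_buggy_teardown());
    return 0;
}
```

In this model the second clean of the same instance is harmless because the bucket heads are reset to NULL; the visible symptom of the wrong-instance destructor is that instance B is never released. In the real cache, as the description states, the repeated clean walked already-freed memory and AddressSanitizer reported a heap use-after-free, which is why the destructor must only ever work on the instance it is handed.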
Alternative approach in 9d38056, but this required adding a
nikic
left a comment
I think this looks reasonable for now, though it's rather annoying that you can't use normal global access in globals_dtor, as it may get run from a different thread :/
Merged as 99a2085.
I guess this is because
Fix for https://bugs.php.net/bug.php?id=81068.