Keep dumped objects alive across __debugInfo() and property hooks #22471
Open
iliaal wants to merge 1 commit into
php_var_dump(), php_debug_zval_dump() and php_var_export() capture the object, invoke a userland callback while holding a raw pointer to it, then read its class, handle, properties or refcount. var_dump() and debug_zval_dump() call __debugInfo() through zend_get_properties_for(ZEND_PROP_PURPOSE_DEBUG); var_export() reads property values, which may run a get hook. A user error handler triggered from any of these can drop the last reference to the object, for example by nulling a reference that aliases the dumped array slot, freeing it before those reads and causing a use-after-free.

Hold a reference on the object across the callback and read its identity through the captured zend_object pointer instead of re-dereferencing the zval, whose contents the handler may also have replaced. The debug_zval_dump() output reports the refcount without this temporary reference.

Fixes phpGH-21024
var_dump() and debug_zval_dump() can use-after-free an object when its __debugInfo() triggers a user error handler that frees the object, for example by nulling a reference that aliases the dumped array slot. Both functions hold a raw pointer to the object across the __debugInfo() call and read its class name, handle and properties afterwards.
Fix: hold a reference on the object across zend_get_properties_for() and read its identity through the captured zend_object pointer rather than the zval, releasing the reference after the dump. debug_zval_dump() reports the refcount without the temporary reference.
This crashes with a plain synchronous handler, independent of any error-handler timing change.
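The reference-holding pattern this PR describes, modelled as a standalone C example added here (it is not php-src code and not the PR's diff). A toy refcounted `obj_t` stands in for `zend_object`, a `zval_t` slot stands in for the array element being dumped, and the callback stands in for `__debugInfo()` or a property get hook whose user error handler nulls the aliasing slot. Dropping the last reference sets a `freed` flag instead of calling `free()`, so the pre-fix path can be observed without real undefined behaviour; `dump_unsafe()` mirrors the old shape, `dump_safe()` mirrors the fix (hold a reference across the callback, read identity through the captured pointer, subtract the temporary hold from the reported refcount). All names and the scrubbing of the "freed" object are constructed for this illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Toy refcounted object standing in for zend_object (constructed for this example).
 * Dropping the last reference sets `freed` instead of calling free(), so the
 * pre-fix path can be observed safely. */
typedef struct {
    unsigned refcount;
    int freed;
    unsigned handle;
    char class_name[16];
} obj_t;

/* A slot aliasing the object: the array element var_dump() is walking. */
typedef struct {
    obj_t *obj;
} zval_t;

static void obj_init(obj_t *o, const char *cls, unsigned handle) {
    o->refcount = 1;          /* the slot holds the only reference */
    o->freed = 0;
    o->handle = handle;
    snprintf(o->class_name, sizeof o->class_name, "%s", cls);
}

static void obj_addref(obj_t *o) { o->refcount++; }

static void obj_release(obj_t *o) {
    if (--o->refcount == 0) {
        o->freed = 1;
        o->handle = 0;        /* scrub identity, as freed memory would be */
        memset(o->class_name, 0, sizeof o->class_name);
    }
}

/* Callback standing in for __debugInfo() (or a get hook) whose user error
 * handler nulls the aliasing slot, dropping the last reference. */
typedef void (*callback_t)(zval_t *slot);

static void hostile_callback(zval_t *slot) {
    obj_t *o = slot->obj;
    slot->obj = NULL;
    obj_release(o);
}

static void benign_callback(zval_t *slot) { (void)slot; }

/* Pre-fix shape: raw pointer across the callback, then read identity.
 * Returns 1 when the read hits an object that was already freed. */
static int dump_unsafe(zval_t *slot, callback_t cb) {
    obj_t *o = slot->obj;
    cb(slot);
    return o->freed;          /* real code reads class name/handle/properties here */
}

/* Fixed shape: hold a reference across the callback and read identity through
 * the captured pointer, never through slot->obj (the callback may have replaced it).
 * Returns 1 when the post-callback reads see an intact object; *reported_refcount
 * is the refcount minus the temporary hold, the way debug_zval_dump() reports it. */
static int dump_safe(zval_t *slot, callback_t cb, unsigned *reported_refcount) {
    obj_t *o = slot->obj;
    unsigned handle_before = o->handle;
    obj_addref(o);
    cb(slot);
    int intact = !o->freed && o->handle == handle_before && o->class_name[0] != '\0';
    *reported_refcount = o->refcount - 1;
    obj_release(o);           /* drop the temporary hold once the dump is done */
    return intact;
}

/* Scenario 1: pre-fix path under the hostile handler reads a freed object (returns 1). */
int scenario_unsafe_reads_freed(void) {
    obj_t o;
    obj_init(&o, "Foo", 1);
    zval_t slot = { &o };
    return dump_unsafe(&slot, hostile_callback);
}

/* Scenario 2: fixed path under the hostile handler: reads are intact, the slot
 * was nulled by the handler, and the object is freed only after the dump. */
int scenario_safe_survives_hostile(void) {
    obj_t o;
    obj_init(&o, "Foo", 2);
    zval_t slot = { &o };
    unsigned rc = 99;
    int intact = dump_safe(&slot, hostile_callback, &rc);
    return intact && slot.obj == NULL && o.freed && rc == 0;
}

/* Scenario 3: fixed path with a benign handler reports the original refcount (1),
 * excluding the temporary hold, and leaves the object alive. */
unsigned scenario_safe_reported_refcount(void) {
    obj_t o;
    obj_init(&o, "Foo", 3);
    zval_t slot = { &o };
    unsigned rc = 99;
    if (!dump_safe(&slot, benign_callback, &rc) || o.freed || o.refcount != 1) return 0;
    return rc;
}

int main(void) {
    printf("unsafe reads freed: %d\n", scenario_unsafe_reads_freed());
    printf("safe survives hostile handler: %d\n", scenario_safe_survives_hostile());
    printf("safe reported refcount: %u\n", scenario_safe_reported_refcount());
    return 0;
}
```

The two things worth noticing are the ones the PR description calls out: after the callback, `slot->obj` is `NULL`, so re-dereferencing the zval would be wrong even if the object were still alive, and the temporary hold has to be subtracted when reporting a refcount, otherwise the dump would show one more reference than the program actually holds.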