Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix GH-13612: Corrupted memory in destructor with weak references #13613

Closed
wants to merge 1 commit into from
Closed

Fix GH-13612: Corrupted memory in destructor with weak references #13613

wants to merge 1 commit into from

Conversation

nielsdos
Copy link
Member

@nielsdos nielsdos commented Mar 6, 2024

Inside zend_object_std_dtor the weakrefs are notified after the destruction of properties already took place. In this test case, the destructor of an anon class will be invoked due to the property destruction. That class has a weak reference to its parent. This means that the destructor can access parent properties that already have been destroyed, resulting in a UAF. Fix this by notifying the weakrefs at the start of the object's destruction.

@nielsdos
Fix phpGH-13612: Corrupted memory in destructor with weak references
f00daa1 
Inside `zend_object_std_dtor` the weakrefs are notified after the destruction
of properties already took place. In this test case, the destructor of an anon
class will be invoked due to the property destruction. That class has a
weak reference to its parent. This means that the destructor can access
parent properties that already have been destroyed, resulting in a UAF.
Fix this by notifying the weakrefs at the start of the object's
destruction.
@nielsdos nielsdos linked an issue Mar 6, 2024 that may be closed by this pull request
Corrupted memory in destructor with weak references #13612
Closed
@mvorisek mvorisek mentioned this pull request Mar 6, 2024
Closed
@nielsdos nielsdos marked this pull request as ready for review March 7, 2024 07:16
@nielsdos nielsdos requested a review from iluuu1994 March 7, 2024 07:17
iluuu1994
iluuu1994 approved these changes Mar 8, 2024
View reviewed changes
Copy link
Member

@iluuu1994 iluuu1994 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @nielsdos!

@nielsdos nielsdos closed this in 39b8d5c Mar 8, 2024
@sebastianbergmann sebastianbergmann mentioned this pull request Mar 10, 2024
Closed
julien-boudry added a commit to julien-boudry/Condorcet that referenced this pull request Apr 23, 2024
@julien-boudry
Fix PHP 8.3.6 backward incompatible change with WeakRef php/php-src#1…
c3fe541 
…3612 + php/php-src#13613

Usage of driver throw an error on Election object destruction..
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iluuu1994 iluuu1994 iluuu1994 approved these changes

Assignees
No one assigned
Labels
Category: Engine
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Corrupted memory in destructor with weak references
2 participants
@nielsdos @iluuu1994