Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

nielsdos · nielsdos · commit e9a74479b6a9 · 2024-10-05T22:55:09.000+02:00
In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens:
First, we call `$test-&gt;callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use ZEND_CALL_TRAMPOLINE to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -30,6 +30,7 @@
 #include "zend_closures.h"
 #include "zend_compile.h"
 #include "zend_hash.h"
+#include "zend_observer.h"
 
 #define DEBUG_OBJECT_HANDLERS 0
 
@@ -1294,7 +1295,8 @@ ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend
 	 * value so that it doesn't contain garbage when the engine allocates space for the next stack
 	 * frame. This didn't cause any issues until now due to "lucky" structure layout. */
 	func->last_var = 0;
-	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, 2) : 2;
+	size_t min_T = 2 + ZEND_OBSERVER_ENABLED;
+	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, min_T) : min_T;
 	func->filename = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.filename : ZSTR_EMPTY_ALLOC();
 	func->line_start = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_start : 0;
 	func->line_end = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_end : 0;
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -879,6 +879,23 @@ static ZEND_METHOD(_ZendTestMagicCall, __call)
 	RETURN_ARR(zend_new_pair(&name_zv, arguments));
 }
 
+static ZEND_METHOD(_ZendTestMagicCallForward, __call)
+{
+	zend_string *name;
+	zval *arguments;
+
+	ZEND_PARSE_PARAMETERS_START(2, 2)
+		Z_PARAM_STR(name)
+		Z_PARAM_ARRAY(arguments)
+	ZEND_PARSE_PARAMETERS_END();
+
+	ZEND_IGNORE_VALUE(arguments);
+
+	zval func;
+	ZVAL_STR(&func, name);
+	call_user_function(NULL, NULL, &func, return_value, 0, NULL);
+}
+
 PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("zend_test.replace_zend_execute_ex", "0", PHP_INI_SYSTEM, OnUpdateBool, replace_zend_execute_ex, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.register_passes", "0", PHP_INI_SYSTEM, OnUpdateBool, register_passes, zend_zend_test_globals, zend_test_globals)
@@ -993,6 +1010,8 @@ PHP_MINIT_FUNCTION(zend_test)
 
 	zend_test_magic_call = register_class__ZendTestMagicCall();
 
+	register_class__ZendTestMagicCallForward();
+
 	zend_register_functions(NULL, ext_function_legacy, NULL, EG(current_module)->type);
 
 	// Loading via dl() not supported with the observer API
diff --git a/ext/zend_test/test.stub.php b/ext/zend_test/test.stub.php
@@ -52,6 +52,11 @@ class _ZendTestMagicCall
         public function __call(string $name, array $args): mixed {}
     }
 
+    class _ZendTestMagicCallForward
+    {
+        public function __call(string $name, array $args): mixed {}
+    }
+
     class _ZendTestChildClass extends _ZendTestClass
     {
         public function returnsThrowable(): Exception {}
diff --git a/ext/zend_test/test_arginfo.h b/ext/zend_test/test_arginfo.h
diff --git a/ext/zend_test/tests/gh16233.phpt b/ext/zend_test/tests/gh16233.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-16233 (Observer segfault when calling user function in internal function via trampoline)
+--EXTENSIONS--
+zend_test
+--INI--
+zend_test.observer.enabled=1
+zend_test.observer.show_output=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+function callee() {
+    echo "in callee\n";
+}
+
+$test = new _ZendTestMagicCallForward;
+$test->callee();
+echo "done\n";
+
+?>
+--EXPECTF--
+<!-- init '%sgh16233.php' -->
+<file '%sgh16233.php'>
+  <!-- init _ZendTestMagicCallForward::__call() -->
+  <_ZendTestMagicCallForward::__call>
+    <!-- init callee() -->
+    <callee>
+in callee
+    </callee>
+  </_ZendTestMagicCallForward::__call>
+done
+</file '%sgh16233.php'>

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,11 @@ class _ZendTestMagicCall`
`52`	`52`	`public function __call(string $name, array $args): mixed {}`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ class _ZendTestMagicCallForward`
	`56`	`+ {`
	`57`	`+ public function __call(string $name, array $args): mixed {}`
	`58`	`+ }`
	`59`	`+`
`55`	`60`	`class _ZendTestChildClass extends _ZendTestClass`
`56`	`61`	`{`
`57`	`62`	`public function returnsThrowable(): Exception {}`