Skip to content

UB when freeing a cloned _ZendTestFiber #16388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
YuanchengJiang opened this issue Oct 12, 2024 · 1 comment
Closed

UB when freeing a cloned _ZendTestFiber #16388

YuanchengJiang opened this issue Oct 12, 2024 · 1 comment
Assignees
@cmb69
Labels
Bug Extension: zend_test Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
$fiber = new _ZendTestFiber(function (): int {
});
$fusion = $fiber;
clone $fusion;

Resulted in this output:

/php-src/ext/zend_test/fiber.c:205:3: runtime error: member access within misaligned address 0x736574646e657a5f for type 'zend_test_fiber' (aka 'struct _zend_test_fiber'), which requires 8 byte alignment

To reproduce:

-d "zend_extension=/php-src/modules/opcache.so" -d "opcache.enable_cli=1"

There are some similar issues, not sure if it is a dup.

PHP Version

nightly

Operating System

ubuntu 22.04
@cmb69
Copy link
Member

cmb69 commented Oct 12, 2024

Unless there is the need to clone instances of _ZendTestFiber, we can just disallow this:

 ext/zend_test/fiber.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ext/zend_test/fiber.c b/ext/zend_test/fiber.c
index 30dbfa06e5..fa285aa2d6 100644
--- a/ext/zend_test/fiber.c
+++ b/ext/zend_test/fiber.c
@@ -352,4 +352,5 @@ void zend_test_fiber_init(void)
 	zend_test_fiber_handlers = std_object_handlers;
 	zend_test_fiber_handlers.dtor_obj = zend_test_fiber_object_destroy;
 	zend_test_fiber_handlers.free_obj = zend_test_fiber_object_free;
+	zend_test_fiber_handlers.clone_obj = NULL;
 }

@cmb69 cmb69 self-assigned this Oct 12, 2024
cmb69 added a commit to cmb69/php-src that referenced this issue Oct 12, 2024
@cmb69
Fix phpGH-16388: UB when freeing a cloned _ZendTestFiber
53cc149 
Since there is no need to clone instances of this test class, we
prevent cloning in the first place.
@cmb69 cmb69 linked a pull request Oct 12, 2024 that will close this issue
Fix GH-16388: UB when freeing a cloned _ZendTestFiber #16400
Closed
@cmb69 cmb69 changed the title Member access within misaligned address in ext/zend_test/fiber.c:205 UB when freeing a cloned _ZendTestFiber Oct 12, 2024
cmb69 added a commit that referenced this issue Oct 12, 2024
@cmb69
Merge branch 'PHP-8.2' into PHP-8.3
41d75f4 
* PHP-8.2:
  Fix GH-16388: UB when freeing a cloned _ZendTestFiber
cmb69 added a commit that referenced this issue Oct 12, 2024
@cmb69
Merge branch 'PHP-8.3' into PHP-8.4
8a5c716 
* PHP-8.3:
  Fix GH-16388: UB when freeing a cloned _ZendTestFiber
@cmb69 cmb69 closed this as completed in a3eb1fd Oct 12, 2024
cmb69 added a commit that referenced this issue Oct 12, 2024
@cmb69
Merge branch 'PHP-8.4'
7a1f4b6 
* PHP-8.4:
  Fix GH-16388: UB when freeing a cloned _ZendTestFiber
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cmb69 cmb69

Labels
Bug Extension: zend_test Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-16388: UB when freeing a cloned _ZendTestFiber cmb69/php-src
2 participants
@cmb69 @YuanchengJiang