Fix PHP crashes due to accessing dangling pointers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php8.1 (Ubuntu) | Fix Released | High | Athos Ribeiro |
Jammy | Fix Released | High | Athos Ribeiro |
Bug Description
SRU Justification
[ Impact ]
Invoking reflection on a class that carries an attribute annotation while an observer registered through the observer API is active causes a dangling pointer dereference and a segmentation fault. Certain PHP extensions register an observer that fires when an attribute is instantiated via reflection. Since Laravel 9+ and Symfony both use attribute annotations, this is a fairly common case; it can be reproduced with the Datadog PHP extension and any Laravel application. See https:/
This bug was fixed upstream in PHP 8.1.3: https:/
This bug potentially affects the stability of the LTS release for anyone running Laravel or Symfony, both very popular frameworks, alongside a tracing extension.
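A minimal stand-in for the Laravel/Symfony plus tracing-extension case, added here as an example; it is not taken from the bug report, the upstream test suite or the Datadog extension. It instantiates a class attribute through ReflectionAttribute::newInstance(), which is the reflection path the observer hooks. The INI names zend_test.observer.enabled and zend_test.observer.observe_all and loading the observer with extension=zend_test are assumptions about the upstream zend_test extension; the script itself runs on any PHP 8.1 and, on a fixed build, simply prints the attribute it instantiated.

```php
<?php
// Added example (not the bug report's or PHP's own code). Run it with the
// zend_test observer watching every call; the INI names are assumed:
//   php -d extension=zend_test \
//       -d zend_test.observer.enabled=1 \
//       -d zend_test.observer.observe_all=1 repro.php
// On the unfixed php8.1 package this is the path expected to segfault; on a
// fixed build (upstream 8.1.3 or the proposed package) it prints one line.

#[Attribute(Attribute::TARGET_CLASS)]
final class Route
{
    public function __construct(
        public readonly string $path,
        public readonly array $methods = ['GET'],
    ) {
    }
}

// An attribute annotation of the kind Laravel 9+ / Symfony controllers carry.
#[Route('/health', methods: ['GET', 'HEAD'])]
final class HealthController
{
}

/**
 * Instantiate every attribute declared on $class through reflection.
 * newInstance() is the call that ends up in the observed internal frame;
 * with an observer registered it is where the dangling pointer was used.
 *
 * @return object[]
 */
function instantiate_attributes(string $class): array
{
    $instances = [];
    foreach ((new ReflectionClass($class))->getAttributes() as $attribute) {
        $instances[] = $attribute->newInstance();
    }
    return $instances;
}

foreach (instantiate_attributes(HealthController::class) as $attribute) {
    // Expected on a fixed build: "Route /health GET|HEAD"
    printf("%s %s %s\n", $attribute::class, $attribute->path, implode('|', $attribute->methods));
}
```

Checking the exit status after the run is the simplest signal: a segmentation fault shows up as exit code 139 from the shell, while a fixed build exits 0 and prints the line above.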
[ Test Plan ]
Run the upstream tests included with this fix. To do so, the upstream development/testing PHP extension for Zend introspection is required. We will provide the modified package source so that anyone verifying this bug can build it.
The new package to be built is named "php8.1-ztest".
The modified php8.1 source code to generate the php8.1-ztest package is located in https:/
The following script should allow you to reproduce the bug:
##### BEGIN REPRODUCER #####
#!/bin/bash
set -eux
trap cleanup EXIT
TEST_CONTAINER=
TEMP_DIR=$(mktemp -d)
cleanup() {
rm -rf ${TEMP_DIR}
lxc delete -f ${TEST_CONTAINER}
}
pushd ${TEMP_DIR}
git ubuntu clone php8.1
pushd php8.1
# git ubuntu remote add athos-ribeiro
# let's build the php8.1-ztest packages matching the version from the release pocket
git checkout zend-test-ext-nofix
git ubuntu export-orig
sbuild -d jammy
popd
lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
lxc file push php8.1-
lxc exec ${TEST_CONTAINER} -- apt update
lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt
lxc exec ${TEST_CONTAINER} -- apt install -y /var/tmp/
# we want the test files shipped with the fix
lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 https:/
lxc exec --cwd /usr/local/
# This should fail
lxc exec --cwd /usr/local/
##### END REPRODUCER #####
The modified php8.1 source code to generate the php8.1-ztest package is located in https:/
Note that the versions of the packages shipping "php8.1-ztest" intentionally conflict with both the version in jammy and the version being proposed with the fix, because the generated php8.1-ztest depends on the other packages built from the php8.1 source at exactly the same version.
Remember to install only "php8.1-ztest" from these custom packages; the remaining php8.1 binaries should come from the Ubuntu archive.
The following script should allow you to verify the fix:
##### BEGIN CHECKER #####
#!/bin/bash
set -eux
trap cleanup EXIT
TEST_CONTAINER=
TEMP_DIR=$(mktemp -d)
cleanup() {
rm -rf ${TEMP_DIR}
lxc delete -f ${TEST_CONTAINER}
}
pushd ${TEMP_DIR}
cat <<EOF > ubuntu-
deb http://
EOF
git ubuntu clone php8.1
pushd php8.1
# git ubuntu remote add athos-ribeiro
# let's build the php8.1-ztest packages matching the fixed version
git checkout zend-test-ext
git ubuntu export-orig
sbuild -d jammy
popd
lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
lxc file push php8.1-
lxc exec ${TEST_CONTAINER} -- apt update
lxc exec ${TEST_CONTAINER} -- apt install -y git quilt
# install php from proposed
lxc file push ubuntu-
lxc exec ${TEST_CONTAINER} -- apt update
lxc exec ${TEST_CONTAINER} -- apt install -y php/jammy-proposed
lxc exec ${TEST_CONTAINER} -- apt install -y /var/tmp/
# we want the test files shipped with the fix
lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 https:/
lxc exec --cwd /usr/local/
# This should succeed
lxc exec --cwd /usr/local/
##### END CHECKER #####
[ Where problems could occur ]
The change could affect the performance or stability of reflection operations, but the patch has been in upstream PHP since 8.1.3 and is fairly old at this point.
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 242 lines (+214/-0), 4 files modified:
debian/changelog (+9/-0)
debian/patches/fix-attribute-instantion-dangling-pointer.patch (+115/-0)
debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch (+88/-0)
debian/patches/series (+2/-0)
- Canonical Server Reporter: Pending requested
- Diff: 3205 lines (+2921/-0) (has conflicts), 23 files modified:
debian/changelog (+146/-0)
debian/patches/0046-Fix-ssl3-unexpected-eof.patch (+76/-0)
debian/patches/0047-Update-gcc-func-attr-macro.patch (+29/-0)
debian/patches/0048-Clear-recorded-errors-before-executing-shutdown-func.patch (+461/-0)
debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch (+64/-0)
debian/patches/CVE-2021-21708.patch (+49/-0)
debian/patches/CVE-2022-31625.patch (+70/-0)
debian/patches/CVE-2022-31626.patch (+21/-0)
debian/patches/CVE-2022-31627.patch (+353/-0)
debian/patches/CVE-2022-31628-1.patch (+92/-0)
debian/patches/CVE-2022-31628-2.patch (+54/-0)
debian/patches/CVE-2022-31629.patch (+74/-0)
debian/patches/CVE-2022-31630.patch (+69/-0)
debian/patches/CVE-2022-37454.patch (+142/-0)
debian/patches/CVE-2023-0662-1.patch (+58/-0)
debian/patches/CVE-2023-3247-1.patch (+79/-0)
debian/patches/CVE-2023-3247-2.patch (+21/-0)
debian/patches/CVE-2023-3823.patch (+552/-0)
debian/patches/CVE-2023-3824.patch (+83/-0)
debian/patches/fix-attribute-instantion-dangling-pointer.patch (+115/-0)
debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch (+88/-0)
debian/patches/fix-map-ptr-mem-leak.patch (+199/-0)
debian/patches/series (+26/-0)
tags: added: server-todo
Changed in php8.1 (Ubuntu):
status: New → Triaged
assignee: nobody → Athos Ribeiro (athos-ribeiro)
description: updated
description: updated
description: updated
description: updated
description: updated
summary:
- PHP crashes on Laravel 9+ with certain extensions
+ Fix PHP crashes due to accessing dangling pointers
Changed in php8.1 (Ubuntu Jammy):
status: Triaged → In Progress
description: updated
It is also the cause of this bug in Symfony when using annotations: https://bugs.php.net/bug.php?id=81648