[gentoo-commits] repo/gentoo:master commit in: dev-lang/php/files/, dev-lang/php/

["Thomas Deutschmann" <whissi@gentoo.org>]

commit:     280c5e27b96f27eed2f3325576d74361abb36294
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 23 00:38:40 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Dec 23 00:39:05 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=280c5e27

dev-lang/php: fix use-after-free when accessing already destructed backtrace arguments

Bug: https://bugs.gentoo.org/711140
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../files/php-7.2.34-use-after-free-bug76047.patch | 174 +++++++++++++++++++++
 .../{php-7.2.34.ebuild => php-7.2.34-r1.ebuild}    |   1 +
 2 files changed, 175 insertions(+)

diff --git a/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch
new file mode 100644
index 00000000000..b3a864ee82a
--- /dev/null
+++ b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch
@@ -0,0 +1,174 @@
+Backport of https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d
+
+--- a/Zend/tests/bug52361.phpt
++++ b/Zend/tests/bug52361.phpt
+@@ -25,9 +25,8 @@ try {
+ --EXPECTF--
+ 1. Exception: aaa in %sbug52361.php:5
+ Stack trace:
+-#0 %sbug52361.php(13): aaa->__destruct()
+-#1 %sbug52361.php(16): bbb()
+-#2 {main}
++#0 %sbug52361.php(16): aaa->__destruct()
++#1 {main}
+ 2. Exception: bbb in %sbug52361.php:13
+ Stack trace:
+ #0 %sbug52361.php(16): bbb()
+--- /dev/null
++++ b/Zend/tests/bug76047.phpt
+@@ -0,0 +1,68 @@
++--TEST--
++Bug #76047: Use-after-free when accessing already destructed backtrace arguments
++--FILE--
++<?php
++
++class Vuln {
++    public $a;
++    public function __destruct() {
++        unset($this->a);
++        $backtrace = (new Exception)->getTrace();
++        var_dump($backtrace);
++    }
++}
++
++function test($arg) {
++    $arg = str_shuffle(str_repeat('A', 79));
++    $vuln = new Vuln();
++    $vuln->a = $arg;
++}
++
++function test2($arg) {
++    $$arg = 1; // Trigger symbol table
++    $arg = str_shuffle(str_repeat('A', 79));
++    $vuln = new Vuln();
++    $vuln->a = $arg;
++}
++
++test('x');
++test2('x');
++
++?>
++--EXPECTF--
++array(1) {
++  [0]=>
++  array(6) {
++    ["file"]=>
++    string(%d) "%s"
++    ["line"]=>
++    int(%d)
++    ["function"]=>
++    string(10) "__destruct"
++    ["class"]=>
++    string(4) "Vuln"
++    ["type"]=>
++    string(2) "->"
++    ["args"]=>
++    array(0) {
++    }
++  }
++}
++array(1) {
++  [0]=>
++  array(6) {
++    ["file"]=>
++    string(%d) "%s"
++    ["line"]=>
++    int(%d)
++    ["function"]=>
++    string(10) "__destruct"
++    ["class"]=>
++    string(4) "Vuln"
++    ["type"]=>
++    string(2) "->"
++    ["args"]=>
++    array(0) {
++    }
++  }
++}
+--- a/Zend/zend_vm_def.h
++++ b/Zend/zend_vm_def.h
+@@ -2366,9 +2366,9 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 	uint32_t call_info = EX_CALL_INFO();
+ 
+ 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ 			zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -2394,12 +2394,12 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 		LOAD_NEXT_OPLINE();
+ 		ZEND_VM_LEAVE();
+ 	} else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+ 		if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ 			zend_clean_and_cache_symbol_table(EX(symbol_table));
+ 		}
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 
+ 		/* Free extra args before releasing the closure,
+ 		 * as that may free the op_array. */
+@@ -2449,6 +2449,7 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 		ZEND_VM_LEAVE();
+ 	} else {
+ 		if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++			EG(current_execute_data) = EX(prev_execute_data);
+ 			i_free_compiled_variables(execute_data);
+ 			if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ 				if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -2456,7 +2457,6 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 				}
+ 				zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ 			}
+-			EG(current_execute_data) = EX(prev_execute_data);
+ 			if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ 				OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ 			}
+--- a/Zend/zend_vm_execute.h
++++ b/Zend/zend_vm_execute.h
+@@ -434,9 +434,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 	uint32_t call_info = EX_CALL_INFO();
+ 
+ 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ 			zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -462,12 +462,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 		LOAD_NEXT_OPLINE();
+ 		ZEND_VM_LEAVE();
+ 	} else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+ 		if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ 			zend_clean_and_cache_symbol_table(EX(symbol_table));
+ 		}
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 
+ 		/* Free extra args before releasing the closure,
+ 		 * as that may free the op_array. */
+@@ -517,6 +517,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 		ZEND_VM_LEAVE();
+ 	} else {
+ 		if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++			EG(current_execute_data) = EX(prev_execute_data);
+ 			i_free_compiled_variables(execute_data);
+ 			if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ 				if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -524,7 +525,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 				}
+ 				zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ 			}
+-			EG(current_execute_data) = EX(prev_execute_data);
+ 			if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ 				OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ 			}
+ 

diff --git a/dev-lang/php/php-7.2.34.ebuild b/dev-lang/php/php-7.2.34-r1.ebuild
similarity index 99%
rename from dev-lang/php/php-7.2.34.ebuild
rename to dev-lang/php/php-7.2.34-r1.ebuild
index b7fe1520efb..a534bc594e5 100644
--- a/dev-lang/php/php-7.2.34.ebuild
+++ b/dev-lang/php/php-7.2.34-r1.ebuild
@@ -157,6 +157,7 @@ RESTRICT="!test? ( test )"
 PATCHES=(
 	"${FILESDIR}/php-freetype-2.9.1.patch"
 	"${FILESDIR}/php-7.2.13-intl-use-icu-namespace.patch"
+	"${FILESDIR}/php-7.2.34-use-after-free-bug76047.patch"
 )
 
 PHP_MV="$(ver_cut 1)"