From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id AF5CF1382C5 for ; Wed, 23 Dec 2020 00:39:13 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0E7062BC02F; Wed, 23 Dec 2020 00:39:13 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DF8CC2BC02F for ; Wed, 23 Dec 2020 00:39:12 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D6BC7341834 for ; Wed, 23 Dec 2020 00:39:11 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7A699309 for ; Wed, 23 Dec 2020 00:39:10 +0000 (UTC) 
From: "Thomas Deutschmann" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann" Message-ID: <1608683945.280c5e27b96f27eed2f3325576d74361abb36294.whissi@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: dev-lang/php/files/, dev-lang/php/ X-VCS-Repository: repo/gentoo X-VCS-Files: dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch dev-lang/php/php-7.2.34-r1.ebuild dev-lang/php/php-7.2.34.ebuild X-VCS-Directories: dev-lang/php/files/ dev-lang/php/ X-VCS-Committer: whissi X-VCS-Committer-Name: Thomas Deutschmann X-VCS-Revision: 280c5e27b96f27eed2f3325576d74361abb36294 X-VCS-Branch: master Date: Wed, 23 Dec 2020 00:39:10 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: d860e9dc-0a63-405f-b97e-5be4e6ca7493 X-Archives-Hash: f7aa10a23fa830f83712a3539f023dc1 commit: 280c5e27b96f27eed2f3325576d74361abb36294 Author: Thomas Deutschmann gentoo org> AuthorDate: Wed Dec 23 00:38:40 2020 +0000 Commit: Thomas Deutschmann gentoo org> CommitDate: Wed Dec 23 00:39:05 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=280c5e27 dev-lang/php: fix use-after-free when accessing already destructed backtrace arguments Bug: https://bugs.gentoo.org/711140 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Thomas Deutschmann gentoo.org> .../files/php-7.2.34-use-after-free-bug76047.patch | 174 +++++++++++++++++++++ .../{php-7.2.34.ebuild => php-7.2.34-r1.ebuild} | 1 + 2 files changed, 175 insertions(+)
diff --git a/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch
new file mode 100644
index 00000000000..b3a864ee82a
--- /dev/null
+++ b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch 
@@ -0,0 +1,174 @@
+Backport of https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d
+
+--- a/Zend/tests/bug52361.phpt
++++ b/Zend/tests/bug52361.phpt
+@@ -25,9 +25,8 @@ try {
+ --EXPECTF--
+ 1. Exception: aaa in %sbug52361.php:5
+ Stack trace:
+-#0 %sbug52361.php(13): aaa->__destruct()
+-#1 %sbug52361.php(16): bbb()
+-#2 {main}
++#0 %sbug52361.php(16): aaa->__destruct()
++#1 {main}
+ 2. Exception: bbb in %sbug52361.php:13
+ Stack trace:
+ #0 %sbug52361.php(16): bbb()
+--- /dev/null
++++ b/Zend/tests/bug76047.phpt
+@@ -0,0 +1,68 @@
++--TEST--
++Bug #76047: Use-after-free when accessing already destructed backtrace arguments
++--FILE--
++a);
++ $backtrace = (new Exception)->getTrace();
++ var_dump($backtrace);
++ }
++}
++
++function test($arg) {
++ $arg = str_shuffle(str_repeat('A', 79));
++ $vuln = new Vuln();
++ $vuln->a = $arg;
++}
++
++function test2($arg) {
++ $$arg = 1; // Trigger symbol table
++ $arg = str_shuffle(str_repeat('A', 79));
++ $vuln = new Vuln();
++ $vuln->a = $arg;
++}
++
++test('x');
++test2('x');
++
++?>
++--EXPECTF--
++array(1) {
++ [0]=>
++ array(6) {
++ ["file"]=>
++ string(%d) "%s"
++ ["line"]=>
++ int(%d)
++ ["function"]=>
++ string(10) "__destruct"
++ ["class"]=>
++ string(4) "Vuln"
++ ["type"]=>
++ string(2) "->"
++ ["args"]=>
++ array(0) {
++ }
++ }
++}
++array(1) {
++ [0]=>
++ array(6) {
++ ["file"]=>
++ string(%d) "%s"
++ ["line"]=>
++ int(%d)
++ ["function"]=>
++ string(10) "__destruct"
++ ["class"]=>
++ string(4) "Vuln"
++ ["type"]=>
++ string(2) "->"
++ ["args"]=>
++ array(0) {
++ }
++ }
++}
+--- a/Zend/zend_vm_def.h
++++ b/Zend/zend_vm_def.h
+@@ -2366,9 +2366,9 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ uint32_t call_info = EX_CALL_INFO();
+
+ if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+
+- EG(current_execute_data) = EX(prev_execute_data);
+ if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -2394,12 +2394,12 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ LOAD_NEXT_OPLINE();
+ ZEND_VM_LEAVE();
+ } else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+
+ if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ zend_clean_and_cache_symbol_table(EX(symbol_table));
+ }
+- EG(current_execute_data) = EX(prev_execute_data);
+
+ /* Free extra args before releasing the closure,
+ * as that may free the op_array. */
+@@ -2449,6 +2449,7 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ ZEND_VM_LEAVE();
+ } else {
+ if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+ if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -2456,7 +2457,6 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ }
+ zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ }
+- EG(current_execute_data) = EX(prev_execute_data);
+ if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ }
+--- a/Zend/zend_vm_execute.h
++++ b/Zend/zend_vm_execute.h
+@@ -434,9 +434,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ uint32_t call_info = EX_CALL_INFO();
+
+ if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+
+- EG(current_execute_data) = EX(prev_execute_data);
+ if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -462,12 +462,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ LOAD_NEXT_OPLINE();
+ ZEND_VM_LEAVE();
+ } else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+
+ if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ zend_clean_and_cache_symbol_table(EX(symbol_table));
+ }
+- EG(current_execute_data) = EX(prev_execute_data);
+
+ /* Free extra args before releasing the closure,
+ * as that may free the op_array. */
+@@ -517,6 +517,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ ZEND_VM_LEAVE();
+ } else {
+ if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++ EG(current_execute_data) = EX(prev_execute_data);
+ i_free_compiled_variables(execute_data);
+ if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -524,7 +525,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ }
+ zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ }
+- EG(current_execute_data) = EX(prev_execute_data);
+ if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ }
+
diff --git a/dev-lang/php/php-7.2.34.ebuild b/dev-lang/php/php-7.2.34-r1.ebuild
similarity index 99%
rename from dev-lang/php/php-7.2.34.ebuild
rename to dev-lang/php/php-7.2.34-r1.ebuild
index b7fe1520efb..a534bc594e5 100644
--- a/dev-lang/php/php-7.2.34.ebuild
+++ b/dev-lang/php/php-7.2.34-r1.ebuild
@@ -157,6 +157,7 @@ RESTRICT="!test? ( test )"
 PATCHES=(
 "${FILESDIR}/php-freetype-2.9.1.patch"
 "${FILESDIR}/php-7.2.13-intl-use-icu-namespace.patch"
+ "${FILESDIR}/php-7.2.34-use-after-free-bug76047.patch"
 )
 PHP_MV="$(ver_cut 1)"
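Review bot: The patch file's own header is the single line `Backport of https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d`, which says neither what it fixes nor that it changes observable behaviour — the bug52361.phpt expectation update shows that an exception thrown from a destructor during frame teardown now reports the caller's line (16 instead of 13) and no longer lists the `bbb()` frame. A header along the lines of `Bug #76047: use-after-free when accessing already destructed backtrace arguments. Moves EG(current_execute_data) = EX(prev_execute_data) ahead of i_free_compiled_variables() in zend_leave_helper so a destructor that captures a backtrace no longer walks the frame being freed; such backtraces now start at the caller (see bug52361.phpt).` would let a maintainer judge the backport without following the URL. The same four hunks are applied to both Zend/zend_vm_def.h and Zend/zend_vm_execute.h; the header could also note that the latter is the generated counterpart of the former and that the two must stay in step, since normally only the definition file is edited. The `--FILE--` section of bug76047.phpt appears truncated here (`++--FILE-- ++a);`), presumably an artifact of how this page was extracted rather than of the patch itself.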