Conversation

@ndossche (Owner)

VS 2005 introduced 64-bit time. This was disabled since then to prevent libraries compiled with older versions from causing breaks. Since the current development version of PHP requires a much more modern compiler and 2005 has been long in the past, it makes sense to use 64-bit time by default to prevent Y2038 problems.

ndossche closed this Jul 8, 2023
ndossche added a commit that referenced this pull request Jan 23, 2026
This function returns -1 on failure. Not checking this causes a segfault
if `cert_name` is still NULL, i.e. if the failure happens on the first
iteration. If the failure happens on the second iteration, we get a
use-after-free.

NULL deref example:

UAF example:
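To make the two failure modes in the commit message concrete, here is an added example (not code from php-src or from this commit) that mocks the SAN-matching loop with a constructed `fake_asn1_string_to_utf8()` stand-in for `ASN1_STRING_to_UTF8()` and shows the return-value check that prevents both the NULL dereference and the use-after-free. The `san_entry` type, `san_list_matches()` and the sample names are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one entry of a certificate's SAN list. */
typedef struct {
    const char *value;     /* the DNS name as stored in the certificate */
    bool fail_conversion;  /* simulate ASN1_STRING_to_UTF8() returning -1 for this entry */
} san_entry;

/* Constructed stand-in for ASN1_STRING_to_UTF8(): on success it stores a
 * freshly malloc'ed, NUL-terminated copy in *out and returns its length; on
 * failure it returns -1 and leaves *out untouched. That untouched pointer is
 * the whole bug: it is NULL on the first iteration and dangling on later ones. */
static int fake_asn1_string_to_utf8(unsigned char **out, const san_entry *e)
{
    if (e->fail_conversion) {
        return -1;
    }
    size_t len = strlen(e->value);
    unsigned char *copy = malloc(len + 1);
    if (copy == NULL) {
        return -1;
    }
    memcpy(copy, e->value, len + 1);
    *out = copy;
    return (int)len;
}

/* Hardened matcher. The loop shape follows the commit message (convert each
 * SAN, compare it with the expected host name, free it, move on), with the
 * return value check that was missing. A name that cannot be converted is
 * treated as a non-match rather than dereferenced. */
bool san_list_matches(const san_entry *sans, size_t count, const char *subject)
{
    unsigned char *cert_name = NULL;

    for (size_t i = 0; i < count; i++) {
        int len = fake_asn1_string_to_utf8(&cert_name, &sans[i]);
        if (len < 0) {
            /* Without this check: iteration 0 calls strlen(NULL) (SEGV) and
             * iteration 1 reads the buffer freed at the end of iteration 0 (UAF). */
            continue;
        }
        /* Reject names with embedded NULs: DER length and C string length must agree. */
        bool match = strlen((const char *)cert_name) == (size_t)len
                  && strcmp((const char *)cert_name, subject) == 0;
        free(cert_name);
        cert_name = NULL;  /* never carry a dangling pointer into the next iteration */
        if (match) {
            return true;
        }
    }
    return false;
}

/* Constructed sample SAN list: the first entry fails to convert, which is
 * exactly the "failure on the first iteration" case from the commit message. */
const san_entry SAMPLE_SANS[] = {
    { "broken.example",  true  },
    { "www.example.org", false },
    { "api.example.org", false },
};
const size_t SAMPLE_SANS_COUNT = sizeof SAMPLE_SANS / sizeof SAMPLE_SANS[0];
```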
ndossche added a commit that referenced this pull request Jan 23, 2026
ndossche added a commit that referenced this pull request Jan 23, 2026
Example ASAN report:
ndossche added a commit that referenced this pull request Jan 24, 2026
When certificate `cert` exists, but is not added to the store, it causes
memory leaks. The error handling already existed, but the freeing
only happened in the success case.
One could also ponder whether it is necessary to inform the user when
adding a certificate failed or signal this in some way.

Part of the leak report:
ndossche added a commit that referenced this pull request Jan 25, 2026
…ake() fails to set a version

The leak appears to be at least somewhat dependent on the OpenSSL version,
but it is reproducible on an Ubuntu 24.04 container.

Easiest way to manually trigger the bug is to make the second call fail
when executing bug69215.phpt:

```diff
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 12383ac..6721d841d16 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2957,7 +2957,9 @@ static zend_result php_openssl_csr_make(struct php_x509_request * req, X509_REQ
 		}
 	}
 	/* setup the version number: version 1 */
-	if (X509_REQ_set_version(csr, 0L)) {
+	static int counter = 0;
+	counter++;
+	if (counter!=2&&X509_REQ_set_version(csr, 0L)) {
 		int i, nid;
 		char *type;
 		CONF_VALUE *v;

```
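Review bot: this hunk is a reproduction aid, not a mergeable change, and should be replaced by a proper failure-injection test before anything lands: it introduces a `static int counter` in the middle of a function body and the condition `counter!=2&&X509_REQ_set_version(csr, 0L)` short-circuits so that only the second call skips setting the version and takes the failure path. That means the hunk exercises just the second-call failure; any leak on a first-call failure is not covered by this reproduction.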

ASAN report:
ndossche added a commit that referenced this pull request Jan 27, 2026
This can actually fail because internally this function does stack
management in internal data structures.
This can cause a crash later, e.g.:

ndossche added a commit that referenced this pull request Jan 27, 2026
`pkey` must be released after it was allocated on the error paths.
Otherwise we get leaks like this:

ndossche added a commit that referenced this pull request Jan 28, 2026
This is observable in LibreSSL. The code is creating 3 big numbers, but
if one of them fails to be created, then DSA_set0_pqg() will never have
executed and there are no references left to the created big numbers,
leaking them in the process.

E.g.:
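The ownership hand-off described above (and the same free-on-error-path rule behind the `pkey` and certificate-store commits earlier in this list) as an added example, not code from php-src or from these commits: constructed `bn_t`/`dsa_t` stand-ins for BIGNUM and DSA count live objects so a test can prove the failure path leaks nothing, and `fake_bn_bin2bn()`, `fake_dsa_set0_pqg()` and `dsa_init_pqg()` are assumed names for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for BIGNUM / DSA that count live objects, so a test
 * can prove the failure path leaves nothing behind. */
typedef struct { unsigned char *bytes; size_t len; } bn_t;
typedef struct { bn_t *p, *q, *g; } dsa_t;

static int g_live_bn = 0;
int live_bn_count(void) { return g_live_bn; }

/* Like BN_bin2bn(): NULL on failure. An empty input is the simulated failure. */
static bn_t *fake_bn_bin2bn(const unsigned char *in, size_t len)
{
    if (in == NULL || len == 0) {
        return NULL;
    }
    bn_t *bn = malloc(sizeof *bn);
    if (bn == NULL) {
        return NULL;
    }
    bn->bytes = malloc(len);
    if (bn->bytes == NULL) {
        free(bn);
        return NULL;
    }
    memcpy(bn->bytes, in, len);
    bn->len = len;
    g_live_bn++;
    return bn;
}

/* Like BN_free(): accepts NULL, so partial results can be freed unconditionally. */
static void fake_bn_free(bn_t *bn)
{
    if (bn == NULL) {
        return;
    }
    free(bn->bytes);
    free(bn);
    g_live_bn--;
}

/* Like DSA_set0_pqg(): only on success does the DSA take ownership of all three. */
static int fake_dsa_set0_pqg(dsa_t *dsa, bn_t *p, bn_t *q, bn_t *g)
{
    if (p == NULL || q == NULL || g == NULL) {
        return 0;
    }
    dsa->p = p;
    dsa->q = q;
    dsa->g = g;
    return 1;
}

/* Releases the numbers the DSA owns (the success-path counterpart). */
void dsa_clear(dsa_t *dsa)
{
    fake_bn_free(dsa->p);
    fake_bn_free(dsa->q);
    fake_bn_free(dsa->g);
    memset(dsa, 0, sizeof *dsa);
}

/* The init pattern from the commit message with the cleanup it was missing:
 * the three numbers are owned by this function until set0 succeeds, so every
 * exit before that point must free them. Returns 1 on success, 0 on failure. */
int dsa_init_pqg(dsa_t *dsa,
                 const unsigned char *pb, size_t pl,
                 const unsigned char *qb, size_t ql,
                 const unsigned char *gb, size_t gl)
{
    bn_t *p = fake_bn_bin2bn(pb, pl);
    bn_t *q = fake_bn_bin2bn(qb, ql);
    bn_t *g = fake_bn_bin2bn(gb, gl);

    if (p != NULL && q != NULL && g != NULL && fake_dsa_set0_pqg(dsa, p, q, g)) {
        return 1;  /* ownership transferred to dsa */
    }
    /* Failure path: nothing else references the three numbers, so without
     * these calls LeakSanitizer reports each of them as a direct leak. */
    fake_bn_free(p);
    fake_bn_free(q);
    fake_bn_free(g);
    return 0;
}
```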
ndossche added a commit that referenced this pull request Jan 28, 2026
Leak report:
ndossche added a commit that referenced this pull request Jan 28, 2026
Leak report: