Skip to content

Prevent direct instantiation of com_safearray_proxy#10278

Merged
cmb69 merged 3 commits intophp:masterfrom
cmb69:cmb/saproxy
Oct 7, 2024
Merged

Prevent direct instantiation of com_safearray_proxy#10278
cmb69 merged 3 commits intophp:masterfrom
cmb69:cmb/saproxy

Conversation

@cmb69
Copy link
Member

@cmb69 cmb69 commented Jan 10, 2023

The com_safearray_proxy class is meant for internal usage, but so far it was possible to instantiate it from userland, although that made no sense. However, a while ago there was a relevant change[1], namely that its default_object_handlers are now assigned when the class is registered, while previously they only have been assigned when an instance had been created internally. So now when freeing a manually created object, free_obj() is called, although the object never has been properly initialized (causing segfaults).

We fix this by introducing a create_object() handler which properly initializes the object with dummy values. Since a manually created com_safearray_proxy still does not make sense, we disallow its instantiation.

[1] 94ee4f9

@cmb69 cmb69 mentioned this pull request Jan 10, 2023
Open
33 tasks
Girgias
Girgias approved these changes Jan 10, 2023
View reviewed changes
Copy link
Member

@Girgias Girgias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me

@cmb69
Copy link
Member Author

cmb69 commented Jan 10, 2023

Needs more work, though.

@cmb69 cmb69 marked this pull request as draft January 10, 2023 14:41
@cmb69 cmb69 mentioned this pull request Aug 10, 2024
Merged
This was referenced Sep 29, 2024
Closed
Draft
cmb69 added 2 commits October 6, 2024 19:09
@cmb69
Prevent direct instantiation of com_safearray_proxy
046fce2 
The `com_safearray_proxy` class is meant for internal usage, but so far
it was possible to instantiate it from userland, although that made no
sense.  However, a while ago there was a relevant change[1], namely
that its `default_object_handlers` are now assigned when the class is
registered, while previously they only have been assigned when an
instance had been created internally.  So now when freeing a manually
created object, `free_obj()` is called, although the object never has
been properly initialized (causing segfaults).

We fix this by introducing a `create_object()` handler which properly
initializes the object with dummy values.  Since a manually created
`com_safearray_proxy` still does not make sense, we disallow its
instantiation.

[1] <php@94ee4f9>
@cmb69
Fix object instantiation
e5e8d17 
com_dotnet objects are special, since they still have the `zend_object`
as first member, so we need to use a somewhat different initialization.
@cmb69
Copy link
Member Author

cmb69 commented Oct 6, 2024

Needs more work, though.

That was because ASan complained about the new test. To get the latest goodies (such as Windows ASan running in CI ;), I've rebased onto master, and added a commit that fixes the problem.

@cmb69 cmb69 marked this pull request as ready for review October 6, 2024 20:21
ndossche
ndossche reviewed Oct 6, 2024
View reviewed changes
ndossche
ndossche reviewed Oct 6, 2024
View reviewed changes
ext/com_dotnet/com_saproxy.c

zend_object *php_com_saproxy_create_object(zend_class_entry *class_type)
{
php_com_saproxy *intern = emalloc(sizeof(*intern));
Copy link
Member

@ndossche ndossche Oct 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use zend_object_alloc which will do the allocation and memset

Copy link
Member Author

@cmb69 cmb69 Oct 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would't zero the last sizeof(zend_object) bytes of the structure, due to com_dotnet objects having the zend_object as first member, not as last, as usual. I'm planning to change this soonish.

Copy link
Member

@ndossche ndossche Oct 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, that's weird...

Copy link
Member Author

@cmb69 cmb69 Oct 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was the standard struct layout in PHP 5; all bundled extension had been changed for PHP 7, but com_dotnet had been overlooked.

@cmb69 @ndossche
Update ext/com_dotnet/com_saproxy.c
af6b429 
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
@cmb69 cmb69 merged commit 2f52dbd into php:master Oct 7, 2024
@cmb69 cmb69 deleted the cmb/saproxy branch October 7, 2024 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndossche ndossche ndossche approved these changes

@Girgias Girgias Girgias approved these changes

Assignees

No one assigned

Labels

Extension: com_dotnet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cmb69 @ndossche @Girgias