Hi Wez & Jani,
The following snippet causes a double free of memory and corrupts the symbol
table.
<?php
$pk = false; // as openssl_get_publickey($nonsense) can give false
openssl_public_encrypt("Test", $encrypted, $pk);
$pk = false;
?>

The culprit is php_openssl_evp_from_zval, which is called by
openssl_public_encrypt.
openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
zend_ptr_stack_clear_multiple reduces it again to 0 as the normal cleanup
upon return from openssl_public_encrypt.
Hence the zval associated with $pk is freed, but the symbol table still
refers to the freed pointer.

The patch for the 5.0 tree is available at:
http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0

With regards
Kamesh Jayachandran


  • Wez Furlong at May 25, 2005 at 7:26 pm
    The patch doesn't look quite right.

    - convert_to_string_ex(val);
    + zval tmpz;
    + zval *tmpzp;
    + tmpz = *(*val);
    + zval_copy_ctor(&tmpz);
    + tmpz.refcount=1;
    + tmpzp = &tmpz;
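    Review bot: the copy in tmpz is never converted to a string before its string fields are read, and nothing destroys it afterwards, so the buffer duplicated by `zval_copy_ctor(&tmpz);` leaks and a non-string $pk still reaches the string accessors; add `convert_to_string(&tmpz);` right after the copy constructor and `zval_dtor(&tmpz);` once the BIO built from it has been freed.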

    I think that this is a place where convert_to_string(val) should be
    used instead.

    - in = BIO_new_mem_buf(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
    + in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp),
    Z_STRLEN_PP(&tmpzp));
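    Review bot: `Z_STRVAL_PP(&tmpzp)` takes the address of a local only to dereference it twice; `Z_STRVAL(tmpz)` and `Z_STRLEN(tmpz)` (or `Z_STRVAL_P(tmpzp)`) read the same fields directly. Since BIO_new_mem_buf wraps the caller's buffer rather than copying it, tmpz must stay alive until BIO_free has run on `in`, so its destructor belongs after that point, not at the end of this hunk.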

    If you still need to use zval* instead of zval**, you can use
    Z_STRVAL_P(tmpzp) instead of taking the address and using
    Z_STRVAL_PP().

    Can you check your patch again using convert_to_string() instead?

    --Wez.
    On 5/25/05, Kamesh Jayachandran wrote:
    Hi Wez & Jani,
    The following snippet causes a double free of memory and corrupts the symbol
    table.
    <?php
    $pk = false; // as openssl_get_publickey($nonsense) can give false
    openssl_public_encrypt("Test", $encrypted, $pk);
    $pk = false;
    ?>

    The culprit is php_openssl_evp_from_zval, which is called by
    openssl_public_encrypt.
    openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
    zend_ptr_stack_clear_multiple reduces it again to 0 as the normal cleanup
    upon return from openssl_public_encrypt.
    Hence the zval associated with $pk is freed, but the symbol table still
    refers to the freed pointer.

    The patch for the 5.0 tree is available at:
    http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0

    With regards
    Kamesh Jayachandran

    --
    PHP Internals - PHP Runtime Development Mailing List
    To unsubscribe, visit: http://www.php.net/unsub.php
  • Kamesh Jayachandran at May 26, 2005 at 8:00 am
    Thanks, Wez, for pointing that out.
    The new patch is available at:
    http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0
    convert_to_string_ex is needed, but on &tmpzp rather than on val. (This
    got lost while manually copying the changes from my NetWare build
    environment to Linux.)

    With regards
    Kamesh Jayachandran
    On Wed, 25 May 2005 15:20:25 -0400, "Wez Furlong" <kingwez@gmail.com>
    said:
    The patch doesn't look quite right.

    - convert_to_string_ex(val);
    + zval tmpz;
    + zval *tmpzp;
    + tmpz = *(*val);
    + zval_copy_ctor(&tmpz);
    + tmpz.refcount=1;
    + tmpzp = &tmpz;

    I think that this is a place where convert_to_string(val) should be
    used instead.

    - in = BIO_new_mem_buf(Z_STRVAL_PP(val),
    Z_STRLEN_PP(val));
    + in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp),
    Z_STRLEN_PP(&tmpzp));

    If you still need to use zval* instead of zval**, you can use
    Z_STRVAL_P(tmpzp) instead of taking the address and using
    Z_STRVAL_PP().

    Can you check your patch again using convert_to_string() instead?

    --Wez.

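As a closing illustration (added here; not code from the thread or from PHP's ext/openssl), a small C model of the refcount arithmetic Kamesh describes and of the local-copy fix discussed above. The zval struct, zval_make, zval_ptr_dtor and pk_refcount_after_call are constructed toy stand-ins, not the Zend API.

```c
#include <stdlib.h>
#include <string.h>
/* Toy zval (constructed for this example), not the Zend struct: only the
   fields needed to follow the refcount arithmetic in the thread. */
typedef struct { int refcount; char *str; size_t len; } zval;

static zval *zval_make(const char *s) {
    zval *z = calloc(1, sizeof *z);
    z->refcount = 1; z->len = strlen(s);
    z->str = malloc(z->len + 1); memcpy(z->str, s, z->len + 1);
    return z;
}

/* Drop one reference. At zero the engine would free the zval; the storage
   is kept here so the caller can still observe the dangling state. */
static void zval_ptr_dtor(zval *z) { z->refcount--; }

/* Buggy shape: convert_to_string_ex(val) on the shared zval gives up the
   reference $pk still relies on (the 2 -> 1 step in the thread). */
static void evp_from_zval_buggy(zval *val) {
    zval_ptr_dtor(val);
    /* ... BIO_new_mem_buf(val->str, val->len) would follow here ... */
}

/* Fixed shape from the thread: tmpz = **val; zval_copy_ctor(&tmpz);
   tmpz.refcount = 1; work on the private copy and destroy only the copy.
   The caller's refcount is never touched. */
static void evp_from_zval_fixed(zval *val) {
    zval tmpz = *val;
    tmpz.str = malloc(tmpz.len + 1);            /* zval_copy_ctor: own buffer */
    memcpy(tmpz.str, val->str, tmpz.len + 1);
    tmpz.refcount = 1;
    /* ... BIO_new_mem_buf(tmpz.str, tmpz.len), use it, BIO_free(in) ... */
    free(tmpz.str);                              /* zval_dtor(&tmpz), only after BIO_free */
}

/* $pk sits in the symbol table (ref 1) and is pushed as an argument (ref 2).
   After the call the engine releases the argument slot
   (zend_ptr_stack_clear_multiple). Returns $pk's remaining refcount:
   0 means the symbol table now refers to freed memory. */
static int pk_refcount_after_call(void (*evp_from_zval)(zval *)) {
    zval *pk = zval_make("");   /* stands in for $pk = false */
    pk->refcount++;             /* argument push: refcount 2 */
    evp_from_zval(pk);
    zval_ptr_dtor(pk);          /* argument stack cleanup */
    int rc = pk->refcount;
    free(pk->str); free(pk);
    return rc;
}
```

With the buggy shape pk_refcount_after_call returns 0 (the symbol table entry is dangling); with the fixed shape it returns 1.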