Skip to content

reset global pointers to prevent use-after-free in zend_jit_status() #19212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: PHP-8.3
Choose a base branch
from
Open

reset global pointers to prevent use-after-free in zend_jit_status() #19212

wants to merge 2 commits into from
+8 −0

Conversation

realFlowControl
Copy link
Contributor

We have seen crashes in calls to zend_jit_status() purely in Apache mod_php environments. The only place where I could possibly see something could crash is the dereference of dasm_ptr in:

php-src/ext/opcache/jit/zend_jit.c

Line 825 in 37bc8f9

add_assoc_long(&stats, "buffer_free", (char*)dasm_end - (char*)*dasm_ptr);

I traced it further down and it looks to be the following (rare) situation:

  • JIT is enabled and active
  • Apache with mod_php handling requests
  • callling apache2ctl graceful will trigger a MSHUTDOWN -> MINIT in the same process
  • JIT goes through accel_post_startup() again and for "reasons" does not call zend_jit_startup().
    This leaves dasm_ptr, dasm_buf, dasm_end and dasm_size with dangling values.

Those reasons could be:

  • INI file changes on disk while Apache is running (flipping opcache.jit from tracing to disable/off)
  • an extension registering user opcode handlers after accel_post_startup() was run

How to reproduce:

  • run docker image php:apache
  • enable JIT and start using apache2-foreground
  • add a index.php file serving var_dump(opcache_get_status())
  • you see that ['jit']['buffer_size'] is a non-0 integer and JIT enabled
  • disable JIT in INI file and exec apache2ctl graceful
  • send another request to that server:
  ["jit"]=>
  array(7) {
    ["enabled"]=>
    bool(false)
    ["on"]=>
    bool(false)
    ["kind"]=>
    int(0)
    ["opt_level"]=>
    int(0)
    ["opt_flags"]=>
    int(0)
    ["buffer_size"]=>
    int(67108848)
    ["buffer_free"]=>
    int(281473177354224)
  }

Now JIT is disabled, but still has a size and buffer_free is "huge" suggesting uninitialised memory.

@realFlowControl realFlowControl requested a review from dstogov as a code owner July 22, 2025 10:53
@realFlowControl realFlowControl changed the base branch from master to PHP-8.3 July 22, 2025 10:54
nielsdos
nielsdos reviewed Jul 22, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nielsdos nielsdos nielsdos approved these changes

@dstogov dstogov Awaiting requested review from dstogov dstogov is a code owner

Assignees
No one assigned
Labels
Extension: opcache
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@realFlowControl @nielsdos
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy