Skip to content

Fix uaf of MBSTRG(all_encodings_list) #11822

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix uaf of MBSTRG(all_encodings_list) #11822

wants to merge 1 commit into from

Conversation

iluuu1994
Copy link
Member

We need to remove the value from the GC buffer before freeing it. Otherwise shutdown will uaf when running the gc.

@iluuu1994 iluuu1994 requested a review from alexdowad as a code owner July 29, 2023 15:13
@alexdowad
Copy link
Contributor

Thanks very much, @iluuu1994!

iluuu1994
iluuu1994 commented Jul 31, 2023
View reviewed changes
@iluuu1994
Fix uaf of MBSTRG(all_encodings_list)
793f22f 
We need to remove the value from the GC buffer before freeing it. Otherwise
shutdown will uaf when running the gc. Do that by switching from
zend_hash_destroy to zend_array_destroy, which should also be faster for freeing
members due to inlining of i_zval_ptr_dtor.
@iluuu1994 iluuu1994 force-pushed the all_encodings_list-uaf branch from 30570b6 to 793f22f Compare July 31, 2023 10:20
@iluuu1994 iluuu1994 closed this in 7364b7b Jul 31, 2023
jorgsowa pushed a commit to jorgsowa/php-src that referenced this pull request Aug 16, 2023
@iluuu1994
Fix uaf of MBSTRG(all_encodings_list)
65f205a 
We need to remove the value from the GC buffer before freeing it. Otherwise
shutdown will uaf when running the gc. Do that by switching from
zend_hash_destroy to zend_array_destroy, which should also be faster for freeing
members due to inlining of i_zval_ptr_dtor.

Closes phpGH-11822
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexdowad alexdowad alexdowad approved these changes

Assignees
No one assigned
Labels
Extension: mbstring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@iluuu1994 @alexdowad