Fix GH-13612: Corrupted memory in destructor with weak references

nielsdos · nielsdos · commit 39b8d5c871a4 · 2024-03-08T18:26:17.000+01:00
Inside `zend_object_std_dtor` the weakrefs are notified after the destruction of properties already took place. In this test case, the destructor of an anon class will be invoked due to the property destruction. That class has a weak reference to its parent. This means that the destructor can access parent properties that already have been destroyed, resulting in a UAF. Fix this by notifying the weakrefs at the start of the object's destruction. Closes GH-13613.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.18
 
+- Core:
+  . Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
+    (nielsdos)
+
 - Gettext:
   - Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
     with category set to LC_ALL. (David Carlier)
diff --git a/Zend/tests/weakrefs/gh13612.phpt b/Zend/tests/weakrefs/gh13612.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GH-13612 (Corrupted memory in destructor with weak references)
+--FILE--
+<?php
+
+class WeakAnalysingMapRepro
+{
+    public array $destroyed = [];
+    public array $ownerDestructorHandlers = [];
+
+    public function __construct()
+    {
+        $handler = new class($this) {
+            private \WeakReference $weakAnalysingMap;
+
+            public function __construct(WeakAnalysingMapRepro $analysingMap)
+            {
+                $this->weakAnalysingMap = \WeakReference::create($analysingMap);
+            }
+
+            public function __destruct()
+            {
+                var_dump($this->weakAnalysingMap->get());
+            }
+        };
+
+        $this->destroyed[] = 1;
+        $this->ownerDestructorHandlers[] = $handler;
+    }
+}
+
+new WeakAnalysingMapRepro();
+
+echo "Done\n";
+
+?>
+--EXPECT--
+NULL
+Done
diff --git a/Zend/zend_objects.c b/Zend/zend_objects.c
@@ -47,6 +47,10 @@ ZEND_API void zend_object_std_dtor(zend_object *object)
 {
 	zval *p, *end;
 
+	if (UNEXPECTED(GC_FLAGS(object) & IS_OBJ_WEAKLY_REFERENCED)) {
+		zend_weakrefs_notify(object);
+	}
+
 	if (object->properties) {
 		if (EXPECTED(!(GC_FLAGS(object->properties) & IS_ARRAY_IMMUTABLE))) {
 			if (EXPECTED(GC_DELREF(object->properties) == 0)
@@ -85,10 +89,6 @@ ZEND_API void zend_object_std_dtor(zend_object *object)
 			FREE_HASHTABLE(guards);
 		}
 	}
-
-	if (UNEXPECTED(GC_FLAGS(object) & IS_OBJ_WEAKLY_REFERENCED)) {
-		zend_weakrefs_notify(object);
-	}
 }
 
 ZEND_API void zend_objects_destroy_object(zend_object *object)

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,10 @@ ZEND_API void zend_object_std_dtor(zend_object *object)`
`47`	`47`	`{`
`48`	`48`	`zval p, end;`
`49`	`49`
	`50`	`+ if (UNEXPECTED(GC_FLAGS(object) & IS_OBJ_WEAKLY_REFERENCED)) {`
	`51`	`+ zend_weakrefs_notify(object);`
	`52`	`+ }`
	`53`	`+`
`50`	`54`	`if (object->properties) {`
`51`	`55`	`if (EXPECTED(!(GC_FLAGS(object->properties) & IS_ARRAY_IMMUTABLE))) {`
`52`	`56`	`if (EXPECTED(GC_DELREF(object->properties) == 0)`
`@@ -85,10 +89,6 @@ ZEND_API void zend_object_std_dtor(zend_object *object)`
`85`	`89`	`FREE_HASHTABLE(guards);`
`86`	`90`	`}`
`87`	`91`	`}`
`88`		`-`
`89`		`- if (UNEXPECTED(GC_FLAGS(object) & IS_OBJ_WEAKLY_REFERENCED)) {`
`90`		`- zend_weakrefs_notify(object);`
`91`		`- }`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`ZEND_API void zend_objects_destroy_object(zend_object *object)`