
Fix use-after-free of object through __isset() and globals #18852

Adjust for lazy proxies
iluuu1994 committed Jun 23, 2025
commit abfa463c3654eb5b454dd3602913ae3424f9de42
6 changes: 4 additions & 2 deletions Zend/tests/gh18845.phpt
Expand Up @@ -17,11 +17,13 @@ var_dump($c->prop ?? 1);

$r = new ReflectionClass(C::class);
$c = $r->newLazyProxy(function () {
throw new Exception('Not reached');
$c = new C();
$c->prop = 2;
return $c;
});
var_dump($c->prop ?? 1);

?>
--EXPECT--
int(1)
int(1)
int(2)
27 changes: 18 additions & 9 deletions Zend/zend_object_handlers.c
Expand Up @@ -733,6 +733,8 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
uintptr_t property_offset;
const zend_property_info *prop_info = NULL;
uint32_t *guard = NULL;
bool obj_needs_deref = false;
zend_object *prev_zobj;

#if DEBUG_OBJECT_HANDLERS
fprintf(stderr, "Read object #%d property: %s\n", zobj->handle, ZSTR_VAL(name));
Expand Down Expand Up @@ -906,12 +908,8 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
goto call_getter;
}

bool obj_is_freed = GC_REFCOUNT(zobj) == 1;
OBJ_RELEASE(zobj);
if (UNEXPECTED(obj_is_freed)) {
retval = &EG(uninitialized_zval);
goto exit;
}
obj_needs_deref = true;
prev_zobj = zobj;
} else if (zobj->ce->__get && !((*guard) & IN_GET)) {
goto call_getter_addref;
}
Expand Down Expand Up @@ -960,7 +958,7 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
zobj = zend_lazy_object_init(zobj);
if (!zobj) {
retval = &EG(uninitialized_zval);
goto exit;
goto exit_slow;
}

if (UNEXPECTED(guard)) {
Expand All @@ -971,11 +969,12 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
(*guard) |= guard_type;
retval = zend_std_read_property(zobj, name, type, cache_slot, rv);
(*guard) &= ~guard_type;
return retval;
goto exit_slow;
}
}

return zend_std_read_property(zobj, name, type, cache_slot, rv);
retval = zend_std_read_property(zobj, name, type, cache_slot, rv);
goto exit_slow;
}
}
if (type != BP_VAR_IS) {
Expand All @@ -987,6 +986,16 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
}
retval = &EG(uninitialized_zval);

exit_slow:
if (obj_needs_deref) {
/* Move value to rv in case zobj gets destroyed. */
if (retval != rv) {
ZVAL_COPY(rv, retval);
retval = rv;
}
OBJ_RELEASE(prev_zobj);
}

exit:
return retval;
}
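Review bot: `prev_zobj` is declared in the -733 hunk without an initializer while `prop_info` and `guard` beside it are set to NULL, and its only reader at `exit_slow` is gated solely on `obj_needs_deref`, so the two variables carry one piece of state that a NULL-initialised pointer could carry alone: `zend_object *release_zobj = NULL;` at the declaration, `release_zobj = zobj;` where `obj_needs_deref = true;` is set today, and `if (release_zobj) { ... OBJ_RELEASE(release_zobj); }` at `exit_slow`. That also keeps `-Wmaybe-uninitialized` quiet on compilers that do not track the flag and the pointer together. The deferred release is only safe if every path reachable after the flag is set ends at `exit_slow` rather than at `exit` or a bare `return`; the code between the -906 and -960 hunks is not shown here, so any `goto exit` or `return` reachable from that point in it would now leak the reference the __isset path took, which is worth confirming before merge. A comment next to the flag assignment stating that invariant, e.g. `/* Release deferred to exit_slow: zobj must outlive the lazy-init path below, and retval is copied into rv before the release. */`, would make the contract visible to the next edit. zend_std_read_property begins before the first hunk.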