-rw-r--r--bug75579.patch76
-rw-r--r--php.spec7
2 files changed, 82 insertions, 1 deletions
diff --git a/bug75579.patch b/bug75579.patch
new file mode 100644
index 0000000..f69c853
--- /dev/null
+++ b/bug75579.patch
@@ -0,0 +1,76 @@
+From 841e7a192259e3e8ec34645176a2f4565e7e8877 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Thu, 21 Dec 2017 23:34:21 +0300
+Subject: [PATCH] Fixed bug #75579 (Interned strings buffer overflow may cause
+ crash)
+
+---
+ NEWS | 4 ++++
+ ext/opcache/zend_file_cache.c | 32 ++++++++++++++++++++++++++++++--
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/ext/opcache/zend_file_cache.c b/ext/opcache/zend_file_cache.c
+index fb6827a9fd70..344851ec44a2 100644
+--- a/ext/opcache/zend_file_cache.c
++++ b/ext/opcache/zend_file_cache.c
+@@ -227,8 +227,17 @@ static void *zend_file_cache_unserialize_interned(zend_string *str, int in_shm)
+ if (in_shm) {
+ ret = accel_new_interned_string(str);
+ if (ret == str) {
++ /* We have to create new SHM allocated string */
++ size_t size = _ZSTR_STRUCT_SIZE(ZSTR_LEN(str));
++ ret = zend_shared_alloc(size);
++ if (!ret) {
++ zend_accel_schedule_restart_if_necessary(ACCEL_RESTART_OOM);
++ LONGJMP(*EG(bailout), FAILURE);
++ }
++ memcpy(ret, str, size);
+ /* String wasn't interned but we will use it as interned anyway */
+- GC_FLAGS(ret) |= IS_STR_INTERNED | IS_STR_PERMANENT;
++ GC_REFCOUNT(ret) = 1;
++ GC_TYPE_INFO(ret) = IS_STRING | ((IS_STR_INTERNED | IS_STR_PERSISTENT | IS_STR_PERMANENT) << 8);
+ }
+ } else {
+ ret = str;
+@@ -1303,6 +1312,7 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
+ zend_accel_hash_entry *bucket;
+ void *mem, *checkpoint, *buf;
+ int cache_it = 1;
++ int ok;
+
+ if (!full_path) {
+ return NULL;
+@@ -1395,6 +1405,7 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
+
+ if (!ZCG(accel_directives).file_cache_only &&
+ !ZCSG(restart_in_progress) &&
++ !ZSMMG(memory_exhausted) &&
+ accelerator_shm_read_lock() == SUCCESS) {
+ /* exclusive lock */
+ zend_shared_alloc_lock();
+@@ -1444,7 +1455,24 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
+ ZCG(mem) = ((char*)mem + info.mem_size);
+ script = (zend_persistent_script*)((char*)buf + info.script_offset);
+ script->corrupted = !cache_it; /* used to check if script restored to SHM or process memory */
+- zend_file_cache_unserialize(script, buf);
++
++ ok = 1;
++ zend_try {
++ zend_file_cache_unserialize(script, buf);
++ } zend_catch {
++ ok = 0;
++ } zend_end_try();
++ if (!ok) {
++ if (cache_it) {
++ zend_shared_alloc_unlock();
++ goto use_process_mem;
++ } else {
++ zend_arena_release(&CG(arena), checkpoint);
++ efree(filename);
++ return NULL;
++ }
++ }
++
+ script->corrupted = 0;
+
+ if (cache_it) {
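Review bot: The new `if (!ok)` recovery branch, when `cache_it` is set, unlocks and jumps to `use_process_mem` without releasing the shared-memory region that `mem`/`buf` appear to point into, so a bailout leaves a partially restored script block in SHM. That looks intentional rather than a leak, since the only bailout source added in this patch (`zend_file_cache_unserialize_interned`) first calls `zend_accel_schedule_restart_if_necessary(ACCEL_RESTART_OOM)` and the new `!ZSMMG(memory_exhausted)` guard keeps later loads off that path until the restart, but nothing in the code states the coupling. A comment on the branch, `/* bailout means SHM is exhausted and a restart is already scheduled; the partially restored block is abandoned, not freed */`, would stop a later change from "fixing" the leak or dropping the restart call. Whether the read lock taken by `accelerator_shm_read_lock()` is released on the `use_process_mem` path cannot be seen here; zend_file_cache_script_load continues outside the hunk.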
diff --git a/php.spec b/php.spec
index 29ae7b8..c140e4a 100644
--- a/php.spec
+++ b/php.spec
@@ -130,7 +130,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 1%{?dist}
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -182,6 +182,7 @@ Patch47: php-5.6.3-phpinfo.patch
Patch91: php-7.2.0-oci8conf.patch
# Upstream fixes (100+)
+Patch100: bug75579.patch
# Security fixes (200+)
@@ -914,6 +915,7 @@ low-level PHP extension for the libsodium cryptographic library.
%patch91 -p1 -b .remi-oci8
# upstream patches
+%patch100 -p1 -b .upstream
# security patches
@@ -1839,6 +1841,9 @@ fi
%changelog
+* Fri Dec 29 2017 Remi Collet <remi@remirepo.net> - 7.2.1~RC1-2
+- add upstream patch for https://bugs.php.net/75579
+
* Wed Dec 13 2017 Remi Collet <remi@remirepo.net> - 7.2.1~RC1-1
- update to 7.2.1RC1