[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
This bug was fixed in the package php8.1 - 8.1.2-1ubuntu2.15 --- php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from dangling pointer on attribute observer. (LP: #2054621) * d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv during memory overflow recovery on attribute observer. -- Brian Morton Fri, 23 Feb 2024 12:26:53 -0500 ** Changed in: php8.1 (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
hoteldruid/3.0.3-1 (arm64) mediawiki/1:1.35.6-1 (arm64) php-imagick/3.6.0-4ubuntu1 (amd64, arm64, armhf, ppc64el, s390x) php8.1/8.1.2-1ubuntu2.15 (arm64, i386) These were either flaky tests (re-triggering fixed the issue) or failures unrelated to this SRU (migration-reference/0 runs failed). We should proceed with the SRU. ** Tags removed: verification-needed verification-needed-jammy ** Tags added: verification-done verification-done-jammy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
I verified this change by running the script described in the test plan above. with php8.1 8.1.2-1ubuntu2.14, the two tests run fail. With the version in proposed, 8.1.2-1ubuntu2.15, they pass: Running selected tests. PASS Bug #81430 (Attribute instantiation frame accessing invalid frame pointer) [ext/zend_test/tests/observer_bug81430_1.phpt] PASS Bug #81430 (Attribute instantiation leaves dangling execute_data pointer) [ext/zend_test/tests/observer_bug81430_2.phpt] Before marking this bug as verified, I will investigate the autopkgtest issues listed above. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Description changed:
SRU Justification
[ Impact ]
Invoking reflection via the observer API on a class with an attribute
annotation causes a dangling pointer and segmentation fault. Certain PHP
extensions may register an observer of an attribute instantiation using
reflection. Since Laravel 9+ and Symfony make use of attribute
annotations, it's a fairly common case that can be reproduced using the
Datadog PHP extension and any Laravel application. See
https://github.com/DataDog/dd-trace-php/issues/1734.
This bug was fixed in PHP 8.1.3 https://bugs.php.net/bug.php?id=81430 in
the PR https://github.com/php/php-src/pull/7885/files
This bug potentially impacts the stability of the LTS release for anyone
using Laravel or Symfony which are very popular frameworks alongside
tracing extensions.
[ Test Plan ]
Run the upstream tests included within this fix. To do so, an upstream
development/testing PHP extension for zend introspection is required. We
will provide the modified package source code so anyone verifying this
bug can build it.
The new package to be built is named "php8.1-ztest".
The modified php8.1 source code to generate the php8.1-ztest package is
located in https://code.launchpad.net/~athos-
ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext-nofix for a
first test to confirm the bug. The test should not meet the described
expectation.
The following script should allow you to reproduce the bug:
# BEGIN REPRODUCER #
#!/bin/bash
set -eux
trap cleanup EXIT
-
TEST_CONTAINER=lp-2054621-php-dangling-ptr-reproduce
TEMP_DIR=$(mktemp -d)
cleanup() {
- rm -rf ${TEMP_DIR}
- lxc delete -f ${TEST_CONTAINER}
+ rm -rf ${TEMP_DIR}
+ lxc delete -f ${TEST_CONTAINER}
}
pushd ${TEMP_DIR}
git ubuntu clone php8.1
pushd php8.1
# git ubuntu remote add athos-ribeiro
# let's build the php8.1-ztest packages matching the version from the release
pocket
git checkout zend-test-ext-nofix
git ubuntu export-orig
-
sbuild -d jammy
popd
lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
lxc file push php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb
${TEST_CONTAINER}/var/tmp/
lxc exec ${TEST_CONTAINER} -- apt update
lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt
lxc exec ${TEST_CONTAINER} -- apt install -y
/var/tmp/php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb
# we want the test files shipped with the fix
lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1
https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1
/usr/local/src/php8.1
lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches
${TEST_CONTAINER} -- quilt push -a
# This should fail
lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php
-P ext/zend_test/tests/observer_bug81430_1.phpt
ext/zend_test/tests/observer_bug81430_2.phpt
# END REPRODUCER #
The modified php8.1 source code to generate the php8.1-ztest package is
located in https://code.launchpad.net/~athos-
ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext for a
second test to confirm the fix. The test should now meet the
expectations described in the test itself.
Note that the versions for the packages shipping "php8.1-ztest" are
intentionally conflicting with the version in jammy and the version
being proposed with the fix. This is because the generated php8.1-ztest
requires other packages built from the php8.1 source in its exact same
version.
Do remember that you should only install "php8.1-ztest" from these
custom packages. The remaining php8.1 binaries should be installed from
the Ubuntu archive.
-
The following script should allow you to verify the fix:
# BEGIN CHECKER #
#!/bin/bash
set -eux
trap cleanup EXIT
-
TEST_CONTAINER=lp-2054621-php-dangling-ptr-verify
TEMP_DIR=$(mktemp -d)
cleanup() {
- rm -rf ${TEMP_DIR}
- lxc delete -f ${TEST_CONTAINER}
+ rm -rf ${TEMP_DIR}
+ lxc delete -f ${TEST_CONTAINER}
}
pushd ${TEMP_DIR}
cat < ubuntu-jammy-proposed.list
deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main
multiverse universe
EOF
git ubuntu clone php8.1
pushd php8.1
# git ubuntu remote add athos-ribeiro
# let's build the php8.1-ztest packages matching the fixed version
git checkout zend-test-ext
git ubuntu export-orig
sbuild -d jammy
popd
lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
lxc file push php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb
${TEST_CONTAINER}/var/tmp/
lxc exec ${TEST_CONTAINER} -- apt update
lxc exec ${TEST_CONTAINER} -- apt install -y git quilt
# install php from proposed
- lxc file push ubuntu-jammy-propoed.list
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
I see some: # git ubuntu remote add athos-ribeiro # let's build the php8.1-ztest packages matching the version from the release pocket git checkout zend-test-ext-nofix I suppose you didn't mean to comment the remote add? Also, this requires the git-ubuntu snap being installed. Which is fine, it's just not in the instructions, so beware. ** Changed in: php8.1 (Ubuntu Jammy) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-jammy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Changed in: php8.1 (Ubuntu Jammy) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
Test plan updated.
** Description changed:
SRU Justification
[ Impact ]
Invoking reflection via the observer API on a class with an attribute
annotation causes a dangling pointer and segmentation fault. Certain PHP
extensions may register an observer of an attribute instantiation using
reflection. Since Laravel 9+ and Symfony make use of attribute
annotations, it's a fairly common case that can be reproduced using the
Datadog PHP extension and any Laravel application. See
https://github.com/DataDog/dd-trace-php/issues/1734.
This bug was fixed in PHP 8.1.3 https://bugs.php.net/bug.php?id=81430 in
the PR https://github.com/php/php-src/pull/7885/files
This bug potentially impacts the stability of the LTS release for anyone
using Laravel or Symfony which are very popular frameworks alongside
tracing extensions.
[ Test Plan ]
Run the upstream tests included within this fix. To do so, an upstream
development/testing PHP extension for zend introspection is required. We
will provide the modified package source code so anyone verifying this
bug can build it.
The new package to be built is named "php8.1-ztest".
The modified php8.1 source code to generate the php8.1-ztest package is
located in https://code.launchpad.net/~athos-
ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext-nofix for a
first test to confirm the bug. The test should not meet the described
expectation.
+ The following script should allow you to reproduce the bug:
+
+ # BEGIN REPRODUCER #
+
+ #!/bin/bash
+
+ set -eux
+
+ trap cleanup EXIT
+
+
+ TEST_CONTAINER=lp-2054621-php-dangling-ptr-reproduce
+ TEMP_DIR=$(mktemp -d)
+
+ cleanup() {
+ rm -rf ${TEMP_DIR}
+ lxc delete -f ${TEST_CONTAINER}
+ }
+
+ pushd ${TEMP_DIR}
+
+ git ubuntu clone php8.1
+ pushd php8.1
+ # git ubuntu remote add athos-ribeiro
+ # let's build the php8.1-ztest packages matching the version from the release
pocket
+ git checkout zend-test-ext-nofix
+ git ubuntu export-orig
+
+
+ sbuild -d jammy
+ popd
+
+ lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
+ lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
+
+ lxc file push php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb
${TEST_CONTAINER}/var/tmp/
+ lxc exec ${TEST_CONTAINER} -- apt update
+ lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt
+ lxc exec ${TEST_CONTAINER} -- apt install -y
/var/tmp/php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb
+ # we want the test files shipped with the fix
+ lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1
https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1
/usr/local/src/php8.1
+ lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches
${TEST_CONTAINER} -- quilt push -a
+
+ # This should fail
+ lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php
-P ext/zend_test/tests/observer_bug81430_1.phpt
ext/zend_test/tests/observer_bug81430_2.phpt
+
+ # END REPRODUCER #
+
The modified php8.1 source code to generate the php8.1-ztest package is
located in https://code.launchpad.net/~athos-
ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext for a
second test to confirm the fix. The test should now meet the
expectations described in the test itself.
Note that the versions for the packages shipping "php8.1-ztest" are
intentionally conflicting with the version in jammy and the version
being proposed with the fix. This is because the generated php8.1-ztest
requires other packages built from the php8.1 source in its exact same
version.
Do remember that you should only install "php8.1-ztest" from these
custom packages. The remaining php8.1 binaries should be installed from
the Ubuntu archive.
+
+ The following script should allow you to verify the fix:
+
+ # BEGIN CHECKER #
+
+ #!/bin/bash
+
+ set -eux
+
+ trap cleanup EXIT
+
+
+ TEST_CONTAINER=lp-2054621-php-dangling-ptr-verify
+ TEMP_DIR=$(mktemp -d)
+
+ cleanup() {
+ rm -rf ${TEMP_DIR}
+ lxc delete -f ${TEST_CONTAINER}
+ }
+
+ pushd ${TEMP_DIR}
+
+ cat < ubuntu-jammy-proposed.list
+ deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main
multiverse universe
+ EOF
+
+ git ubuntu clone php8.1
+ pushd php8.1
+ # git ubuntu remote add athos-ribeiro
+ # let's build the php8.1-ztest packages matching the fixed version
+ git checkout zend-test-ext
+ git ubuntu export-orig
+
+ sbuild -d jammy
+ popd
+
+ lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
+ lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
+
+ lxc file push php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb
${TEST_CONTAINER}/var/tmp/
+ lxc exec ${TEST_CONTAINER} -- apt update
+ lxc exec ${TEST_CONTAINER} -- apt install -y git quilt
+ # install php from proposed
+ lxc file push ubuntu-jammy-propoed.list
${TEST_CONTAINER}/etc/apt/sources.list.d/
+ lxc exec ${TEST_CONTAINER} -- apt update
+ lxc exec ${TEST_CONTAINER} -- apt install -y
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
This is fixed in PHP >= 8.1.3 (https://github.com/php/php- src/commit/2f6a06ccb0ef78e6122bb9e67f9b8b1ad07776e1) I will update the test plan. Thanks, Robie. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
8.2 and 8.3 are unaffected. I'll let Athos chime in with the steps necessary. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
What's the status of this bug in Mantic and Noble please? Were 8.2 and 8.3 ever affected, and if so, in which versions were they fixed? I couldn't figure this out within a few minutes - sorry! > [ Test Plan ] > Run the upstream tests included within this fix. To do so, an upstream development/testing PHP extension for zend introspection is required. Please could you provide the steps to follow to run the upstream tests included in this fix? This should be in enough detail that a developer who is not familiar with this package should be able to follow it. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Summary changed: - PHP crashes on Laravel 9+ with certain extensions + Fix PHP crashes due to accessing dangling pointers -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054621 Title: Fix PHP crashes due to accessing dangling pointers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
