[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
This bug was fixed in the package php8.1 - 8.1.2-1ubuntu2.15

---
php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium

  * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from dangling pointer on attribute observer. (LP: #2054621)
  * d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv during memory overflow recovery on attribute observer.

 -- Brian Morton Fri, 23 Feb 2024 12:26:53 -0500

** Changed in: php8.1 (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2054621

Title:
  Fix PHP crashes due to accessing dangling pointers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
hoteldruid/3.0.3-1 (arm64)
mediawiki/1:1.35.6-1 (arm64)
php-imagick/3.6.0-4ubuntu1 (amd64, arm64, armhf, ppc64el, s390x)
php8.1/8.1.2-1ubuntu2.15 (arm64, i386)

These were either flaky tests (re-triggering fixed the issue) or failures unrelated to this SRU (migration-reference/0 runs failed).

We should proceed with the SRU.

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
I verified this change by running the script described in the test plan above.

With php8.1 8.1.2-1ubuntu2.14, the two tests run fail. With the version in proposed, 8.1.2-1ubuntu2.15, they pass:

Running selected tests.
PASS Bug #81430 (Attribute instantiation frame accessing invalid frame pointer) [ext/zend_test/tests/observer_bug81430_1.phpt]
PASS Bug #81430 (Attribute instantiation leaves dangling execute_data pointer) [ext/zend_test/tests/observer_bug81430_2.phpt]

Before marking this bug as verified, I will investigate the autopkgtest issues listed above.
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Description changed: SRU Justification [ Impact ] Invoking reflection via the observer API on a class with an attribute annotation causes a dangling pointer and segmentation fault. Certain PHP extensions may register an observer of an attribute instantiation using reflection. Since Laravel 9+ and Symfony make use of attribute annotations, it's a fairly common case that can be reproduced using the Datadog PHP extension and any Laravel application. See https://github.com/DataDog/dd-trace-php/issues/1734. This bug was fixed in PHP 8.1.3 https://bugs.php.net/bug.php?id=81430 in the PR https://github.com/php/php-src/pull/7885/files This bug potentially impacts the stability of the LTS release for anyone using Laravel or Symfony which are very popular frameworks alongside tracing extensions. [ Test Plan ] Run the upstream tests included within this fix. To do so, an upstream development/testing PHP extension for zend introspection is required. We will provide the modified package source code so anyone verifying this bug can build it. The new package to be built is named "php8.1-ztest". The modified php8.1 source code to generate the php8.1-ztest package is located in https://code.launchpad.net/~athos- ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext-nofix for a first test to confirm the bug. The test should not meet the described expectation. 
The following script should allow you to reproduce the bug: # BEGIN REPRODUCER # #!/bin/bash set -eux trap cleanup EXIT - TEST_CONTAINER=lp-2054621-php-dangling-ptr-reproduce TEMP_DIR=$(mktemp -d) cleanup() { - rm -rf ${TEMP_DIR} - lxc delete -f ${TEST_CONTAINER} + rm -rf ${TEMP_DIR} + lxc delete -f ${TEST_CONTAINER} } pushd ${TEMP_DIR} git ubuntu clone php8.1 pushd php8.1 # git ubuntu remote add athos-ribeiro # let's build the php8.1-ztest packages matching the version from the release pocket git checkout zend-test-ext-nofix git ubuntu export-orig - sbuild -d jammy popd lxc launch ubuntu-daily:jammy ${TEST_CONTAINER} lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src lxc file push php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb ${TEST_CONTAINER}/var/tmp/ lxc exec ${TEST_CONTAINER} -- apt update lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt lxc exec ${TEST_CONTAINER} -- apt install -y /var/tmp/php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb # we want the test files shipped with the fix lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1 /usr/local/src/php8.1 lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches ${TEST_CONTAINER} -- quilt push -a # This should fail lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php -P ext/zend_test/tests/observer_bug81430_1.phpt ext/zend_test/tests/observer_bug81430_2.phpt # END REPRODUCER # The modified php8.1 source code to generate the php8.1-ztest package is located in https://code.launchpad.net/~athos- ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext for a second test to confirm the fix. The test should now meet the expectations described in the test itself. Note that the versions for the packages shipping "php8.1-ztest" are intentionally conflicting with the version in jammy and the version being proposed with the fix. 
This is because the generated php8.1-ztest requires other packages built from the php8.1 source in its exact same version. Do remember that you should only install "php8.1-ztest" from these custom packages. The remaining php8.1 binaries should be installed from the Ubuntu archive. - The following script should allow you to verify the fix: # BEGIN CHECKER # #!/bin/bash set -eux trap cleanup EXIT - TEST_CONTAINER=lp-2054621-php-dangling-ptr-verify TEMP_DIR=$(mktemp -d) cleanup() { - rm -rf ${TEMP_DIR} - lxc delete -f ${TEST_CONTAINER} + rm -rf ${TEMP_DIR} + lxc delete -f ${TEST_CONTAINER} } pushd ${TEMP_DIR} cat < ubuntu-jammy-proposed.list deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main multiverse universe EOF git ubuntu clone php8.1 pushd php8.1 # git ubuntu remote add athos-ribeiro # let's build the php8.1-ztest packages matching the fixed version git checkout zend-test-ext git ubuntu export-orig sbuild -d jammy popd lxc launch ubuntu-daily:jammy ${TEST_CONTAINER} lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src lxc file push php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb ${TEST_CONTAINER}/var/tmp/ lxc exec ${TEST_CONTAINER} -- apt update lxc exec ${TEST_CONTAINER} -- apt install -y git quilt # install php from proposed - lxc file push ubuntu-jammy-propoed.list
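Review bot: in the REPRODUCER script, `git checkout zend-test-ext-nofix` comes directly after the commented-out `# git ubuntu remote add athos-ribeiro`, so the script only works if that branch is already reachable from the fresh `git ubuntu clone php8.1` tree; under `set -eux` a failed checkout aborts the run before anything is built. Either restore the `remote add` line or fetch the branch from the same ~athos-ribeiro repository the script later clones with `git clone -b zend-test-ext`. The CHECKER script repeats the pattern before `git checkout zend-test-ext`. The test plan should also name git-ubuntu, sbuild and lxc as prerequisites, since the scripts call all three, and `rm -rf ${TEMP_DIR}` in `cleanup()` is safer quoted as `"${TEMP_DIR}"`.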
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
I see some:

  # git ubuntu remote add athos-ribeiro
  # let's build the php8.1-ztest packages matching the version from the release pocket
  git checkout zend-test-ext-nofix

I suppose you didn't mean to comment the remote add?

Also, this requires the git-ubuntu snap being installed. Which is fine, it's just not in the instructions, so beware.

** Changed in: php8.1 (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Changed in: php8.1 (Ubuntu Jammy)
   Status: Triaged => In Progress
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
Test plan updated. ** Description changed: SRU Justification [ Impact ] Invoking reflection via the observer API on a class with an attribute annotation causes a dangling pointer and segmentation fault. Certain PHP extensions may register an observer of an attribute instantiation using reflection. Since Laravel 9+ and Symfony make use of attribute annotations, it's a fairly common case that can be reproduced using the Datadog PHP extension and any Laravel application. See https://github.com/DataDog/dd-trace-php/issues/1734. This bug was fixed in PHP 8.1.3 https://bugs.php.net/bug.php?id=81430 in the PR https://github.com/php/php-src/pull/7885/files This bug potentially impacts the stability of the LTS release for anyone using Laravel or Symfony which are very popular frameworks alongside tracing extensions. [ Test Plan ] Run the upstream tests included within this fix. To do so, an upstream development/testing PHP extension for zend introspection is required. We will provide the modified package source code so anyone verifying this bug can build it. The new package to be built is named "php8.1-ztest". The modified php8.1 source code to generate the php8.1-ztest package is located in https://code.launchpad.net/~athos- ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext-nofix for a first test to confirm the bug. The test should not meet the described expectation. 
+ The following script should allow you to reproduce the bug: + + # BEGIN REPRODUCER # + + #!/bin/bash + + set -eux + + trap cleanup EXIT + + + TEST_CONTAINER=lp-2054621-php-dangling-ptr-reproduce + TEMP_DIR=$(mktemp -d) + + cleanup() { + rm -rf ${TEMP_DIR} + lxc delete -f ${TEST_CONTAINER} + } + + pushd ${TEMP_DIR} + + git ubuntu clone php8.1 + pushd php8.1 + # git ubuntu remote add athos-ribeiro + # let's build the php8.1-ztest packages matching the version from the release pocket + git checkout zend-test-ext-nofix + git ubuntu export-orig + + + sbuild -d jammy + popd + + lxc launch ubuntu-daily:jammy ${TEST_CONTAINER} + lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src + + lxc file push php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb ${TEST_CONTAINER}/var/tmp/ + lxc exec ${TEST_CONTAINER} -- apt update + lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt + lxc exec ${TEST_CONTAINER} -- apt install -y /var/tmp/php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb + # we want the test files shipped with the fix + lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1 /usr/local/src/php8.1 + lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches ${TEST_CONTAINER} -- quilt push -a + + # This should fail + lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php -P ext/zend_test/tests/observer_bug81430_1.phpt ext/zend_test/tests/observer_bug81430_2.phpt + + # END REPRODUCER # + The modified php8.1 source code to generate the php8.1-ztest package is located in https://code.launchpad.net/~athos- ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext for a second test to confirm the fix. The test should now meet the expectations described in the test itself. Note that the versions for the packages shipping "php8.1-ztest" are intentionally conflicting with the version in jammy and the version being proposed with the fix. 
This is because the generated php8.1-ztest requires other packages built from the php8.1 source in its exact same version. Do remember that you should only install "php8.1-ztest" from these custom packages. The remaining php8.1 binaries should be installed from the Ubuntu archive. + + The following script should allow you to verify the fix: + + # BEGIN CHECKER # + + #!/bin/bash + + set -eux + + trap cleanup EXIT + + + TEST_CONTAINER=lp-2054621-php-dangling-ptr-verify + TEMP_DIR=$(mktemp -d) + + cleanup() { + rm -rf ${TEMP_DIR} + lxc delete -f ${TEST_CONTAINER} + } + + pushd ${TEMP_DIR} + + cat < ubuntu-jammy-proposed.list + deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main multiverse universe + EOF + + git ubuntu clone php8.1 + pushd php8.1 + # git ubuntu remote add athos-ribeiro + # let's build the php8.1-ztest packages matching the fixed version + git checkout zend-test-ext + git ubuntu export-orig + + sbuild -d jammy + popd + + lxc launch ubuntu-daily:jammy ${TEST_CONTAINER} + lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src + + lxc file push php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb ${TEST_CONTAINER}/var/tmp/ + lxc exec ${TEST_CONTAINER} -- apt update + lxc exec ${TEST_CONTAINER} -- apt install -y git quilt + # install php from proposed + lxc file push ubuntu-jammy-propoed.list ${TEST_CONTAINER}/etc/apt/sources.list.d/ + lxc exec ${TEST_CONTAINER} -- apt update + lxc exec ${TEST_CONTAINER} -- apt install -y
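Review bot: in the CHECKER script the sources file is pushed as `ubuntu-jammy-propoed.list`, while the heredoc above it writes `ubuntu-jammy-proposed.list`, so `lxc file push` would find no such file and `set -eux` would stop the script before PHP is installed from jammy-proposed; use the same file name in both places. As shown here the heredoc line reads `cat < ubuntu-jammy-proposed.list` with a closing `EOF` but no `<<EOF` opener, so confirm the description carries `cat <<EOF > ubuntu-jammy-proposed.list`. Both scripts also check out a branch right after a commented-out `# git ubuntu remote add athos-ribeiro`, which leaves the checkout dependent on the remote already being configured.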
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
This is fixed in PHP >= 8.1.3 (https://github.com/php/php-src/commit/2f6a06ccb0ef78e6122bb9e67f9b8b1ad07776e1)

I will update the test plan. Thanks, Robie.
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
8.2 and 8.3 are unaffected. I'll let Athos chime in with the steps necessary.
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
What's the status of this bug in Mantic and Noble please? Were 8.2 and 8.3 ever affected, and if so, in which versions were they fixed? I couldn't figure this out within a few minutes - sorry!

> [ Test Plan ]
> Run the upstream tests included within this fix. To do so, an upstream development/testing PHP extension for zend introspection is required.

Please could you provide the steps to follow to run the upstream tests included in this fix? This should be in enough detail that a developer who is not familiar with this package should be able to follow it.

Thanks!
[Bug 2054621] Re: Fix PHP crashes due to accessing dangling pointers
** Summary changed: - PHP crashes on Laravel 9+ with certain extensions + Fix PHP crashes due to accessing dangling pointers