** Description changed:

  SRU Justification
  
  [ Impact ]
  
  Invoking reflection via the observer API on a class with an attribute
  annotation causes a dangling pointer and segmentation fault. Certain PHP
  extensions may register an observer of an attribute instantiation using
  reflection. Since Laravel 9+ and Symfony make use of attribute
  annotations, it's a fairly common case that can be reproduced using the
  Datadog PHP extension and any Laravel application. See
  https://github.com/DataDog/dd-trace-php/issues/1734.
  
  This bug was fixed in PHP 8.1.3 https://bugs.php.net/bug.php?id=81430 in
  the PR https://github.com/php/php-src/pull/7885/files
  
  This bug potentially impacts the stability of the LTS release for anyone
  using Laravel or Symfony which are very popular frameworks alongside
  tracing extensions.
  
  [ Test Plan ]
  
  Run the upstream tests included within this fix. To do so, an upstream
  development/testing PHP extension for zend introspection is required. We
  will provide the modified package source code so anyone verifying this
  bug can build it.
  
  The new package to be built is named "php8.1-ztest".
  
  The modified php8.1 source code to generate the php8.1-ztest package is
  located in https://code.launchpad.net/~athos-
  ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext-nofix for a
  first test to confirm the bug. The test should not meet the described
  expectation.
  
  The following script should allow you to reproduce the bug:
  
  ##### BEGIN REPRODUCER #####
  
  #!/bin/bash
  
  set -eux
  
  trap cleanup EXIT
  
- 
  TEST_CONTAINER=lp-2054621-php-dangling-ptr-reproduce
  TEMP_DIR=$(mktemp -d)
  
  cleanup() {
-   rm -rf ${TEMP_DIR}
-   lxc delete -f ${TEST_CONTAINER}
+   rm -rf ${TEMP_DIR}
+   lxc delete -f ${TEST_CONTAINER}
  }
  
  pushd ${TEMP_DIR}
  
  git ubuntu clone php8.1
  pushd php8.1
  # git ubuntu remote add athos-ribeiro
  # let's build the php8.1-ztest packages matching the version from the release 
pocket
  git checkout zend-test-ext-nofix
  git ubuntu export-orig
- 
  
  sbuild -d jammy
  popd
  
  lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
  lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
  
  lxc file push php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb 
${TEST_CONTAINER}/var/tmp/
  lxc exec ${TEST_CONTAINER} -- apt update
  lxc exec ${TEST_CONTAINER} -- apt install -y php git quilt
  lxc exec ${TEST_CONTAINER} -- apt install -y 
/var/tmp/php8.1-ztest_8.1.2-1ubuntu2.14_amd64.deb
  # we want the test files shipped with the fix
  lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 
https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1 
/usr/local/src/php8.1
  lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches 
${TEST_CONTAINER} -- quilt push -a
  
  # This should fail
  lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php 
-P ext/zend_test/tests/observer_bug81430_1.phpt 
ext/zend_test/tests/observer_bug81430_2.phpt
  
  ##### END REPRODUCER #####
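
Review bot: in cleanup() the re-indented `rm -rf ${TEMP_DIR}` and `lxc delete -f ${TEST_CONTAINER}` still expand unquoted, and the trap runs them on every exit. Under `set -eux`, a failure before `lxc launch` (for example in `sbuild -d jammy`) makes `lxc delete -f` run against a container that was never created, which adds a second, unrelated error to the trace. Suggest `rm -rf -- "${TEMP_DIR}"` and `lxc delete -f "${TEST_CONTAINER}" || true`. Separately, the `# This should fail` step relies on the script aborting, so by exit status alone an expected test failure looks the same as a build or apt failure earlier on; wrapping the run-tests.php call in an `if` that reports an unexpected pass would make the result explicit.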
  
  The modified php8.1 source code to generate the php8.1-ztest package is
  located in https://code.launchpad.net/~athos-
  ribeiro/ubuntu/+source/php8.1/+git/php8.1/+ref/zend-test-ext for a
  second test to confirm the fix. The test should now meet the
  expectations described in the test itself.
  
  Note that the versions for the packages shipping "php8.1-ztest" are
  intentionally conflicting with the version in jammy and the version
  being proposed with the fix. This is because the generated php8.1-ztest
  requires other packages built from the php8.1 source in its exact same
  version.
  
  Do remember that you should only install "php8.1-ztest" from these
  custom packages. The remaining php8.1 binaries should be installed from
  the Ubuntu archive.
  
- 
  The following script should allow you to verify the fix:
  
  ##### BEGIN CHECKER #####
  
  #!/bin/bash
  
  set -eux
  
  trap cleanup EXIT
  
- 
  TEST_CONTAINER=lp-2054621-php-dangling-ptr-verify
  TEMP_DIR=$(mktemp -d)
  
  cleanup() {
-   rm -rf ${TEMP_DIR}
-   lxc delete -f ${TEST_CONTAINER}
+   rm -rf ${TEMP_DIR}
+   lxc delete -f ${TEST_CONTAINER}
  }
  
  pushd ${TEMP_DIR}
  
  cat <<EOF > ubuntu-jammy-proposed.list
  deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main 
multiverse universe
  EOF
  
  git ubuntu clone php8.1
  pushd php8.1
  # git ubuntu remote add athos-ribeiro
  # let's build the php8.1-ztest packages matching the fixed version
  git checkout zend-test-ext
  git ubuntu export-orig
  
  sbuild -d jammy
  popd
  
  lxc launch ubuntu-daily:jammy ${TEST_CONTAINER}
  lxc exec ${TEST_CONTAINER} -- mkdir -p /usr/local/src
  
  lxc file push php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb 
${TEST_CONTAINER}/var/tmp/
  lxc exec ${TEST_CONTAINER} -- apt update
  lxc exec ${TEST_CONTAINER} -- apt install -y git quilt
  # install php from proposed
- lxc file push ubuntu-jammy-propoed.list 
${TEST_CONTAINER}/etc/apt/sources.list.d/
+ lxc file push ubuntu-jammy-proposed.list 
${TEST_CONTAINER}/etc/apt/sources.list.d/
  lxc exec ${TEST_CONTAINER} -- apt update
  lxc exec ${TEST_CONTAINER} -- apt install -y php/jammy-proposed
  lxc exec ${TEST_CONTAINER} -- apt install -y 
/var/tmp/php8.1-ztest_8.1.2-1ubuntu2.15_amd64.deb
  # we want the test files shipped with the fix
  lxc exec ${TEST_CONTAINER} -- git clone -b zend-test-ext --depth=1 
https://git.launchpad.net/~athos-ribeiro/ubuntu/+source/php8.1 
/usr/local/src/php8.1
  lxc exec --cwd /usr/local/src/php8.1 --env QUILT_PATCHES=debian/patches 
${TEST_CONTAINER} -- quilt push -a
  
  # This should succeed
  lxc exec --cwd /usr/local/src/php8.1 ${TEST_CONTAINER} -- php run-tests.php 
-P ext/zend_test/tests/observer_bug81430_1.phpt 
ext/zend_test/tests/observer_bug81430_2.phpt
  
- 
  ##### END CHECKER #####
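
Review bot: after the `lxc file push ubuntu-jammy-proposed.list` correction, nothing following `apt install -y php/jammy-proposed` verifies that the installed php8.1 binaries are the 8.1.2-1ubuntu2.15 build from jammy-proposed. The description states that php8.1-ztest requires the other php8.1 packages at its exact same version, so the verification record would be clearer if the checker listed the installed versions inside the container (for example `dpkg -l 'php8.1*'`) and compared them with 8.1.2-1ubuntu2.15 before the run-tests.php step, rather than leaving a mismatch to surface as an install error on the .deb.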
  
  [ Where problems could occur ]
  
  Could potentially impact the performance or stability of reflection
  operations, but this is a fairly old patch at this point.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2054621

Title:
  Fix PHP crashes due to accessing dangling pointers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/2054621/+subscriptions

