Handle resource table reallocation during shutdown

nikic · nikic · commit 2ff496e871aa · 2021-08-20T15:37:46.000+02:00
New resources may be created while closing resources during shutdown. This may result in a reallocation of arData and use after free. This problem was exposed by 7f7a90b, which creates one resources less, and thus moved the reallocation to shutdown for a number of existing tests. However, the general problem already existed previously. We don't try to also close the newly added resources -- we will later perform a graceful reverse destroy of the table, which will catch any remaining cases.
diff --git a/Zend/zend_list.c b/Zend/zend_list.c
@@ -213,13 +213,17 @@ void zend_init_rsrc_plist(void)
 
 void zend_close_rsrc_list(HashTable *ht)
 {
-	zend_resource *res;
-
-	ZEND_HASH_REVERSE_FOREACH_PTR(ht, res) {
-		if (res->type >= 0) {
-			zend_resource_dtor(res);
+	/* Reload ht->arData on each iteration, as it may be reallocated. */
+	uint32_t i = ht->nNumUsed;
+	while (i-- > 0) {
+		Bucket *p = &ht->arData[i];
+		if (Z_TYPE(p->val) != IS_UNDEF) {
+			zend_resource *res = Z_PTR(p->val);
+			if (res->type >= 0) {
+				zend_resource_dtor(res);
+			}
 		}
-	} ZEND_HASH_FOREACH_END();
+	}
 }
 
 
