From f4b2497ad8c366d276689dd1c7e3a84c33c11d9b Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 7 Sep 2020 12:30:43 +0200 Subject: [PATCH] Allocate temporary PCRE match data using ZMM Create a separate general context that uses ZMM as allocator and use it to allocate temporary PCRE match data (there is still one global match data). There is no requirement that the match data and the compiled regex / match context use the same general context. This makes sure that we do not leak persistent memory on bailout and fixes oss-fuzz #25296, on which half the libfuzzer runs currently get stuck. --- ext/pcre/php_pcre.c | 40 ++++++++++++++----- ext/pcre/php_pcre.h | 2 + ...reg_replace_callback_fatal_error_leak.phpt | 18 +++++++++ 3 files changed, 49 insertions(+), 11 deletions(-) create mode 100644 ext/pcre/tests/preg_replace_callback_fatal_error_leak.phpt diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 801d19fc4f..99ab36e84f 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -59,6 +59,7 @@ PHPAPI ZEND_DECLARE_MODULE_GLOBALS(pcre) #define PCRE_JIT_STACK_MAX_SIZE (192 * 1024) ZEND_TLS pcre2_jit_stack *jit_stack = NULL; #endif +/* General context using (infallible) system allocator. */ ZEND_TLS pcre2_general_context *gctx = NULL; /* These two are global per thread for now. Though it is possible to use these per pattern. Either one can copy it and use in pce, or one does no global @@ -173,15 +174,24 @@ static void php_efree_pcre_cache(zval *data) /* {{{ */ /* }}} */ static void *php_pcre_malloc(PCRE2_SIZE size, void *data) -{/*{{{*/ - void *p = pemalloc(size, 1); - return p; -}/*}}}*/ +{ + return pemalloc(size, 1); +} static void php_pcre_free(void *block, void *data) -{/*{{{*/ +{ pefree(block, 1); -}/*}}}*/ +} + +static void *php_pcre_emalloc(PCRE2_SIZE size, void *data) +{ + return emalloc(size); +} + +static void php_pcre_efree(void *block, void *data) +{ + efree(block); +} #define PHP_PCRE_PREALLOC_MDATA_SIZE 32 @@ -476,6 +486,11 @@ static PHP_RINIT_FUNCTION(pcre) mdata_used = 0; #endif + PCRE_G(gctx_zmm) = pcre2_general_context_create(php_pcre_emalloc, php_pcre_efree, NULL); + if (!PCRE_G(gctx_zmm)) { + return FAILURE; + } + if (PCRE_G(per_request_cache)) { zend_hash_init(&PCRE_G(pcre_cache), 0, NULL, php_efree_pcre_cache, 0); } @@ -486,6 +501,9 @@ static PHP_RINIT_FUNCTION(pcre) static PHP_RSHUTDOWN_FUNCTION(pcre) { + pcre2_general_context_free(PCRE_G(gctx_zmm)); + PCRE_G(gctx_zmm) = NULL; + if (PCRE_G(per_request_cache)) { zend_hash_destroy(&PCRE_G(pcre_cache)); } @@ -1246,7 +1264,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, zend_string *subject_str, if (!mdata_used && num_subpats <= PHP_PCRE_PREALLOC_MDATA_SIZE) { match_data = mdata; } else { - match_data = pcre2_match_data_create_from_pattern(pce->re, gctx); + match_data = pcre2_match_data_create_from_pattern(pce->re, PCRE_G(gctx_zmm)); if (!match_data) { PCRE_G(error_code) = PHP_PCRE_INTERNAL_ERROR; if (subpat_names) { @@ -1617,7 +1635,7 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su if (!mdata_used && num_subpats <= PHP_PCRE_PREALLOC_MDATA_SIZE) { match_data = mdata; } else { - match_data = pcre2_match_data_create_from_pattern(pce->re, gctx); + match_data = pcre2_match_data_create_from_pattern(pce->re, PCRE_G(gctx_zmm)); if (!match_data) { PCRE_G(error_code) = PHP_PCRE_INTERNAL_ERROR; return NULL; @@ -1871,7 +1889,7 @@ static zend_string *php_pcre_replace_func_impl(pcre_cache_entry *pce, zend_strin mdata_used = 1; match_data = mdata; } else { - match_data = pcre2_match_data_create_from_pattern(pce->re, gctx); + match_data = pcre2_match_data_create_from_pattern(pce->re, PCRE_G(gctx_zmm)); if (!match_data) { PCRE_G(error_code) = PHP_PCRE_INTERNAL_ERROR; if (subpat_names) { @@ -2519,7 +2537,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, zend_string *subject_str, if (!mdata_used && num_subpats <= PHP_PCRE_PREALLOC_MDATA_SIZE) { match_data = mdata; } else { - match_data = pcre2_match_data_create_from_pattern(pce->re, gctx); + match_data = pcre2_match_data_create_from_pattern(pce->re, PCRE_G(gctx_zmm)); if (!match_data) { PCRE_G(error_code) = PHP_PCRE_INTERNAL_ERROR; zval_ptr_dtor(return_value); @@ -2853,7 +2871,7 @@ PHPAPI void php_pcre_grep_impl(pcre_cache_entry *pce, zval *input, zval *return if (!mdata_used && num_subpats <= PHP_PCRE_PREALLOC_MDATA_SIZE) { match_data = mdata; } else { - match_data = pcre2_match_data_create_from_pattern(pce->re, gctx); + match_data = pcre2_match_data_create_from_pattern(pce->re, PCRE_G(gctx_zmm)); if (!match_data) { PCRE_G(error_code) = PHP_PCRE_INTERNAL_ERROR; return; diff --git a/ext/pcre/php_pcre.h b/ext/pcre/php_pcre.h index 808b671bb8..e9f5e34ab9 100644 --- a/ext/pcre/php_pcre.h +++ b/ext/pcre/php_pcre.h @@ -84,6 +84,8 @@ ZEND_BEGIN_MODULE_GLOBALS(pcre) /* Used for unmatched subpatterns in OFFSET_CAPTURE mode */ zval unmatched_null_pair; zval unmatched_empty_pair; + /* General context using per-request allocator (ZMM). */ + pcre2_general_context *gctx_zmm; ZEND_END_MODULE_GLOBALS(pcre) PHPAPI ZEND_EXTERN_MODULE_GLOBALS(pcre) diff --git a/ext/pcre/tests/preg_replace_callback_fatal_error_leak.phpt b/ext/pcre/tests/preg_replace_callback_fatal_error_leak.phpt new file mode 100644 index 0000000000..5ea3d4081e --- /dev/null +++ b/ext/pcre/tests/preg_replace_callback_fatal_error_leak.phpt @@ -0,0 +1,18 @@ +--TEST-- +preg_replace_callback() should not leak persistent memory on fatal error +--FILE-- + +--EXPECTF-- +Fatal error: Cannot redeclare test() (previously declared in %s on line %d -- 2.40.0