Fix GH-19548: Add defensive copy-on-write for hooks inheritance when CE is part of opcache shared memory

Author: alexandre-daubois

Zend/tests/property_hooks/gh19548.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GH-19548: SEGV do_inherit_property zend_inheritance.c with opcache.protect_memory=1
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable_cli=1
+opcache.protect_memory=1
+--FILE--
+<?php
+
+interface I {
+    public mixed $i { get; }
+}
+class P {
+    public mixed $i;
+}
+
+class C extends P implements I {}
+
+echo "Test passed - no segmentation fault\n";
+
+?>
+--EXPECT--
+Test passed - no segmentation fault

Zend/tests/property_hooks/gh19548_002.phpt

@@ -0,0 +1,34 @@
+--TEST--
+GH-19548: SEGV do_inherit_property zend_inheritance.c with opcache.protect_memory=1 (multiple properties)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable_cli=1
+opcache.protect_memory=1
+--FILE--
+<?php
+
+interface I1 {
+    public mixed $a { get; }
+    public mixed $b { get; }
+}
+class P1 {
+    public mixed $a;
+    public mixed $b;
+}
+class C1 extends P1 implements I1 {}
+
+interface I2 {
+    public mixed $prop { get; }
+}
+class P2 {
+    public mixed $prop;
+}
+class Q2 extends P2 {}
+class C2 extends Q2 implements I2 {}
+
+echo "Multiple property test passed - no segmentation fault\n";
+
+?>
+--EXPECT--
+Multiple property test passed - no segmentation fault

Zend/zend_inheritance.c

@@ -1382,6 +1382,16 @@ static void inherit_property_hook(
 	if (child
 	 && (child->common.fn_flags & ZEND_ACC_OVERRIDE)
 	 && property_has_operation(parent_info, kind)) {
+		/* Duplicate child function if it comes from opcache-protected memory */
+		if (child->common.scope != ce) {
+			child = zend_duplicate_function(child, ce);
+			if (!child_info->hooks) {
+				ce->num_hooked_props++;
+				child_info->hooks = zend_arena_alloc(&CG(arena), ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+				memset(child_info->hooks, 0, ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+			}
+			child_info->hooks[kind] = child;
+		}
 		child->common.fn_flags &= ~ZEND_ACC_OVERRIDE;
 	}
 
@@ -1406,6 +1416,17 @@ static void inherit_property_hook(
 		return;
 	}
 
+	/* Duplicate child function if it comes from opcache-protected memory */
+	if (child->common.scope != ce) {
+		child = zend_duplicate_function(child, ce);
+		if (!child_info->hooks) {
+			ce->num_hooked_props++;
+			child_info->hooks = zend_arena_alloc(&CG(arena), ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+			memset(child_info->hooks, 0, ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+		}
+		child_info->hooks[kind] = child;
+	}
+
 	child->common.prototype = parent->common.prototype ? parent->common.prototype : parent;
 
 	uint32_t parent_flags = parent->common.fn_flags;
@@ -1543,6 +1564,25 @@ static void do_inherit_property(zend_property_info *parent_info, zend_string *ke
 				child_info->flags &= ~ZEND_ACC_VIRTUAL;
 			}
 
+			/* Create a copy if this property comes from opcache-protected memory */
+			if (child_info->ce != ce) {
+				zend_property_info *new_prop_info = zend_arena_alloc(&CG(arena), sizeof(zend_property_info));
+				memcpy(new_prop_info, child_info, sizeof(zend_property_info));
+				new_prop_info->ce = ce;
+				/* Deep copy the type information */
+				zend_type_copy_ctor(&new_prop_info->type, /* use_arena */ true, /* persistent */ false);
+				if (new_prop_info->hooks) {
+					new_prop_info->hooks = zend_arena_alloc(&CG(arena), ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+					memcpy(new_prop_info->hooks, child_info->hooks, ZEND_PROPERTY_HOOK_STRUCT_SIZE);
+				}
+				/* Re-fetch and update the child entry in the hash table */
+				child = zend_hash_find_known_hash(&ce->properties_info, key);
+				if (EXPECTED(child)) {
+					Z_PTR_P(child) = new_prop_info;
+					child_info = new_prop_info;
+				}
+			}
+
 			if (parent_info->hooks || child_info->hooks) {
 				for (uint32_t i = 0; i < ZEND_PROPERTY_HOOK_COUNT; i++) {
 					inherit_property_hook(ce, parent_info, child_info, i);