Fixes

danog · danog · commit 8cc29afe7827 · 2025-06-16T13:20:01.000+02:00
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -182,12 +182,16 @@ static size_t _real_page_size = ZEND_MM_PAGE_SIZE;
 	if (UNEXPECTED(((size_t) (_ptr)) & ((size_t)7))) { \
 		zend_mm_panic("Wrong alignment"); \
 	} \
+	fprintf(stderr, "Poisoning %p - %p in %d\n", (_ptr), ((size_t)_ptr)+((size_t)_size), __LINE__); \
+	fflush(stderr); \
 	ASAN_POISON_MEMORY_REGION((_ptr), (_size));\
 } while (0);
 #define ZEND_MM_UNPOISON(_ptr, _size) do { \
 	if (UNEXPECTED(((size_t) (_ptr)) & ((size_t)7))) { \
 		zend_mm_panic("Wrong alignment"); \
 	} \
+	fprintf(stderr, "Unpoisoning %p - %p in %d\n", (_ptr), ((size_t)_ptr)+((size_t)_size), __LINE__); \
+	fflush(stderr); \
 	ASAN_UNPOISON_MEMORY_REGION((_ptr), (_size));\
 } while (0);
 
@@ -928,6 +932,7 @@ static zend_always_inline void zend_mm_chunk_init(zend_mm_heap *heap, zend_mm_ch
 	chunk->heap = heap;
 	chunk->next = heap->main_chunk;
 	ZEND_MM_UNPOISON_CHUNK_HDR(heap->main_chunk);
+	ZEND_MM_UNPOISON_CHUNK_HDR(heap->main_chunk->prev);
 	chunk->prev = heap->main_chunk->prev;
 	chunk->prev->next = chunk;
 	chunk->next->prev = chunk;
@@ -939,6 +944,7 @@ static zend_always_inline void zend_mm_chunk_init(zend_mm_heap *heap, zend_mm_ch
 	/* mark first pages as allocated */
 	chunk->free_map[0] = (1L << ZEND_MM_FIRST_PAGE) - 1;
 	chunk->map[0] = ZEND_MM_LRUN(ZEND_MM_FIRST_PAGE);
+	ZEND_MM_POISON_CHUNK_HDR(heap->main_chunk->prev, heap);
 	ZEND_MM_POISON_CHUNK_HDR(heap->main_chunk, heap);
 }
 
@@ -1169,17 +1175,19 @@ static void *zend_mm_alloc_pages(zend_mm_heap *heap, uint32_t pages_count ZEND_F
 		/* move chunk into the head of the linked-list */
 		chunk->prev->next = chunk->next;
 		chunk->next->prev = chunk->prev;
-		ZEND_MM_POISON_CHUNK_HDR(chunk->next, heap);
-		ZEND_MM_POISON_CHUNK_HDR(chunk->prev, heap);
 
 		ZEND_MM_UNPOISON_CHUNK_HDR(heap->main_chunk);
 		ZEND_MM_UNPOISON_CHUNK_HDR(heap->main_chunk->next);
 		chunk->next = heap->main_chunk->next;
 		chunk->prev = heap->main_chunk;
 		chunk->prev->next = chunk;
 		chunk->next->prev = chunk;
-		ZEND_MM_POISON_CHUNK_HDR(heap->main_chunk, heap);
 		ZEND_MM_POISON_CHUNK_HDR(heap->main_chunk->next, heap);
+		ZEND_MM_POISON_CHUNK_HDR(heap->main_chunk, heap);
+
+		ZEND_MM_UNPOISON_CHUNK_HDR(chunk);
+		ZEND_MM_POISON_CHUNK_HDR(chunk->next, heap);
+		ZEND_MM_POISON_CHUNK_HDR(chunk->prev, heap);
 	}
 	/* mark run as allocated */
 	chunk->free_pages -= pages_count;
@@ -1603,6 +1611,8 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
 		dbg->lineno = __zend_lineno;
 		dbg->orig_lineno = __zend_orig_lineno;
 #endif
+		ZEND_MM_UNPOISON(ptr, size);
+		return ptr;
 	} else if (EXPECTED(size <= ZEND_MM_MAX_LARGE_SIZE)) {
 		ptr = zend_mm_alloc_large(heap, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 #if ZEND_DEBUG
@@ -1613,14 +1623,16 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
 		dbg->lineno = __zend_lineno;
 		dbg->orig_lineno = __zend_orig_lineno;
 #endif
+		ZEND_MM_UNPOISON(ptr, size);
+		return ptr;
 	} else {
 #if ZEND_DEBUG
 		size = real_size;
 #endif
 		ptr = zend_mm_alloc_huge(heap, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+		ZEND_MM_UNPOISON(ptr, size);
+		return ptr;
 	}
-	ZEND_MM_UNPOISON(ptr, size);
-	return ptr;
 }
 
 static zend_always_inline void zend_mm_free_heap(zend_mm_heap *heap, void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
@@ -1807,6 +1819,7 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 		} else {
 			ret = zend_mm_realloc_huge(heap, ptr, size, copy_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 		}
+		ZEND_MM_UNPOISON(ret, size);
 		return ret;
 	} else {
 		zend_mm_chunk *chunk = (zend_mm_chunk*)ZEND_MM_ALIGNED_BASE(ptr, ZEND_MM_CHUNK_SIZE);
@@ -1911,7 +1924,6 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 					chunk->free_pages += rest_pages_count;
 					zend_mm_bitset_reset_range(chunk->free_map, page_num + new_pages_count, rest_pages_count);
 					ZEND_MM_POISON(ZEND_MM_PAGE_ADDR(chunk, page_num + new_pages_count), rest_pages_count * ZEND_MM_PAGE_SIZE);
-
 #if ZEND_DEBUG
 					dbg = zend_mm_get_debug_info(heap, ptr);
 					dbg->size = real_size;
@@ -1921,6 +1933,8 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 					dbg->orig_lineno = __zend_orig_lineno;
 #endif
 					ZEND_MM_POISON_CHUNK_HDR(chunk, heap);
+					ZEND_MM_POISON(ptr, old_size);
+					ZEND_MM_UNPOISON(ptr, size);
 					return ptr;
 				} else /* if (new_size > old_size) */ {
 					int new_pages_count = (int)(new_size / ZEND_MM_PAGE_SIZE);
@@ -1940,7 +1954,6 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 						chunk->free_pages -= new_pages_count - old_pages_count;
 						zend_mm_bitset_set_range(chunk->free_map, page_num + old_pages_count, new_pages_count - old_pages_count);
 						chunk->map[page_num] = ZEND_MM_LRUN(new_pages_count);
-						ZEND_MM_UNPOISON(ZEND_MM_PAGE_ADDR(chunk, page_num + old_pages_count), (new_pages_count - old_pages_count) * ZEND_MM_PAGE_SIZE);
 #if ZEND_DEBUG
 						dbg = zend_mm_get_debug_info(heap, ptr);
 						dbg->size = real_size;
@@ -1950,6 +1963,7 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 						dbg->orig_lineno = __zend_orig_lineno;
 #endif
 						ZEND_MM_POISON_CHUNK_HDR(chunk, heap);
+						ZEND_MM_UNPOISON(ptr, size);
 						return ptr;
 					}
 				}
@@ -1963,6 +1977,7 @@ static zend_always_inline void *zend_mm_realloc_heap(zend_mm_heap *heap, void *p
 
 	copy_size = MIN(old_size, copy_size);
 	ret = zend_mm_realloc_slow(heap, ptr, size, copy_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+	ZEND_MM_UNPOISON(ret, size);
 	return ret;
 }
 
