Skip to content

Fix GH-19706: dba stream resource mismanagement #19710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Fix GH-19706: dba stream resource mismanagement #19710

wants to merge 2 commits into from

Conversation

nielsdos
Copy link
Member

@nielsdos nielsdos commented Sep 4, 2025

This regressed in 8.4 when dba started mixing objects and resources (streams).
The streams are first destroyed at a first step in shutdown, and in slow shutdown then the symbol table is destroyed which destroys the dba objects. The dba objects still use the streams but they have been destroyed already, causing a UAF. Using dtor_obj instead of free_obj would work around this but would cause issues like memory leaks because dtor_obj may be skipped while free_obj may not be. Instead, use the same solution as mysqlnd uses in that we fully manage the stream lifecycle ourselves. This also avoids users from meddling with the stream through get_resources().
This would be fixed 'automatically' in the future when we are using objects for everything.

@nielsdos
Fix phpGH-19706: dba stream resource mismanagement
4e74e5e 
This regressed in 8.4 when dba started mixing objects and resources
(streams).
The streams are first destroyed at a first step in shutdown, and in slow
shutdown then the symbol table is destroyed which destroys the dba
objects. The dba objects still use the streams but they have been
destroyed already, causing a UAF. Using dtor_obj instead of free_obj
would work around this but would cause issues like memory leaks because
dtor_obj may be skipped while free_obj may not be.
Instead, use the same solution as mysqlnd uses in that we fully manage
the stream lifecycle ourselves. This also avoids users from meddling
with the stream through get_resources().
This would be fixed 'automatically' in the future when we are using
objects for everything.
@nielsdos nielsdos requested a review from Girgias as a code owner September 4, 2025 18:48
@nielsdos nielsdos marked this pull request as draft September 4, 2025 20:06
@nielsdos
Copy link
Member Author

nielsdos commented Sep 4, 2025

Marking as draft as something is still wrong apparently

Girgias
Girgias approved these changes Sep 4, 2025
View reviewed changes
Copy link
Member

@Girgias Girgias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI looks like it will be green, and I trust your stream knowledge to be better than mine here :)

@nielsdos nielsdos marked this pull request as ready for review September 5, 2025 16:58
@nielsdos nielsdos closed this in f744c82 Sep 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Girgias Girgias Girgias approved these changes

Assignees

No one assigned

Labels

Extension: dba

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nielsdos @Girgias