Destroy temporary module classes in reverse order

arnaud-lb · arnaud-lb · commit 1c182674b09b · 2025-03-14T10:45:17.000+01:00
We destroy classes of dl()'ed modules in clean_module_classes(), during shutdown. Child classes of a module use structures of the parent class (such as inherited properties), which are destroyed earlier, so we have a use-after-free when destroying a child class. Here I destroy classes in reverse order, as it is done in zend_shutdown() for persistent classes. Fixes GH-17961 Fixes GH-15367
diff --git a/NEWS b/NEWS
@@ -2,6 +2,12 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.20
 
+- Core:
+  . Fixed bug GH-17961 (use-after-free during dl()'ed module class destruction).
+    (Arnaud)
+  . Fixed bug GH-15367 (dl() of module with aliased class crashes in shutdown).
+    (Arnaud)
+
 - DOM:
   . Fix weird unpack behaviour in DOM. (nielsdos)
 
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -22,6 +22,7 @@
 #include "zend.h"
 #include "zend_execute.h"
 #include "zend_API.h"
+#include "zend_hash.h"
 #include "zend_modules.h"
 #include "zend_extensions.h"
 #include "zend_constants.h"
@@ -3111,21 +3112,17 @@ ZEND_API zend_result zend_get_module_started(const char *module_name) /* {{{ */
 }
 /* }}} */
 
-static int clean_module_class(zval *el, void *arg) /* {{{ */
-{
-	zend_class_entry *ce = (zend_class_entry *)Z_PTR_P(el);
-	int module_number = *(int *)arg;
-	if (ce->type == ZEND_INTERNAL_CLASS && ce->info.internal.module->module_number == module_number) {
-		return ZEND_HASH_APPLY_REMOVE;
-	} else {
-		return ZEND_HASH_APPLY_KEEP;
-	}
-}
-/* }}} */
-
 static void clean_module_classes(int module_number) /* {{{ */
 {
-	zend_hash_apply_with_argument(EG(class_table), clean_module_class, (void *) &module_number);
+	/* Child classes may reuse structures from parent classes, so destroy in reverse order. */
+	Bucket *bucket;
+	ZEND_HASH_REVERSE_FOREACH_BUCKET(EG(class_table), bucket) {
+		zend_class_entry *ce = Z_CE(bucket->val);
+		if (ce->type == ZEND_INTERNAL_CLASS && ce->info.internal.module->module_number == module_number) {
+			zend_hash_del_bucket(EG(class_table), bucket);
+		}
+	} ZEND_HASH_FOREACH_END();
+
 }
 /* }}} */
 
diff --git a/ext/dl_test/dl_test.c b/ext/dl_test/dl_test.c
@@ -92,10 +92,22 @@ PHP_METHOD(DlTest, test)
 	RETURN_STR(retval);
 }
 
+PHP_METHOD(DlTestSuperClass, test)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	RETURN_NULL();
+}
+
 /* {{{ PHP_MINIT_FUNCTION */
 PHP_MINIT_FUNCTION(dl_test)
 {
+	zend_class_entry *ce;
+
 	register_class_DlTest();
+	ce = register_class_DlTestSuperClass();
+	register_class_DlTestSubClass(ce);
+	register_class_DlTestAliasedClass();
 
 	/* Test backwards compatibility */
 	if (getenv("PHP_DL_TEST_USE_OLD_REGISTER_INI_ENTRIES")) {
diff --git a/ext/dl_test/dl_test.stub.php b/ext/dl_test/dl_test.stub.php
@@ -12,3 +12,15 @@ function dl_test_test2(string $str = ""): string {}
 class DlTest {
     public function test(string $str = ""): string {}
 }
+
+class DlTestSuperClass {
+    public int $a;
+    public function test(string $str = ""): string {}
+}
+
+class DlTestSubClass extends DlTestSuperClass {
+}
+
+/** @alias DlTestClassAlias */
+class DlTestAliasedClass {
+}
diff --git a/ext/dl_test/dl_test_arginfo.h b/ext/dl_test/dl_test_arginfo.h
