Fix GH-8979: Possible Memory Leak with SSL-enabled MySQL connections

nielsdos · nielsdos · commit 8930bf8c3325 · 2023-03-24T18:03:29.000+01:00
The stream context inside `mysqlnd_vio::enable_ssl()` is leaking. In particular: when `php_stream_context_set()` get called the refcount of `context` is increased by 1, which means that `context` will now have a refcount of 2. Later on we remove the context from the stream by calling `php_stream_context_set(stream, NULL)` but that leaves our `context` with a refcount of 1, and therefore it's never destroyed. In my test case this yielded a leak of 1456 bytes per connection (but could be more depending on your settings ofc). Annoyingly, Valgrind doesn't find it because the context is still in the `EG(regular_list)` and will thus be destroyed at the end of the request. However, I still think this bug needs to be fixed because as the users in the issue report already mentioned: there can be long-running PHP scripts. Fix it by decreasing the refcount to transfer the ownership. Closes GH-10909.
diff --git a/NEWS b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
     (nielsdos)
 
+- MySQLnd:
+  . Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL
+    connections). (nielsdos)
+
 - Opcache:
   . Fixed build for macOS to cater with pkg-config settings. (David Carlier)
   . Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in
diff --git a/ext/mysqlnd/mysqlnd_vio.c b/ext/mysqlnd/mysqlnd_vio.c
@@ -561,6 +561,10 @@ MYSQLND_METHOD(mysqlnd_vio, enable_ssl)(MYSQLND_VIO * const net)
 		}
 	}
 	php_stream_context_set(net_stream, context);
+	/* php_stream_context_set() increases the refcount of context, but we just want to transfer ownership
+	 * hence the need to decrease the refcount so the refcount will be equal to 1. */
+	ZEND_ASSERT(GC_REFCOUNT(context->res) == 2);
+	GC_DELREF(context->res);
 	if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL) < 0 ||
 	    php_stream_xport_crypto_enable(net_stream, 1) < 0)
 	{

Original file line number	Diff line number	Diff line change
`@@ -561,6 +561,10 @@ MYSQLND_METHOD(mysqlnd_vio, enable_ssl)(MYSQLND_VIO * const net)`
`561`	`561`	`}`
`562`	`562`	`}`
`563`	`563`	`php_stream_context_set(net_stream, context);`
	`564`	`+ /* php_stream_context_set() increases the refcount of context, but we just want to transfer ownership`
	`565`	`+ * hence the need to decrease the refcount so the refcount will be equal to 1. */`
	`566`	`+ ZEND_ASSERT(GC_REFCOUNT(context->res) == 2);`
	`567`	`+ GC_DELREF(context->res);`
`564`	`568`	`if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL) < 0 \|\|`
`565`	`569`	`php_stream_xport_crypto_enable(net_stream, 1) < 0)`
`566`	`570`	`{`