Fix bug #81513 (Future possibility for heap overflow in FPM zlog)

bukka · bukka · commit b2cf9b7ec796 · 2021-11-14T20:08:57.000Z
This fixes currently unused code path in zlog that could lead to
the heap overflow in the future.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.27
 
+- FPM:
+  . Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
+    (Jakub Zelenka)
+
 - GD:
   . Fixed bug #71316 (libpng warning from imagecreatefromstring). (cmb)
 
diff --git a/sapi/fpm/fpm/zlog.c b/sapi/fpm/fpm/zlog.c
@@ -414,7 +414,8 @@ static inline ssize_t zlog_stream_unbuffered_write(
 static inline ssize_t zlog_stream_buf_copy_cstr(
 		struct zlog_stream *stream, const char *str, size_t str_len) /* {{{ */
 {
-	if (stream->buf.size - stream->len <= str_len && !zlog_stream_buf_alloc_ex(stream, str_len)) {
+	if (stream->buf.size - stream->len <= str_len &&
+			!zlog_stream_buf_alloc_ex(stream, str_len + stream->len)) {
 		return -1;
 	}
 
diff --git a/sapi/fpm/tests/log-bwp-realloc-buffer.phpt b/sapi/fpm/tests/log-bwp-realloc-buffer.phpt
@@ -0,0 +1,52 @@
+--TEST--
+FPM: bug81513 - Buffered worker output plain log stream reallocation
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+catch_workers_output = yes
+decorate_workers_output = no
+EOT;
+
+$code = <<<EOT
+<?php
+file_put_contents('php://stderr', str_repeat('a', 100));
+usleep(20000);
+file_put_contents('php://stderr', str_repeat('b', 2500) . "\n");
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->request()->expectEmptyBody();
+$tester->terminate();
+var_dump($tester->getLastLogLine() === str_repeat('a', 100) . str_repeat('b', 923) . "\n");
+var_dump($tester->getLastLogLine() === str_repeat('b', 1023) . "\n");
+var_dump($tester->getLastLogLine() === str_repeat('b', 554) . "\n");
+$tester->close();
+
+?>
+Done
+--EXPECT--
+bool(true)
+bool(true)
+bool(true)
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>

Original file line number	Diff line number	Diff line change
`@@ -414,7 +414,8 @@ static inline ssize_t zlog_stream_unbuffered_write(`
`414`	`414`	`static inline ssize_t zlog_stream_buf_copy_cstr(`
`415`	`415`	`struct zlog_stream stream, const char str, size_t str_len) /* {{{ */`
`416`	`416`	`{`
`417`		`- if (stream->buf.size - stream->len <= str_len && !zlog_stream_buf_alloc_ex(stream, str_len)) {`
	`417`	`+ if (stream->buf.size - stream->len <= str_len &&`
	`418`	`+ !zlog_stream_buf_alloc_ex(stream, str_len + stream->len)) {`
`418`	`419`	`return -1;`
`419`	`420`	`}`
`420`	`421`