[pull] master from php:master#836

Merged
pull[bot] merged 26 commits into turkdevops:master from php:master
Apr 4, 2026

@pull pull bot commented Apr 4, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

ndossche and others added 26 commits April 4, 2026 10:25
If this is not propagated, then the function will succeed even though
the serial number is not set.
Leak report:
```
Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f97cf4cb340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f97cef66106 in BN_new bn/bn_lib.c:75
    #2 0x7f97cef6006c in bn_bin2bn_cbs bn/bn_convert.c:151
    #3 0x7f97cef60853 in BN_bin2bn bn/bn_convert.c:206
    #4 0x56229112465b in php_openssl_pkey_init_dh_data /work/php-src/ext/openssl/openssl_backend_v1.c:208
    #5 0x5622911248be in php_openssl_pkey_init_dh /work/php-src/ext/openssl/openssl_backend_v1.c:246
    #6 0x5622910fe1d7 in zif_openssl_pkey_new /work/php-src/ext/openssl/openssl.c:2051
    #7 0x562291eb44e5 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
    #8 0x5622921dc85a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
    #9 0x56229233cfa5 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
    #10 0x562292351ec0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #11 0x5622924b60cc in zend_execute_script /work/php-src/Zend/zend.c:1980
    #12 0x562291ee8ecb in php_execute_script_ex /work/php-src/main/main.c:2645
    #13 0x562291ee92db in php_execute_script /work/php-src/main/main.c:2685
    #14 0x5622924bbc37 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #15 0x5622924be204 in main /work/php-src/sapi/cli/php_cli.c:1362
    #16 0x7f97ceb301c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #17 0x7f97ceb3028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #18 0x562291009db4 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609db4) (BuildId: 5cc444a6a9fc1a486ea698e72366c16bd5472605)

... etc ...
```
* PHP-8.4:
  Fix memory leaks when php_openssl_dh_pub_from_priv() fails
  openssl: Propagate PHP_OPENSSL_ASN1_INTEGER_set() failure
* PHP-8.5:
  Fix memory leaks when php_openssl_dh_pub_from_priv() fails
  openssl: Propagate PHP_OPENSSL_ASN1_INTEGER_set() failure
* PHP-8.4:
  [ci skip] Silence test warning
* PHP-8.5:
  [ci skip] Silence test warning
If this fails, then the big numbers will be allocated outside of the
context, leading to leaks.

Closes GH-21061.
This is observable in LibreSSL. The code is creating 3 big numbers, but
if one of them failed to create, then DSA_set0_pqg() will have never
executed and there are no references left to the created big numbers,
leaking them in the process.

E.g.:
```
Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f4edd402340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f4edce9d106 in BN_new bn/bn_lib.c:75
    #2 0x7f4edce9706c in bn_bin2bn_cbs bn/bn_convert.c:151
    #3 0x7f4edce97853 in BN_bin2bn bn/bn_convert.c:206
    #4 0x5556bd923e1d in php_openssl_pkey_init_dsa_data /work/php-src/ext/openssl/openssl_backend_v1.c:142
    #5 0x5556bd92428f in php_openssl_pkey_init_dsa /work/php-src/ext/openssl/openssl_backend_v1.c:186
    #6 0x5556bd8fe079 in zif_openssl_pkey_new /work/php-src/ext/openssl/openssl.c:2042
    #7 0x5556be6b44e5 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
    #8 0x5556be9dc85a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
    #9 0x5556beb3cfa5 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
    #10 0x5556beb51ec0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #11 0x5556becb60cc in zend_execute_script /work/php-src/Zend/zend.c:1980
    #12 0x5556be6e8ecb in php_execute_script_ex /work/php-src/main/main.c:2645
    #13 0x5556be6e92db in php_execute_script /work/php-src/main/main.c:2685
    #14 0x5556becbbc37 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #15 0x5556becbe204 in main /work/php-src/sapi/cli/php_cli.c:1362
    #16 0x7f4edca671c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #17 0x7f4edca6728a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #18 0x5556bd809db4 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609db4) (BuildId: 5cc444a6a9fc1a486ea698e72366c16bd5472605)
```

Closes GH-21062.
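
The leak pattern described in the commit message above, modelled as an added C example that is not php-src code: `bignum`, `bn_make`, `bn_drop` and `key_set0_pqg` are hypothetical stand-ins for the OpenSSL/LibreSSL types and calls, with a fault injector so that one of the three allocations fails. The cleanup in `init_fixed` is one way to close the leak, not necessarily the change made in the commit.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for BIGNUM and a DSA key; not the OpenSSL types. */
typedef struct { int v; } bignum;
typedef struct { bignum *p, *q, *g; } dsa_key;

static int live, calls, fail_at; /* live objects, call counter, 1-based call to fail (0 = none) */

static bignum *bn_make(int v) {              /* plays the role of BN_bin2bn() */
    if (++calls == fail_at) return NULL;     /* injected allocation failure */
    bignum *n = calloc(1, sizeof *n);
    if (n) { n->v = v; live++; }
    return n;
}
static void bn_drop(bignum *n) { if (n) { free(n); live--; } }  /* NULL-safe, like BN_free() */

/* set0-style setter: the key takes ownership of all three numbers. */
static int key_set0_pqg(dsa_key *k, bignum *p, bignum *q, bignum *g) {
    k->p = p; k->q = q; k->g = g;
    return 1;
}

/* Leaky shape: bail out on any NULL; the numbers that were created are orphaned. */
static int init_leaky(dsa_key *k) {
    bignum *p = bn_make(1), *q = bn_make(2), *g = bn_make(3);
    if (!p || !q || !g) return 0;
    return key_set0_pqg(k, p, q, g);
}

/* Fixed shape: until ownership is transferred, the caller frees everything. */
static int init_fixed(dsa_key *k) {
    bignum *p = bn_make(1), *q = bn_make(2), *g = bn_make(3);
    if (p && q && g && key_set0_pqg(k, p, q, g)) return 1;
    bn_drop(p); bn_drop(q); bn_drop(g);
    return 0;
}

/* Run one init with the nth allocation failing; return how many objects leaked. */
static int leaked_after(int (*init)(dsa_key *), int nth) {
    dsa_key k = {0};
    live = calls = 0; fail_at = nth;
    if (init(&k)) { bn_drop(k.p); bn_drop(k.q); bn_drop(k.g); }
    return live;
}

int main(void) { return leaked_after(init_fixed, 2); }
```
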
This causes UB later on when the certificate is passed to another
function:
```
/work/php-src/Zend/zend_string.h:191:2: runtime error: null pointer passed as argument 2, which is declared to never be null
    #0 0x55cfb9407d94 in zend_string_init /work/php-src/Zend/zend_string.h:191
    #1 0x55cfb941ceb6 in add_assoc_stringl_ex /work/php-src/Zend/zend_API.c:1986
    #2 0x55cfb7f4c16d in add_assoc_stringl /work/php-src/Zend/zend_API.h:579
    #3 0x55cfb7f4cccd in php_openssl_add_assoc_asn1_string /work/php-src/ext/openssl/openssl_backend_common.c:113
    #4 0x55cfb7f2eb98 in zif_openssl_x509_parse /work/php-src/ext/openssl/openssl.c:1074
    #5 0x55cfb9160993 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
    #6 0x55cfb958ee2d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
    #7 0x55cfb97854bd in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
    #8 0x55cfb9795c96 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #9 0x55cfb99666c6 in zend_execute_script /work/php-src/Zend/zend.c:1980
    #10 0x55cfb919583e in php_execute_script_ex /work/php-src/main/main.c:2645
    #11 0x55cfb9195b48 in php_execute_script /work/php-src/main/main.c:2685
    #12 0x55cfb996bf48 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #13 0x55cfb996e6a1 in main /work/php-src/sapi/cli/php_cli.c:1362
    #14 0x7fb0b68301c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #15 0x7fb0b683028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #16 0x55cfb7e097d4 in _start (/work/php-src/build-dbg-ubsan/sapi/cli/php+0x14097d4) (BuildId: b2b405964cc047ab6da19abaf92a8899a99e4a47)
```

Furthermore, it also simply does not propagate the error to userland.

Closes GH-21046.
This can actually fail because internally this function does stack
management in internal data structures.
Can cause a crash later, e.g.:

```
==239255==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5652d8f2fe68 bp 0x7ffc99ee8fc0 sp 0x7ffc99ee8ec0 T0)
==239255==The signal is caused by a READ memory access.
==239255==Hint: address points to the zero page.
    #0 0x5652d8f2fe68 in php_openssl_limit_handshake_reneg /work/php-src/ext/openssl/xp_ssl.c:1080
    #1 0x5652d8f306e2 in php_openssl_info_callback /work/php-src/ext/openssl/xp_ssl.c:1137
    #2 0x7f45057b84e5  (/lib/x86_64-linux-gnu/libssl.so.3+0x694e5) (BuildId: 5f3b12d47114f9fbdc7765266cd0bb8f1b5ee8fc)
    #3 0x5652d8f351d9 in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1850
    #4 0x5652d8f39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516
    #5 0x5652d9d4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
    #6 0x5652d9d557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387
    #7 0x5652d8f387be in php_openssl_tcp_sockop_accept /work/php-src/ext/openssl/xp_ssl.c:2279
    #8 0x5652d8f39fcd in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2551
    #9 0x5652d9d4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
    #10 0x5652d9d54d3a in php_stream_xport_accept /work/php-src/main/streams/transports.c:307
    #11 0x5652d9b50161 in zif_stream_socket_accept /work/php-src/ext/standard/streamsfuncs.c:298
    #12 0x5652d9fdacfb in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /work/php-src/Zend/zend_vm_execute.h:1355
    #13 0x5652da140689 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116469
    #14 0x5652da1558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #15 0x5652da2ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
    #16 0x5652d9cec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
    #17 0x5652d9cecccb in php_execute_script /work/php-src/main/main.c:2685
    #18 0x5652da2bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #19 0x5652da2c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
    #20 0x7f4504ebc1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #21 0x7f4504ebc28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #22 0x5652d8e09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```

Closes GH-21049.
* PHP-8.4:
  Add missing error check on SSL_set_ex_data()
  Fix UB and error propagation when X509_gmtime_adj() fails
  Fix memory leaks when BN_bin2bn() fails
  Add missing error check on BN_CTX_new()
* PHP-8.5:
  Add missing error check on SSL_set_ex_data()
  Fix UB and error propagation when X509_gmtime_adj() fails
  Fix memory leaks when BN_bin2bn() fails
  Add missing error check on BN_CTX_new()
BIO_reset() needs a (void) cast, analogous to the other locations in this file.

  /usr/openssl/3/include/openssl/bio.h:555:34: error: value computed is not used [-Werror=unused-value]
    555 | # define BIO_reset(b)            (int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL)
        |                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  /home/runner/work/php-src/php-src/ext/openssl/openssl.c:1565:33: note: in expansion of macro ‘BIO_reset’
   1565 |                                 BIO_reset(bio_out);
        |                                 ^~~~~~~~~
```
ext/openssl/xp_ssl.c:423:24: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  423 |         if (!(wildcard = strchr(certname, '*')) || memchr(certname, '.', wildcard - certname)) {
      |                        ^
```

Since these typically turn into errors with -Werror, fix the build
already.
* PHP-8.4:
  Fix const-generic warning in xp_ssl.c
* PHP-8.5:
  Fix const-generic warning in xp_ssl.c
…ake() fails to set a version

The leaks appear to be at least somewhat dependent on the OpenSSL version,
but it is reproducible on an Ubuntu 24.04 container.

Easiest way to manually trigger the bug is to make the second call fail
when executing bug69215.phpt.

Closes GH-21032.
* PHP-8.4:
  Fix memory leaks and missing error propagation when php_openssl_csr_make() fails to set a version
* PHP-8.5:
  Fix memory leaks and missing error propagation when php_openssl_csr_make() fails to set a version
Diffs in commit messages are applied by git, what a stupid design.
So this can introduce accidental changes like here where the original
reproducer got applied.
* PHP-8.4:
  openssl: Fix merge
* PHP-8.5:
  openssl: Fix merge
This check was once relevant for ICU versions < 4.2 which lack the
unicode/uspoof.h header file.

See: 6f6d608
- Suppress debug assertions
- Exclude ext/opcache/jit/ir

Closes GH-21629
@pull pull bot locked and limited conversation to collaborators Apr 4, 2026
@pull pull bot added the ⤵️ pull label Apr 4, 2026
@pull pull bot merged commit 2b74894 into turkdevops:master Apr 4, 2026
1 of 3 checks passed