Fix uaf of MBSTRG(all_encodings_list)

iluuu1994 · iluuu1994 · commit 793f22f4296e · 2023-07-31T12:19:49.000+02:00
We need to remove the value from the GC buffer before freeing it. Otherwise
shutdown will uaf when running the gc. Do that by switching from
zend_hash_destroy to zend_array_destroy, which should also be faster for freeing
members due to inlining of i_zval_ptr_dtor.
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -1159,8 +1159,7 @@ PHP_RSHUTDOWN_FUNCTION(mbstring)
 
 	if (MBSTRG(all_encodings_list)) {
 		GC_DELREF(MBSTRG(all_encodings_list));
-		zend_hash_destroy(MBSTRG(all_encodings_list));
-		efree(MBSTRG(all_encodings_list));
+		zend_array_destroy(MBSTRG(all_encodings_list));
 		MBSTRG(all_encodings_list) = NULL;
 	}
 
diff --git a/ext/mbstring/tests/mb_list_encodings_gc_uaf.phpt b/ext/mbstring/tests/mb_list_encodings_gc_uaf.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Use-after-free of MBSTRG(all_encodings_list) on shutdown
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+mb_list_encodings();
+?>
+--EXPECT--

Original file line number	Diff line number	Diff line change
`@@ -1159,8 +1159,7 @@ PHP_RSHUTDOWN_FUNCTION(mbstring)`
`1159`	`1159`
`1160`	`1160`	`if (MBSTRG(all_encodings_list)) {`
`1161`	`1161`	`GC_DELREF(MBSTRG(all_encodings_list));`
`1162`		`- zend_hash_destroy(MBSTRG(all_encodings_list));`
`1163`		`- efree(MBSTRG(all_encodings_list));`
	`1162`	`+ zend_array_destroy(MBSTRG(all_encodings_list));`
`1164`	`1163`	`MBSTRG(all_encodings_list) = NULL;`
`1165`	`1164`	`}`
`1166`	`1165`