Newsgroups: php.internals
Date: Fri, 04 Nov 2016 06:00:03 -0500
From: php-dev@coydogsoftware.net
To: internals@lists.php.net
Cc: dmitry@zend.com
Subject: [PATCH] opcache bug #69090, prepend user identifier to keys

Hello,

I'm CCing Dmitry Stogov as maintainer because he's listed as an author in ext/opcache/ZendAccelerator.c and has recent commits.

I've attached a patch for bug #69090. You can find a more detailed writeup at https://bugs.php.net/bug.php?id=69090 . In short, the patch adds EUID or Windows username at the beginning of OPCache keys to prevent cross-user cache access, which will hopefully alleviate security concerns of enabling OPCache on shared hosting servers.

I took this in a different direction than that proposed in bug #69090 (prepending inode to key) because I feel it more effectively addresses the cross-user security concerns.

I don't have a test script yet because the change is transparent to scripts, but I could probably cobble one together by checking OPCache debug log for key names.

I do intend to port this forward to PHP7 head, but in my opinion the existing behavior in 5.6 is a serious vulnerability which warrants a maintenance patch. If needed I can provide working exploit scripts to demonstrate how bad the existing behavior is for shared servers using OPCache. I was hoping to get some feedback before I put in the effort to port this to PHP7.

Thanks,

--
- php-dev@coydogsoftware.net

[Attachment: patch.txt (text/x-diff, 5103 bytes)]
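The key-prefixing idea described in the message above, as an added toy model in C (it is not the attached patch and not PHP's own code). The cache, the function names, the sample UIDs and path, and the ':' delimiter are assumptions made for illustration.

```c
/* Toy model added for illustration (not PHP source): path-only vs per-user cache keys. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define KEY_MAX 256
#define SLOTS   8
static struct { char key[KEY_MAX]; const char *payload; } cache[SLOTS];
static int used;

/* Build "<euid>:<path>" (the ':' delimiter is an assumption) or the bare path.
 * Returns the key length, or -1 if the key does not fit in cap bytes. */
int make_key(char *out, size_t cap, uid_t euid, const char *path, int per_user)
{
    int n = per_user ? snprintf(out, cap, "%lu:%s", (unsigned long)euid, path)
                     : snprintf(out, cap, "%s", path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int cache_put(uid_t euid, const char *path, const char *payload, int per_user)
{
    if (used == SLOTS || make_key(cache[used].key, KEY_MAX, euid, path, per_user) < 0)
        return -1;                  /* cache full or key too long: do not store */
    cache[used++].payload = payload;
    return 0;
}

const char *cache_get(uid_t euid, const char *path, int per_user)
{
    char key[KEY_MAX];
    if (make_key(key, sizeof key, euid, path, per_user) < 0) return NULL;
    for (int i = 0; i < used; i++)
        if (strcmp(cache[i].key, key) == 0)
            return cache[i].payload;
    return NULL;
}

/* Returns 1 if `reader` gets a hit on an entry that `owner` cached for `path`. */
int cross_user_hit(uid_t owner, uid_t reader, const char *path, int per_user)
{
    used = 0;                       /* start from an empty cache */
    cache_put(owner, path, "owner's compiled script", per_user);
    return cache_get(reader, path, per_user) != NULL;
}

int main(void)
{
    const char *p = "/home/alice/config.php";   /* constructed sample path */
    printf("cross-user hit: path-only=%d euid-prefixed=%d\n",
           cross_user_hit(1001, 1002, p, 0), cross_user_hit(1001, 1002, p, 1));
    return 0;
}
```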