fix: avoid longjmp crash on ARM64/macOS when connection is aborted#2304
Closed
johanjanssens wants to merge 1 commit intophp:mainfrom
Closed
fix: avoid longjmp crash on ARM64/macOS when connection is aborted#2304johanjanssens wants to merge 1 commit intophp:mainfrom
johanjanssens wants to merge 1 commit intophp:mainfrom
Conversation
php_handle_aborted_connection() calls zend_bailout() which does a longjmp(). On ARM64/macOS with Pointer Authentication (PAC), the jmp_buf signature check fails because the buffer was signed in a different stack frame, causing a SIGBUS crash. Inline the effect of php_handle_aborted_connection() without calling zend_bailout(): set PG(connection_status) = PHP_CONNECTION_ABORTED and php_output_set_status(PHP_OUTPUT_DISABLED). PHP detects the abort at safe points (between opcodes via zend_interrupt checks) instead of longjmping out of the SAPI write handler. This matches the approach used by Nginx Unit's PHP SAPI: https://github.com/nginx/unit/blob/master/src/nxt_php_sapi.c#L271 Affects both frankenphp_ub_write and frankenphp_sapi_flush.
Contributor
|
How nasty, I don't have a mac to verify this, but the solution is plausible. I can't think of a better one to fix the cross-context jump. |
Member
|
Shouldn't this be patched directly in PHP? |
Author
|
I don't think so. The That said, I can no longer reproduce the crash with the latest FrankenPHP, I had the issue on 11.3, when switching to Go 1.26.0. Didn't test anymore without the fix. Done so now to confirm, and can no longer break it. Closing it, will re-open if this pops up again. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
php_handle_aborted_connection()callszend_bailout()which does alongjmp(). On ARM64/macOS with Pointer Authentication (PAC), the jmp_buf signature check fails because the buffer was signed in a different stack frame, causing a SIGBUS crash.Inline the effect of php_handle_aborted_connection() without calling zend_bailout():
PHP detects the abort at safe points (between opcodes via zend_interrupt checks) instead of longjmping out of the SAPI write handler.
This matches the approach used by Nginx Unit's PHP SAPI: https://github.com/nginx/unit/blob/master/src/nxt_php_sapi.c#L271
Affects both frankenphp_ub_write and frankenphp_sapi_flush.