[wp-trac] [WordPress Trac] #44532: Extreme memory leak related to wp_is_stream in wp-includes/functions.php in WordPress 4.9.7
WordPress Trac
noreply at wordpress.org
Sun Jul 22 11:43:15 UTC 2018
#44532: Extreme memory leak related to wp_is_stream in wp-includes/functions.php in
WordPress 4.9.7
------------------------------------------+---------------------
Reporter: timbowesohft | Owner: pento
Type: defect (bug) | Status: closed
Priority: high | Milestone: 4.9.8
Component: Media | Version: 4.9.7
Severity: major | Resolution: fixed
Keywords: has-patch commit fixed-major | Focuses:
------------------------------------------+---------------------
Comment (by pento):
Replying to [comment:42 tristanleboss]:
> If the problem comes from the repeated call to `stream_get_wrappers`,
> why don't we cache the output of this function in a function static
> variable? I mean it's not supposed to change during the same request.
I don't think this would help a huge amount, and has the potential to
introduce other weird behaviour, and potentially security issues. For
example, say you were to cache the output of `stream_get_wrappers()` that
included a corrupt wrapper name. If it were a shorter bit of memory that
it was reading from, then `wp_is_stream()` could be called a bunch of
times, and return correctly (assuming it wasn't a stream we were trying to
use that was being checked in those calls: if it was, then the function
would be returning that we're unable to read from a stream that we can
read from).
However, the memory that the corrupt wrapper name is pointing at could be
deallocated at any time, and then allocated to something else: now we have
a lump of memory that could potentially even be used by something outside
the PHP process, and we're reading from it. This will often cause the PHP
process to be terminated (modern OSes protect against processes reading
outside of their allocated memory), but otherwise may cause strange
information exposure issues.
> Hello @SergeyBiryukov Sorry if my question seems "crazy" but why
> @timbowesohft isn't in the props list? He pointed this bug here and
> finally will be patched.
Thanks for noticing that, @sebastienserre! That was my mistake, I
should've included him on the props list. We'll make sure he's given props
in the 4.9.8 release post. 🙂
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44532#comment:57>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform