Guard JIT blacklist rewrite to tracing JIT metadata #3929

Merged
bwoebi merged 1 commit into master from codex/propose-fix-for-jit-corruption-vulnerability
May 28, 2026

@bwoebi bwoebi commented May 28, 2026

Collaborator

Motivation

  • A helper used by HookData::overrideArguments() attempted to rewrite JIT/tracing opcache metadata without verifying the layout, which can reinterpret non-tracing JIT data as tracing metadata and cause out-of-bounds reads/writes or crash the PHP worker.
  • The PHP 8.0 reserved-slot heuristic also inspected the wrong pointer, which could select an incorrect resource id and further enable unsafe reinterpretation.
  • The change aims to safely gate the tracing-JIT-specific rewriting so only valid tracing-JIT metadata is modified.

Description

  • Fixed the PHP 8.0 reserved-slot heuristic in zai_get_zend_func_rid() to inspect op_array->reserved[i] instead of op_array->reserved, preventing incorrect resource-id selection.
  • Added a defensive zai_is_mapped() check before dereferencing the jit_extension pointer to avoid reading unmapped or invalid memory.
  • Only perform trace-layout rewrites when the metadata func_info.flags indicates hot-trace JIT by testing ZEND_FUNC_JIT_ON_HOT_TRACE, and added a compatibility fallback definition for that flag when headers don't provide it.

Testing

  • Ran git diff --check which reported no conflicts or whitespace errors and succeeded.
  • Verified repository status with git status --short and committed the change successfully.
  • No automated unit tests were added or run as part of this minimal, targeted native-safety hardening change.

Codex Task
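
An added example, not code from this pull request or from dd-trace-php: a self-contained C model of the guards listed in the description, where a pointer is checked for being mapped and for the hot-trace flag before it is treated as trace metadata. The struct layouts, the flag values, the extra count bound and every `model_*` name are constructed assumptions, and `model_is_mapped()` is a hypothetical stand-in for `zai_is_mapped()` built on `msync()` (Linux behaviour assumed).

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model: NOT PHP's real layouts; flag values are placeholders. */
#define MODEL_JIT_ON_HOT_COUNTERS (1u << 0)
#define MODEL_JIT_ON_HOT_TRACE    (1u << 1)

typedef struct { uint32_t flags; } model_func_info;   /* header shared by both layouts */
typedef struct { model_func_info func_info; uint8_t counter; } model_counters_ext;
typedef struct { model_func_info func_info; uint32_t n; const void *handlers[4]; } model_trace_ext;

/* Hypothetical mapped-memory probe: msync() fails with ENOMEM when the page
 * holding addr is not mapped. Only that single page is probed. */
static int model_is_mapped(const void *addr) {
    if (!addr) return 0;
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)addr & ~(page - 1));
    return msync(base, page, MS_ASYNC) == 0 || errno != ENOMEM;
}

/* Returns the number of handler slots rewritten, or -1 when the metadata is refused. */
static int model_rewrite_trace(void *jit_extension, const void *handler) {
    if (!model_is_mapped(jit_extension)) return -1;          /* guard 1: memory is readable */
    model_func_info *info = jit_extension;                    /* only the shared header so far */
    if (!(info->flags & MODEL_JIT_ON_HOT_TRACE)) return -1;   /* guard 2: layout really is trace */
    model_trace_ext *t = jit_extension;                       /* cast is justified from here on */
    if (t->n > sizeof t->handlers / sizeof t->handlers[0]) return -1; /* added bound on the count */
    for (uint32_t i = 0; i < t->n; i++) t->handlers[i] = handler;
    return (int)t->n;
}

int main(void) {
    int h = 0;
    model_trace_ext t = { { MODEL_JIT_ON_HOT_TRACE }, 2, { 0 } };
    model_counters_ext c = { { MODEL_JIT_ON_HOT_COUNTERS }, 7 };
    /* Without guard 2 the second call would write handler slots past the end of c. */
    printf("trace layout:   %d\n", model_rewrite_trace(&t, &h));
    printf("counter layout: %d\n", model_rewrite_trace(&c, &h));
    return 0;
}
```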

@bwoebi bwoebi requested a review from a team as a code owner May 28, 2026 12:49
datadog-datadog-prod-us1 Bot commented May 28, 2026

⚠️ Warnings

🚦 9 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | pecl tests: [8.5]

🔧 Fix in code (Fix with Cursor). 1 failed test: Test dynamic config multiconfig priority merging.

DataDog/apm-reliability/dd-trace-php | test_extension_ci: [8.2]

🔧 Fix in code (Fix with Cursor). Error during installation of live debugger span probe. Exception: Oops! at dd_trace_span_link_with_exception.php:17.

DataDog/apm-reliability/dd-trace-php | min install tests

🔄 Retry job. This looks flaky and may succeed on retry. Failed to create pod sandbox due to network setup issues: unable to allocate IP via local cilium agent.

View all 9 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.70% (-0.05%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 07401b3

@bwoebi bwoebi merged commit e859a5a into master May 28, 2026
2112 of 2127 checks passed
@bwoebi bwoebi deleted the codex/propose-fix-for-jit-corruption-vulnerability branch May 28, 2026 13:56
@github-actions github-actions Bot added this to the 1.21.0 milestone May 28, 2026