From d9dca4939619236aea1fa7b9329fca766df5da7f Mon Sep 17 00:00:00 2001
From: Michal Nowacki <mnowacki@newrelic.com>
Date: Fri, 31 Jan 2025 10:59:55 -0500
Subject: [PATCH] verify wraprec belongs to process before using it

---
 agent/php_execute.c         | 6 +++++-
 agent/php_newrelic.h        | 2 +-
 agent/php_rinit.c           | 3 ++-
 agent/php_user_instrument.c | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/agent/php_execute.c b/agent/php_execute.c
index 1aeb66c74..875958901 100644
--- a/agent/php_execute.c
+++ b/agent/php_execute.c
@@ -95,7 +95,11 @@
 
 static inline nruserfn_t* nr_php_get_wraprec_from_op_array_extension(const char* fn, zend_function* zf) {
   nruserfn_t* wraprec = (nruserfn_t*)ZEND_OP_ARRAY_EXTENSION(&zf->op_array, NR_PHP_PROCESS_GLOBALS(op_array_extension_handle));
-  nrl_verbosedebug(NRL_AGENT, "%s from %s, op_array_extension=%p, wraprec=%p, wraprec->pid=%d", __func__, fn, ZEND_OP_ARRAY_EXTENSION(&zf->op_array, NR_PHP_PROCESS_GLOBALS(op_array_extension_handle)), wraprec, wraprec->pid);
+  nrl_verbosedebug(NRL_AGENT, "%s from %s, op_array_extension=%p, wraprec=%p, wraprec->pid=%d", __func__, fn, ZEND_OP_ARRAY_EXTENSION(&zf->op_array, NR_PHP_PROCESS_GLOBALS(op_array_extension_handle)), wraprec, wraprec? wraprec->pid : 0);
+  if (NULL != wraprec && NRPRG(pid) != wraprec->pid) {
+    nrl_debug(NRL_AGENT, "wraprec pid mismatch: %d != %d", wraprec->pid, NRPRG(pid));
+    return NULL;
+  }
   return wraprec;
 }
 
diff --git a/agent/php_newrelic.h b/agent/php_newrelic.h
index 6afaf531a..f9b1963f2 100644
--- a/agent/php_newrelic.h
+++ b/agent/php_newrelic.h
@@ -602,13 +602,13 @@ nrinibool_t
 nrinibool_t
     message_tracer_segment_parameters_enabled; /* newrelic.segment_tracer.segment_parameters.enabled */
 
+uint64_t pid;
 #if ZEND_MODULE_API_NO < ZEND_7_4_X_API_NO
 /*
  * pid and user_function_wrappers are used to store user function wrappers.
  * Storing this on a request level (as opposed to storing it on transaction
  * level) is more robust when using multiple transactions in one request.
  */
-uint64_t pid;
 nr_vector_t* user_function_wrappers;
 #endif
 
diff --git a/agent/php_rinit.c b/agent/php_rinit.c
index d704f935e..2a308fe46 100644
--- a/agent/php_rinit.c
+++ b/agent/php_rinit.c
@@ -18,6 +18,7 @@
 #include "nr_slowsqls.h"
 #include "util_logging.h"
 #include "util_strings.h"
+#include "util_syscalls.h"
 
 static void nr_php_datastore_instance_destroy(
     nr_datastore_instance_t* instance) {
@@ -60,9 +61,9 @@ PHP_RINIT_FUNCTION(newrelic) {
   NRPRG(drupal_http_request_depth) = 0;
 #endif
 #else
-  NRPRG(pid) = getpid();
   NRPRG(user_function_wrappers) = nr_vector_create(64, NULL, NULL);
 #endif
+  NRPRG(pid) = nr_getpid();
 
   if ((0 == NR_PHP_PROCESS_GLOBALS(enabled)) || (0 == NRINI(enabled))) {
     return SUCCESS;
diff --git a/agent/php_user_instrument.c b/agent/php_user_instrument.c
index e4de4e3b7..0fe243b76 100644
--- a/agent/php_user_instrument.c
+++ b/agent/php_user_instrument.c
@@ -296,7 +296,7 @@ static void nr_php_wrap_user_function_internal(nruserfn_t* wraprec TSRMLS_DC) {
 
 static nruserfn_t* nr_php_user_wraprec_create(void) {
   nruserfn_t* wr = (nruserfn_t*)nr_zalloc(sizeof(nruserfn_t));
-  wr->pid = nr_getpid();
+  wr->pid = NRPRG(pid);
   return wr;
 }