PHP :: Bug #15905 :: long filenames in fopen() crash PHP.

Bug #15905	long filenames in fopen() crash PHP.
Submitted:	2002-03-06 11:34 UTC	Modified:	2002-03-08 09:01 UTC
From:	a dot mayrhofer at kpnqwest dot at	Assigned:
Status:	Not a bug	Package:	Reproducible crash
PHP Version:	4.1.2	OS:	Solaris 2.6
Private report:	No	CVE-ID:	None

View Developer Edit

[2002-03-06 11:34 UTC] a dot mayrhofer at kpnqwest dot at

While upgrading PHP from 4.0.3pl1 to 4.1.2 i noticed crashes related to long file names, espacially when running under safe_mode.

The problem can be reproduced using the following one liner:

<?
sleep(20);
fopen("xxxxxxxxxxxxxxxxxx..... [very long file name, 1000 characters] ...xxxxxxxxxx", "r");
?>

Please note that for obvious reasons the filename has been shortened in the example above, the "sleep" statement has been added for debugging purposes...

Process trace of PHP:

sigprocmask(SIG_UNBLOCK, 0xEFFFE5B8, 0x00000000) = 0
sigaction(SIGALRM, 0xEFFFE518, 0x00000000)      = 0
resolvepath("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0xEFFFE078, 1024) Err#78 ENAMETOOLONG
    Incurred fault #6, FLTBOUNDS  %pc = 0xEF3A4644
      siginfo: SIGSEGV SEGV_MAPERR addr=0xF0000000
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0xF0000000
        *** process killed ***


gdb output:

(gdb) b php_fopen_wrapper
Breakpoint 1 at 0x2f3b8: file fopen_wrappers.c, line 245.
(gdb) cont
Continuing.

Breakpoint 1, php_fopen_wrapper (path=0x1cb060 'x' <repeats 200 times>..., 
    mode=0x1c71e8 "r", options=4, issock=0xefffe660, socketd=0x72, 
    opened_path=0x0) at fopen_wrappers.c:245
fopen_wrappers.c:245: No such file or directory.
(gdb) 
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xef3a4644 in strcpy ()
(gdb) bt
#0  0xef3a4644 in strcpy ()
#1  0xef3cbe18 in _realpath ()
#2  0xf8090 in php_checkuid (filename=0x1cb060 'x' <repeats 200 times>..., 
    fopen_mode=0x1c71e8 "r", mode=0) at safe_mode.c:79
#3  0x2fcf8 in php_fopen_url_wrapper (
    path=0x78787878 <Address 0x78787878 out of bounds>, 
    mode=0x78787878 <Address 0x78787878 out of bounds>, options=2021161080, 
    issock=0x78787878, socketd=0x78787878, opened_path=0x78787878)
    at fopen_wrappers.c:558
Cannot access memory at address 0x787878b0.
(gdb) (gdb) b php_fopen_wrapper
Breakpoint 1 at 0x2f3b8: file fopen_wrappers.c, line 245.
(gdb) cont
Continuing.

Breakpoint 1, php_fopen_wrapper (path=0x1cb060 'x' <repeats 200 times>..., 
    mode=0x1c71e8 "r", options=4, issock=0xefffe660, socketd=0x72, 
    opened_path=0x0) at fopen_wrappers.c:245
fopen_wrappers.c:245: No such file or directory.
(gdb) 
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xef3a4644 in strcpy ()
(gdb) bt
#0  0xef3a4644 in strcpy ()
#1  0xef3cbe18 in _realpath ()
#2  0xf8090 in php_checkuid (filename=0x1cb060 'x' <repeats 200 times>..., 
    fopen_mode=0x1c71e8 "r", mode=0) at safe_mode.c:79
#3  0x2fcf8 in php_fopen_url_wrapper (
    path=0x78787878 <Address 0x78787878 out of bounds>, 
    mode=0x78787878 <Address 0x78787878 out of bounds>, options=2021161080, 
    issock=0x78787878, socketd=0x78787878, opened_path=0x78787878)
    at fopen_wrappers.c:558
Cannot access memory at address 0x787878b0.
(gdb) 

Other occurrences with different path names and include path lead to Bus Errors...

If you need further information, don't hesitate to contact me.

Alex Mayrhofer

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-06 12:06 UTC] a dot mayrhofer at kpnqwest dot at

Just investigated, it happens if the path name is longer than 1980 characters: PHP Works with 1980 characters, crashes with 1981.

Forgot to mention that i use the CGI version of PHP.

[2002-03-06 12:16 UTC] a dot mayrhofer at kpnqwest dot at

sorry, gdb output was duplicated during cut'n'paste.

[2002-03-06 12:53 UTC] mfischer@php.net

Can't reproduce this problem with latest CVS on Linux (don't have solaris test environment).

Can you test with CVS ?

[2002-03-06 12:55 UTC] derick@php.net

Does it only happen with safe_mode on?

Derick

[2002-03-07 03:27 UTC] a dot mayrhofer at kpnqwest dot at

Can't reproduce it on Linux as well. Could be related to some solaris weirdness. example script works fine if safe_mode is turned off. I'll test with latest snap shots today.

cheers

axelm

[2002-03-07 05:53 UTC] a dot mayrhofer at kpnqwest dot at

Happens still with latest CVS snapshot (200203070000), please see gdb debugging session below:

(gdb) run crash.php
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /src/webstuff/php4-200203070000/php crash.php
warning: Unable to find dynamic linker breakpoint function.
warning: GDB will be unable to debug shared library initializers
warning: and track explicitly loaded dynamic code.

Breakpoint 1, php_checkuid (filename=0x1d2180 'x' <repeats 200 times>..., 
    fopen_mode=0x1c9278 "r", mode=4) at safe_mode.c:50
50		long uid=0L, gid=0L, duid=0L, dgid=0L;
(gdb) step
55		if (!filename) {
(gdb) 
59		if (fopen_mode) {
(gdb) 
60			if (fopen_mode[0] == 'r') {
(gdb) 
71		if (!strncasecmp(filename,"http://", 7) || !strncasecmp(filename,"ftp://", 6)) {
(gdb) print filename
$7 = 0x1d2180 'x' <repeats 200 times>...
(gdb) 
$8 = 0x1d2180 'x' <repeats 200 times>...
(gdb) 
$9 = 0x1d2180 'x' <repeats 200 times>...
(gdb) step
78		if (mode != CHECKUID_ALLOW_ONLY_DIR) {
(gdb) 
79			VCWD_REALPATH(filename, path);
(gdb) 
80			ret = VCWD_STAT(path, &sb);
(gdb) 
81			if (ret < 0) {
(gdb) 
82				if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) {(gdb) 
83					php_error(E_WARNING, "Unable to access %s", filename);
(gdb) print filename
$10 = 0x1d2180 'x' <repeats 200 times>...
(gdb) 
$11 = 0x1d2180 'x' <repeats 200 times>...
(gdb) step
zend_error (type=2, format=<error type>) at zend.c:642
642		switch (type) {
(gdb) 
657				if (zend_is_compiling(TSRMLS_C)) {
(gdb) 
zend_is_compiling () at zend_compile.c:147
147		return CG(in_compilation);
(gdb) 
zend_is_executing () at zend_execute_API.c:263
263		return EG(in_execution);
(gdb) 
zend_error (type=2, format=<error type>) at zend.c:661
661					error_filename = zend_get_executed_filename(TSRMLS_C);
(gdb) print error_filename
$12 = <incomplete type>
(gdb) step
zend_get_executed_filename () at zend_execute_API.c:243
243		if (EG(active_op_array)) {
(gdb) print active_op_array
No symbol "active_op_array" in current context.
(gdb) step
244			return EG(active_op_array)->filename;
(gdb) print active_op_array
No symbol "active_op_array" in current context.
(gdb) print EG(active_op_array)->filename
No symbol "EG" in current context.
(gdb) step
zend_error (type=2, format=<error type>) at zend.c:662
662					error_lineno = zend_get_executed_lineno(TSRMLS_C);
(gdb) print error_filename
$13 = <incomplete type>
(gdb) 
$14 = <incomplete type>
(gdb) step
zend_get_executed_lineno () at zend_execute_API.c:253
253		if (EG(opline_ptr)) {
(gdb) print opline_ptr
No symbol "opline_ptr" in current context.
(gdb) step
254			return active_opline->lineno;
(gdb) print filename
No symbol "filename" in current context.
(gdb) step

Program received signal SIGSEGV, Segmentation fault.
zend_get_executed_lineno () at zend_execute_API.c:254
254			return active_opline->lineno;
(gdb) bt
#0  zend_get_executed_lineno () at zend_execute_API.c:254
#1  0xec1bc in zend_error (type=2, format=<error type>) at zend.c:662
#2  0xf5d30 in php_checkuid (filename=0x1d2180 'x' <repeats 200 times>..., 
    fopen_mode=0xefffe118 'x' <repeats 200 times>..., mode=0) at safe_mode.c:83
#3  0x31de4 in php_fopen_url_wrapper (path=<error type>, mode=<error type>, 
    options=2021161080, issock=<incomplete type>, socketd=<incomplete type>, 
    opened_path=<error type>) at fopen_wrappers.c:582
Cannot access memory at address 0x787878b0.
(gdb)

[2002-03-07 14:54 UTC] mfischer@php.net

What is the value of 'active_opline' in the function 'zend_executed_lineno' ? Seems to be fucked up somehow (or the if expression above results in a wrong condition?).

Does it also happen with current CVS?

[2002-03-08 03:11 UTC] a dot mayrhofer at kpnqwest dot at

the value is broken, gdb returns "incomplete type". The trace above was created using yesterday's CVS snaps...

If you would like to look deeper into the problem for yourself, i could give you an shell account on one of our test machines... Is that an option for you?

axelm

[2002-03-08 07:41 UTC] mfischer@php.net

Set to bogus per user request.

User reports that this couldn't be reproduced on another solaris machine and is supposed to be a bug in the solaris libraries.

(just reopen the report if you think otherwise).

[2002-03-08 08:43 UTC] a dot mayrhofer at kpnqwest dot at

Installation of Sun Patch Nr. 105210-46 fixed the problem, PHP works fine now even on our Solaris boxes ;)

[2002-03-08 08:50 UTC] mfischer@php.net

Heh :) What kind of patch is exactly ? (just for the archiv if someone else has similar problems)

[2002-03-08 09:01 UTC] a dot mayrhofer at kpnqwest dot at

see

http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fpatches%2F105210

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Nov 30 20:00:01 2025 UTC