Bug #61728 PHP crash when calling ob_start in session_write
Submitted: 2012-04-13 19:24 UTC
Modified: 2013-09-26 15:03 UTC
Votes: 5
Avg. Score: 4.2 ± 1.0
Reproduced: 2 of 3 (66.7%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: frederik_php at vanrenterghem dot biz
Assigned: laruence
Status: Closed
Package: Reproducible crash
PHP Version: 5.4.0
OS: Linux Debian Wheezy
Private report: No
CVE-ID: None
 [2012-04-13 19:24 UTC] frederik_php at vanrenterghem dot biz
Description:
------------
Hi,

I am running a friendica (friendica.com) instance on a bitfolk.com VPS with 480MB ram. As webserver I'm using nginx. I can cause the site to crash very easily by clicking around on some links.

I am using an up-to-date version of Debian Wheezy. All packages are installed from the standard repository.

I have attached a backtrace, which is the same with each crash.

It seems as if the error is linked with the facebook connector from friendica, as it crashes when I try to load the connector settings, or if I go to the network page, which contains statuses from all connected sites including facebook. https://github.com/friendica/friendica-addons/tree/master/facebook

Thanks in advance for helping find a solution!

Best regards,
Frederik


Actual result:
--------------
Reading symbols from /usr/sbin/php5-fpm...(no debugging symbols found)...done.
[New LWP 2801]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push ()
(gdb) bt
#0  0x0832239d in zend_stack_push ()
#1  0x082d0e5c in php_output_handler_start ()
#2  0x082d337b in php_output_start_default ()
#3  0x0823953d in ?? ()
#4  0x083d2c31 in ?? ()
#5  0x0838e6d5 in execute ()
#6  0x08315e36 in zend_call_function ()
#7  0x083161b3 in call_user_function_ex ()
#8  0x08316228 in call_user_function ()
#9  0x081a67a0 in ?? ()
#10 0x081a69fe in ?? ()
#11 0x0819ecc4 in ?? ()
#12 0x0819ef55 in ?? ()
#13 0x0832b384 in ?? ()
#14 0x082bd905 in php_request_shutdown ()
#15 0x0806fd70 in ?? ()
#16 0xb6e6ce46 in __libc_start_main () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#17 0x08070875 in _start ()


Patches

bug61728.patch (last revision 2012-04-14 16:58 UTC by laruence@php.net)
bug61728.phpt (last revision 2012-04-14 16:57 UTC by laruence@php.net)

History

 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
corrected summary
 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
-Summary: php-fpm SIGSEV running friendica on nginx +Summary: php-fpm SIGSEGV running friendica on nginx
 [2012-04-14 02:50 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2012-04-14 02:50 UTC] aharvey@php.net
Can you install the php5-dbg package and generate a new backtrace with debug 
symbols installed, please?
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
-Status: Feedback +Status: Open
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
Ok, here's the updated backtrace with the debugging package installed:

Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
done.
[New LWP 8194]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).

Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
#1  0x082d0e5c in php_output_handler_start (handler=0x82cf910) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:563
#2  0x082d337b in php_output_start_default () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:412
#3  0x0823953d in zif_print_r (ht=-1226425644, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1269958144) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/standard/basic_functions.c:5485
#4  0x083d2c31 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6e39450) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:642
#5  0x0838e6d5 in execute (op_array=0x8315e36) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:410
#6  0x08315e36 in zend_call_function (fci=0x7, fci_cache=0x878ff54) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:958
#7  0x083161b3 in call_user_function_ex (function_table=0xa04b450, object_pp=0x0, function_name=0xb6e5b010, retval_ptr_ptr=0xbfe4facc, param_count=<unknown type>, params=0xb6e50d20, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:750
#8  0x08316228 in call_user_function (function_table=0x0, object_pp=0xb6e5b010, function_name=0xb6e619a0, retval_ptr=0x2, param_count=<unknown type>, params=0x6)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:723
#9  0x081a67a0 in ps_call_handler (func=0xb6e5b010, argc=2, argv=0x13b) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:53
#10 0x081a69fe in ps_write_user (mod_data=0x819ecc4, key=0x878c294 "", val=0xb6e5c048 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=170073760) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:144
#11 0x0819ecc4 in php_session_flush () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:489
#12 0x0819ef55 in zm_deactivate_session (type=137540484, module_number=1) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:2145
#13 0x0832b384 in zend_deactivate_modules () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_API.c:2325
#14 0x082bd905 in php_request_shutdown (dummy=0xa) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/main.c:1755
#15 0x0806fd70 in main (argc=3, argv=0xbfe521b4) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/sapi/fpm/fpm/fpm_main.c:1884
 [2012-04-14 15:13 UTC] frederik_php at vanrenterghem dot biz
I get the same error on apache2:

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
#1  0xb5ca1c1c in php_output_handler_start (handler=0xb5ca06d0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:563
#2  0xb5ca413b in php_output_start_default () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:412
#3  0xb5c0a0dd in zif_print_r (ht=-1295141216, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1228621212) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/standard/basic_functions.c:5496
#4  0xb5da40b1 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6c1e908) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:642
#5  0xb5d5fc75 in execute (op_array=0xb5ce70c6) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:410
#6  0xb5ce70c6 in zend_call_function (fci=0x7, fci_cache=0xb61cc7c4) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:958
#7  0xb5ce7463 in call_user_function_ex (function_table=0xb82d57f8, object_pp=0x0, function_name=0xb2c89c18, retval_ptr_ptr=0xbfbeb81c, param_count=<unknown type>, params=0xb6c361a4, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:750
#8  0xb5ce74d8 in call_user_function (function_table=0x0, object_pp=0xb2c89c18, function_name=0xb2d59274, retval_ptr=0x2, param_count=<unknown type>, params=0xb)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:723
#9  0xb5b76fa0 in ps_call_handler (func=0xb2c89c18, argc=2, argv=0x13b) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:53
#10 0xb5b771fe in ps_write_user (mod_data=0xb5b6f4e5, key=0xb61c8a94 "", val=0xb6c41214 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=-1296104456) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:144
#11 0xb5b6f4e5 in php_session_flush () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:489
#12 0xb5b703b5 in zm_deactivate_session (type=-1239763244, module_number=-1078019424) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:2144
#13 0xb5cfc684 in zend_deactivate_modules () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_API.c:2328
#14 0xb5c8e5d5 in php_request_shutdown (dummy=0xb630c838) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/main.c:1755
#15 0xb5da6824 in php_handler (r=0xb630f4c0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/sapi/apache2handler/sapi_apache2.c:520
#16 0xb77945be in ap_run_handler (r=0xb630f4c0) at config.c:159
#17 0xb7794a36 in ap_invoke_handler (r=0xb630f4c0) at config.c:377
#18 0xb77a5efc in ap_internal_redirect (new_uri=0xb630f490 "/index.php?q=admin/plugins/facebook/&a=t", r=0xb631d058) at http_request.c:554
#19 0xb6c93d96 in handler_redirect (r=0xb631d058) at mod_rewrite.c:4860
#20 0xb77945be in ap_run_handler (r=0xb631d058) at config.c:159
#21 0xb7794a36 in ap_invoke_handler (r=0xb631d058) at config.c:377
#22 0xb77a6878 in ap_process_request (r=0xb631d058) at http_request.c:282
#23 0xb77a3350 in ap_process_http_connection (c=0xb6bb81f0) at http_core.c:190
#24 0xb779bbce in ap_run_process_connection (c=0xb6bb81f0) at connection.c:43
#25 0xb77ac125 in child_main (child_num_arg=<optimized out>) at prefork.c:667
#26 0xb77aca83 in make_child (slot=0, s=<optimized out>) at prefork.c:768
#27 make_child (s=<optimized out>, slot=0) at prefork.c:696
#28 0xb77acb5c in startup_children (number_to_start=5) at prefork.c:786
#29 0xb77ad730 in ap_mpm_run (_pconf=0xb7730018, plog=0xb747c018, s=0xb74aa880) at prefork.c:1007
#30 0xb777d5d2 in main (argc=3, argv=0xbfbec334) at main.c:755
 [2012-04-14 16:57 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.phpt
Revision:   1334422666
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.phpt&revision=1334422666
 [2012-04-14 16:58 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.patch
Revision:   1334422683
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.patch&revision=1334422683
 [2012-04-14 16:59 UTC] laruence@php.net
If you try to start a user output handler in session_write, then it will crash. I
have attached a simple reproduce script.

And also made a simple fix.
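
A triage helper for the backtraces above, added here as an example (it is not part of the report or of php-src): it parses gdb `bt` output and flags the frame chain this bug produces, an output handler being started from a user session write callback during request shutdown. The verdict strings and the abridged sample traces (arguments and build paths shortened) are assumptions of the example.

```python
import re

# "#N  0xADDR in func (" or "#N func (" (gdb omits the address on inlined frames).
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(")

# Innermost-to-outermost frames that characterise this crash.
CORE = ["zend_stack_push", "php_output_handler_start",
        "call_user_function", "php_request_shutdown"]
# Session frames, only resolvable when debug symbols are installed.
SESSION = ["php_output_handler_start", "ps_write_user",
           "php_session_flush", "php_request_shutdown"]

def parse_frames(bt_text):
    """Function names by frame number; '??' is unsymbolized, repeated #0 is kept once."""
    frames = {}
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.lstrip())
        if m:
            frames.setdefault(int(m.group(1)), m.group(2))
    return [frames[i] for i in sorted(frames)]

def has_chain(funcs, chain):
    """True if chain occurs in funcs as an ordered (not contiguous) subsequence."""
    it = iter(funcs)
    return all(any(f == want for f in it) for want in chain)

def triage(bt_text):
    funcs = parse_frames(bt_text)
    if not has_chain(funcs, CORE):
        return "no-match"
    return "match" if has_chain(funcs, SESSION) else "possible"

# Abridged from the two php-fpm backtraces in this report (frame numbers kept).
STRIPPED = """\
#0  0x0832239d in zend_stack_push ()
#0  0x0832239d in zend_stack_push ()
#1  0x082d0e5c in php_output_handler_start ()
#8  0x08316228 in call_user_function ()
#9  0x081a67a0 in ?? ()
#14 0x082bd905 in php_request_shutdown ()
"""
SYMBOLIZED = """\
#0  0x0832239d in zend_stack_push (...) at Zend/zend_stack.c:42
#1  0x082d0e5c in php_output_handler_start (handler=0x82cf910) at main/output.c:563
#8  0x08316228 in call_user_function (...) at Zend/zend_execute_API.c:723
#10 0x081a69fe in ps_write_user (...) at ext/session/mod_user.c:144
#11 0x0819ecc4 in php_session_flush () at ext/session/session.c:489
#14 0x082bd905 in php_request_shutdown (dummy=0xa) at main/main.c:1755
"""
print(triage(STRIPPED), triage(SYMBOLIZED))
```

A "possible" verdict means the session frames were unresolved; regenerating the backtrace with the debug symbol package installed, as requested earlier in this thread, settles it.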
 [2012-04-14 17:03 UTC] laruence@php.net
-Status: Open +Status: Verified
 [2012-04-14 17:16 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:18 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:21 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-04-14 17:21 UTC] laruence@php.net
Assign to me, since I have made a try to fix it. Will close this after confirming
that the fix is okay.
 [2012-04-16 11:19 UTC] laruence@php.net
-Summary: php-fpm SIGSEGV running friendica on nginx +Summary: PHP crash when calling ob_start in session_write
 [2012-04-16 11:19 UTC] laruence@php.net
change the summary
 [2013-09-26 15:03 UTC] mike@php.net
-Status: Verified +Status: Closed
 [2013-09-26 15:03 UTC] mike@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2014-10-07 23:37 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 
Last updated: Thu Nov 21 10:01:29 2024 UTC