PHP :: Bug #81407 :: shmop_open won't attach and causes php to crash

Bug #81407	shmop_open won't attach and causes php to crash
Submitted:	2021-09-02 02:20 UTC	Modified:	2021-09-02 12:04 UTC
From:	dr286 dot business at pacbell dot net	Assigned:	cmb (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.4.23	OS:	Windows 10 x64
Private report:	No	CVE-ID:	None

View Developer Edit

[2021-09-02 02:20 UTC] dr286 dot business at pacbell dot net

Description:
------------
When using large values for for $key on shmop_open, only one shared memory object can be opened.  Subsequent attempts to open a shared memory object result in the following warning:

Warning:  shmop_open(): unable to attach or create shared memory segment 'No error' in php shell code on line 1

Also, when performing the operation repeatedly when this warning shows up, PHP will crash with a memory access violation.  The following is information from the Windows Event log about the crash:

Log Name:      Application
Source:        Application Error
Date:          9/1/2021 7:09:47 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HARDROCK
Description:
Faulting application name: php.exe, version: 7.4.23.0, time stamp: 0x6126106b
Faulting module name: php7ts.dll, version: 7.4.23.0, time stamp: 0x61261d0c
Exception code: 0xc0000005
Fault offset: 0x0000000000592b8f
Faulting process id: 0x23b0
Faulting application start time: 0x01d79f9f9a1cd8a1
Faulting application path: C:\Servers\php\php.exe
Faulting module path: C:\Servers\php\php7ts.dll
Report Id: 784e70c3-570d-41fc-bba4-32b2c9c2acfe
Faulting package full name: 
Faulting package-relative application ID: 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>100</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-09-02T02:09:47.0466867Z" />
    <EventRecordID>14012</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>HARDROCK</Computer>
    <Security />
  </System>
  <EventData>
    <Data>php.exe</Data>
    <Data>7.4.23.0</Data>
    <Data>6126106b</Data>
    <Data>php7ts.dll</Data>
    <Data>7.4.23.0</Data>
    <Data>61261d0c</Data>
    <Data>c0000005</Data>
    <Data>0000000000592b8f</Data>
    <Data>23b0</Data>
    <Data>01d79f9f9a1cd8a1</Data>
    <Data>C:\Servers\php\php.exe</Data>
    <Data>C:\Servers\php\php7ts.dll</Data>
    <Data>784e70c3-570d-41fc-bba4-32b2c9c2acfe</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

Below is the diff of php.ini file with all the comments and blank lines removed.  The diff was almost 500 lines long, so I just copied both files and cleared out the comments and blank lines and diffed that.  The file compared against was php.ini-development.


--- php.ini-development	Wed Sep 01 18:51:26 2021
+++ php.ini	Wed Sep 01 18:51:19 2021
@@ -2 +1,0 @@
-engine = On
@@ -13 +11,0 @@
-zend.exception_ignore_args = Off
@@ -25,0 +24 @@
+html_errors = On
@@ -35 +34 @@
-;include_path = ".;c:\php\includes"
+include_path = ".;c:\servers\php\includes"
@@ -37,0 +37 @@
+extension_dir = "C:\servers\php\ext"
@@ -44,0 +45,6 @@
+extension=php_fileinfo.dll
+extension=php_openssl.dll
+extension=php_pdo_mysql.dll
+extension=php_shmop.dll
+extension=php_sockets.dll
+zend_extension="C:\servers\php\ext\php_xdebug.dll"
@@ -50 +55,0 @@
-[imap]
@@ -55,0 +61 @@
+pdo_mysql.cache_size = 2000
@@ -61,0 +68,2 @@
+[SQL]
+sql.safe_mode = Off
@@ -68,0 +77,7 @@
+[Interbase]
+ibase.allow_persistent = 1
+ibase.max_persistent = -1
+ibase.max_links = -1
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+ibase.dateformat = "%Y-%m-%d"
+ibase.timeformat = "%H:%M:%S"
@@ -72,0 +88 @@
+mysqli.cache_size = 2000
@@ -95 +111,2 @@
-session.use_strict_mode = 0
+session.save_path = "C:\servers\sessions"
+session.use_strict_mode = 1
@@ -103,2 +120 @@
-session.cookie_httponly =
-session.cookie_samesite =
+session.cookie_httponly = 1
@@ -131,0 +148 @@
+[mcrypt]
@@ -136 +153,3 @@
-[ffi]
\ No newline at end of file
+[Xdebug]
+xdebug.remote_enable = 1
+xdebug.remote_autostart = 1
\ No newline at end of file



Test script:
---------------
<?php
// This file demonstrates a bug in php 7.4.23 dealing with shmop_open.
// THis works just fine.
$a = shmop_open(1, 'n', 0664, 16384);
$b = shmop_open(2, 'n', 0664, 16384);
shmop_delete($a);
shmop_delete($b);
shmop_close($a);
shmop_close($b);
// This fails.
$a = shmop_open(367504384, 'n', 0664, 262144);
$b = shmop_open(367504385, 'n', 0664, 65536);
if ($b == false) {
	$b = shmop_open(367504385, 'w', 0664, 65536);
}
// And this will crash php.
$c = shmop_open(367504385, 'n', 0664, 65536);
if ($c == false) {
	$c = shmop_open(367504385, 'w', 0664, 65536);
}
echo "Reached the end.\n";
?>

Expected result:
----------------
It should create/attach a resource from key 367504385 without crashing.  Also, if the first call fails, a warning is expected.  Normally, I would use @ to suppress it.  The second call should attach to an already existing shared memory region.

Actual result:
--------------
C:\Servers\webdocs\test\bugs>php -f php_crash.php
PHP Warning:  shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 12
PHP Stack trace:
PHP   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
PHP   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:12

Warning: shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 12

Call Stack:
    0.3998     395600   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
    0.4003     395680   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:12

PHP Warning:  shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 14
PHP Stack trace:
PHP   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
PHP   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:14

Warning: shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 14

Call Stack:
    0.3998     395600   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
    0.4045     395688   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:14

PHP Warning:  shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 17
PHP Stack trace:
PHP   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
PHP   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:17

Warning: shmop_open(): unable to attach or create shared memory segment 'No error' in C:\Servers\webdocs\test\bugs\php_crash.php on line 17

Call Stack:
    0.3998     395600   1. {main}() C:\Servers\webdocs\test\bugs\php_crash.php:0
    0.4083     395688   2. shmop_open() C:\Servers\webdocs\test\bugs\php_crash.php:17


C:\Servers\webdocs\test\bugs>

Patches

Pull Requests

Pull requests:

Fix #81407: shmop_open won't attach and causes php to crash (php-src/7448)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-09-02 09:45 UTC] cmb@php.net

I cannot reproduce the crash, but the failure to open/attach, and
the cause is pretty obvious: the names of the file mappings are
truncated for keys > 99999999[1], what may cause all kinds of
issues.

[1] <https://github.com/php/php-src/blob/php-7.4.23/TSRM/tsrm_win32.c#L622-L623>

[2021-09-02 09:45 UTC] cmb@php.net

-Status: Open +Status: Analyzed -Assigned To: +Assigned To: cmb

[2021-09-02 10:11 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #81407: shmop_open won't attach and causes php to crash
On GitHub:  https://github.com/php/php-src/pull/7448
Patch:      https://github.com/php/php-src/pull/7448.patch

[2021-09-02 11:46 UTC] dr2867 dot business at pacbell dot net

This was working forever using a single shared memory region.  Only recently I have been updating the code to use more than one region (3 to be exact) to improve performance.  The purpose is to cache data that does not change often, saving several database queries.

Does the key value limit exist only on the Windows platform? Only when I tried using more than one region, I started having issues.  Also, if this limit is by design, it should be in the manual.

As a workaround until the fix is applied in the next version of PHP, I can use different key IDs.  They were picked randomly years ago.

[2021-09-02 12:04 UTC] cmb@php.net

Yes, this issue is specific to Windows.

[2021-09-02 21:23 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/f3d24af74fdc59981650edcd7dfec7b8747e7158
Log: Fix #81407: shmop_open won't attach and causes php to crash

[2021-09-02 21:23 UTC] git@php.net

-Status: Analyzed +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC