Bug #9775 libmcrypt-2.4.9 causes random segmentation faults
Submitted: 2001-03-15 22:16 UTC Modified: 2001-07-05 02:51 UTC
From: old dot wolf at project-w dot com Assigned: derick (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.0.4pl1 OS: Red Hat 6.0 (2.2.5-15) i586
Private report: No CVE-ID: None
 [2001-03-15 22:16 UTC] old dot wolf at project-w dot com
./configure --with-apxs --with-mcrypt --with-mhash --with-mysql=../../mysql --with-gd --enable-versioning --with-ttf --with-jpeg-dir=../jpeg-6b 

Apache 1.3.19, mod_ssl 2.8.1-1.3.19, mm 1.1.3, libmcrypt 2.4.9, mhash 0.8.9, mysql 3.23.34, gd 1.8.4, libpng 1.0.9, freetype 2.0, zlib 1.1.3, jpeg-6b

Some scripts seemed to crash inexplicably (e.g. during code that wasn't even calling any functions), and apache's error_log contains lines similar to:
[Fri Mar 16 13:58:06 2001] [notice] child pid 15396 exit signal Segmentation fault (11)

The same code sometimes segfaulted and sometimes didn't, and trying to pinpoint the exact crash line by inserting die() commands would sometimes give different death locations.

I tracked down the problem location, firstly by recompiling PHP with --enable-debug, and then by using gdb's backtrace function. I will now give both of these results.

When --enable-debug is added to the above configure line, no segmentation faults occur, but the apache error log contains lines such as:
mcrypt.c(1240) :  Freeing 0x081957D4 (8 bytes), script=/var/www/activate/calculate.php
Last leak repeated 1 times.
mcrypt.c(1240) :  Freeing 0x081D1A34 (24 bytes), script=/var/www/paygate/confirm.php

The scripts in question contain a line:
$target = mcrypt_cbc(MCRYPT_DES, $product, $serial, MCRYPT_DECRYPT);
The first mcrypt error message above was for MCRYPT_DES, and the second was for MCRYPT_TripleDES.

So my guess would be that this memory leak is causing all of my crashes mentioned above.

[Note: Adding an initialization vector as a fifth parameter, or instead using mcrypt_encrypt() as described in the manual, does not correct the problem in any respect.]

After finding this, I recompiled PHP without --enable-debug, and used GDB's backtrace function. The first trace below occurs at the MCRYPT_DES line above, and the second trace occurs in a function a fair way after the MCRYPT_TripleDES line mentioned above (presumably it left memory corrupted or something).

[root@ptl3 bin]# gdb httpd           
GNU gdb 4.17.0.11 with Linux support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) run -X
Starting program: /usr/local/apache/bin/httpd -X
Cannot access memory at address 0x7972.
(gdb) bt
#0  _dl_debug_state () at dl-debug.c:56
#1  0x4000a12b in _dl_catch_error (errstring=0xbfffc5cc, operate=0x402607a0 <dl_open_worker>, 
    args=0xbfffc5d0) at dl-error.c:141
#2  0x402609fd in _dl_open (file=0x8183f70 "/usr/local/lib/libmcrypt/des.so", mode=257)
    at dl-open.c:176
#3  0x40186058 in dlopen_doit (a=0xbfffc6d8) at dlopen.c:39
#4  0x4000a12b in _dl_catch_error (errstring=0x40187d00, operate=0x40186030 <dlopen_doit>, 
    args=0xbfffc6d8) at dl-error.c:141
#5  0x40186608 in _dlerror_run (operate=0x40186030 <dlopen_doit>, args=0xbfffc6d8)
    at dlerror.c:122
#6  0x4018601d in __dlopen_check (file=0x8183f70 "/usr/local/lib/libmcrypt/des.so", mode=257)
    at dlopen.c:50
#7  0x40508c91 in sys_dl_open (handle=0x8183ec0, 
    filename=0x8183f70 "/usr/local/lib/libmcrypt/des.so") at ltdl.c:266
#8  0x405091ad in tryall_dlopen (handle=0xbfffc814, 
    filename=0x8183f70 "/usr/local/lib/libmcrypt/des.so") at ltdl.c:943
#9  0x405092be in find_module (handle=0xbfffc814, dir=0x8183e80 "/usr/local/lib/libmcrypt/", 
    libdir=0x8183e58 "/usr/local/lib/libmcrypt", dlname=0x8183ea0 "des.so", 
    old_name=0x8183eb0 "des.a", installed=1) at ltdl.c:986
#10 0x40509e54 in lt_dlopen (filename=0x8185ae0 "des.la") at ltdl.c:1340
#11 0x4050a191 in lt_dlopenext (filename=0x8193ed4 "des") at ltdl.c:1434
#12 0x40505244 in mcrypt_dlopen (a_directory=0x0, m_directory=0x0, filename=0x8193ed4 "des")
    at mcrypt_modules.c:95
#13 0x40505295 in mcrypt_module_open (algorithm=0x8193ed4 "des", a_directory=0x0, 
    mode=0x40461662 "cbc", m_directory=0x0) at mcrypt_modules.c:145
#14 0x403dd120 in php_mcrypt_do_crypt (cipher=0x8193ed4 "des", key=0x81873d8, data=0x81873dc, 
    mode=0x40461662 "cbc", iv=0x81873e4, argc=5, dencrypt=1, return_value=0x8194d14)
    at mcrypt.c:1220
#15 0x403de42b in php_if_mcrypt_cbc (ht=5, return_value=0x8194d14, this_ptr=0x0, 
    return_value_used=1) at mcrypt.c:1385
#16 0x403a7736 in execute (op_array=0x81930e8) at ./zend_execute.c:1519
#17 0x403a7987 in execute (op_array=0x818840c) at ./zend_execute.c:1559
#18 0x403b5740 in zend_execute_scripts (type=8, file_count=3) at zend.c:729
#19 0x403c6841 in php_execute_script (primary_file=0xbffffb90) at main.c:1221
#20 0x403c3262 in apache_php_module_main (r=0x8106c40, display_source_mode=0)
    at sapi_apache.c:89
#21 0x403c3b83 in send_php (r=0x8106c40, display_source_mode=0, filename=0x0) at mod_php4.c:516
#22 0x403c3bb4 in send_parsed_php (r=0x8106c40) at mod_php4.c:527
#23 0x8091b43 in ap_invoke_handler ()
#24 0x80a5b09 in process_request_internal ()
#25 0x80a5b6c in ap_process_request ()
---Type <return> to continue, or q <return> to quit---
#26 0x809d0ae in child_main ()
#27 0x809d25c in make_child ()
#28 0x809d3b9 in startup_children ()
#29 0x809d9f6 in standalone_main ()
#30 0x809e193 in main ()
#31 0x4019fcb3 in __libc_start_main (main=0x809de3c <main>, argc=2, argv=0xbffffd54, 
    init=0x8054c7c <_init>, fini=0x80d5acc <_fini>, rtld_fini=0x4000a350 <_dl_fini>, 
    stack_end=0xbffffd4c) at ../sysdeps/generic/libc-start.c:78

[root@ptl3 bin]# gdb httpd
GNU gdb 4.17.0.11 with Linux support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) run -X -DSSL
Starting program: /usr/local/apache/bin/httpd -X -DSSL
Cannot access memory at address 0x19.
(gdb) bt
#0  _dl_debug_state () at dl-debug.c:56
#1  0x4000a12b in _dl_catch_error (errstring=0xbfffc71c, operate=0x402607a0 <dl_open_worker>, 
    args=0xbfffc720) at dl-error.c:141
#2  0x402609fd in _dl_open (file=0x81b84b8 "/usr/local/lib/libmcrypt/tripledes.so", mode=257)
    at dl-open.c:176
#3  0x40186058 in dlopen_doit (a=0xbfffc828) at dlopen.c:39
#4  0x4000a12b in _dl_catch_error (errstring=0x40187d00, operate=0x40186030 <dlopen_doit>, 
    args=0xbfffc828) at dl-error.c:141
#5  0x40186608 in _dlerror_run (operate=0x40186030 <dlopen_doit>, args=0xbfffc828)
    at dlerror.c:122
#6  0x4018601d in __dlopen_check (file=0x81b84b8 "/usr/local/lib/libmcrypt/tripledes.so", 
    mode=257) at dlopen.c:50
#7  0x40508c91 in sys_dl_open (handle=0x81c0a08, 
    filename=0x81b84b8 "/usr/local/lib/libmcrypt/tripledes.so") at ltdl.c:266
#8  0x405091ad in tryall_dlopen (handle=0xbfffc964, 
    filename=0x81b84b8 "/usr/local/lib/libmcrypt/tripledes.so") at ltdl.c:943
#9  0x405092be in find_module (handle=0xbfffc964, dir=0x81bf830 "/usr/local/lib/libmcrypt/", 
    libdir=0x81c09e8 "/usr/local/lib/libmcrypt", dlname=0x818e970 "tripledes.so", 
    old_name=0x81b7ca8 "tripledes.a", installed=1) at ltdl.c:986
#10 0x40509e54 in lt_dlopen (filename=0x81d4f70 "tripledes.la") at ltdl.c:1340
#11 0x4050a191 in lt_dlopenext (filename=0x81e874c "tripledes") at ltdl.c:1434
#12 0x40505244 in mcrypt_dlopen (a_directory=0x0, m_directory=0x0, 
    filename=0x81e874c "tripledes") at mcrypt_modules.c:95
#13 0x40505295 in mcrypt_module_open (algorithm=0x81e874c "tripledes", a_directory=0x0, 
    mode=0x40461662 "cbc", m_directory=0x0) at mcrypt_modules.c:145
#14 0x403dd120 in php_mcrypt_do_crypt (cipher=0x81e874c "tripledes", key=0x81af890, 
    data=0x81af894, mode=0x40461662 "cbc", iv=0x0, argc=4, dencrypt=1, return_value=0x81b77dc)
    at mcrypt.c:1220
#15 0x403de42b in php_if_mcrypt_cbc (ht=4, return_value=0x81b77dc, this_ptr=0x0, 
    return_value_used=1) at mcrypt.c:1385
#16 0x403a7736 in execute (op_array=0x8198084) at ./zend_execute.c:1519
#17 0x403b5740 in zend_execute_scripts (type=8, file_count=3) at zend.c:729
#18 0x403c6841 in php_execute_script (primary_file=0xbffffb80) at main.c:1221
#19 0x403c3262 in apache_php_module_main (r=0x8173348, display_source_mode=0)
    at sapi_apache.c:89
#20 0x403c3b83 in send_php (r=0x8173348, display_source_mode=0, filename=0x0) at mod_php4.c:516
#21 0x403c3bb4 in send_parsed_php (r=0x8173348) at mod_php4.c:527
#22 0x8091b43 in ap_invoke_handler ()
#23 0x80a5b09 in process_request_internal ()
#24 0x80a5b6c in ap_process_request ()
#25 0x809d0ae in child_main ()
---Type <return> to continue, or q <return> to quit---
#26 0x809d25c in make_child ()
#27 0x809d3b9 in startup_children ()
#28 0x809d9f6 in standalone_main ()
#29 0x809e193 in main ()
#30 0x4019fcb3 in __libc_start_main (main=0x809de3c <main>, argc=3, argv=0xbffffd44, 
    init=0x8054c7c <_init>, fini=0x80d5acc <_fini>, rtld_fini=0x4000a350 <_dl_fini>, 
    stack_end=0xbffffd3c) at ../sysdeps/generic/libc-start.c:78
(gdb) 

To conclude, I am now running with --enable-debug on, since then my scripts do not segfault and (to the client) the pages appear to operate correctly, despite the leak messages in the error_log.

 [2001-03-15 23:09 UTC] sniper@php.net
I had those same segfaults but after I updated my GDB to
version 5.0 they didn't happen again. So please try
updating your GDB and try generating the backtrace for
the crashes again. FYI: The author of libmcrypt has 
said that some of these crashes are actually bugs in
the libmcrypt itself..

--Jani

 [2001-03-16 09:26 UTC] derick@php.net
Those memleaks can in no way crash php too. It seems to
me that the key is not freed. I'll check this part out.
 [2001-03-16 09:36 UTC] derick@php.net
These memleaks were indeed caused by not freeing the key. Fix is pending until I have access to CVS again.
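The "mcrypt.c(1240) :  Freeing 0x... (8 bytes)" lines in the report are produced by the Zend memory manager, which under --enable-debug records the source file and line of every allocation and, at request shutdown, prints and releases whatever was never freed, collapsing consecutive leaks from the same line into "Last leak repeated N times". The 8- and 24-byte sizes are consistent with derick's diagnosis above that the key copy was not freed: 8 bytes is the DES key size and 24 bytes the TripleDES key size. The following is an added example written for this page, not code from PHP or libmcrypt: a minimal leak-tracking allocator that reproduces that report format, and a toy crypt wrapper showing the defect (a padded key buffer allocated per call and dropped on return) beside the one-line fix. All names (dbg_malloc, dbg_free, dbg_shutdown, crypt_once, run_request) are assumptions, the XOR stands in for the real cipher, and whether PHP's wrapper allocated the key copy exactly this way is likewise an assumption.

```c
/* Added illustration, not PHP's or libmcrypt's code. Names and the toy
 * cipher are assumptions; only the reporting format mirrors the Zend
 * --enable-debug output quoted in the bug report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 64

struct block {
    void       *ptr;
    size_t      size;
    const char *file;
    int         line;
    int         live;
};

static struct block blocks[MAX_BLOCKS];
static int          nblocks;

/* malloc() that records the caller's file and line, like emalloc() under --enable-debug. */
static void *dbg_malloc_at(size_t size, const char *file, int line)
{
    void *p;
    if (nblocks >= MAX_BLOCKS || (p = malloc(size)) == NULL)
        return NULL;
    blocks[nblocks].ptr  = p;
    blocks[nblocks].size = size;
    blocks[nblocks].file = file;
    blocks[nblocks].line = line;
    blocks[nblocks].live = 1;
    nblocks++;
    return p;
}
#define dbg_malloc(sz) dbg_malloc_at((sz), __FILE__, __LINE__)

static void dbg_free(void *p)
{
    int i;
    for (i = 0; i < nblocks; i++) {
        if (blocks[i].live && blocks[i].ptr == p) {
            blocks[i].live = 0;
            free(p);
            return;
        }
    }
}

/* Request shutdown: report every block still live in the Zend format, release it,
 * and collapse consecutive leaks from one source line. Returns the leak count. */
static int dbg_shutdown(const char *script)
{
    int i, leaked = 0, repeated = 0;
    const char *last_file = NULL;
    int last_line = -1;

    for (i = 0; i < nblocks; i++) {
        if (!blocks[i].live)
            continue;
        leaked++;
        if (last_file && strcmp(blocks[i].file, last_file) == 0 && blocks[i].line == last_line) {
            repeated++;
        } else {
            if (repeated)
                printf("Last leak repeated %d times.\n", repeated);
            printf("%s(%d) :  Freeing %p (%lu bytes), script=%s\n",
                   blocks[i].file, blocks[i].line, blocks[i].ptr,
                   (unsigned long)blocks[i].size, script);
            repeated  = 0;
            last_file = blocks[i].file;
            last_line = blocks[i].line;
        }
        free(blocks[i].ptr);
        blocks[i].live = 0;
    }
    if (repeated)
        printf("Last leak repeated %d times.\n", repeated);
    nblocks = 0;
    return leaked;
}

/* Toy stand-in for a crypt wrapper: the user key is copied into a zero-padded
 * buffer of the cipher's key size (8 for DES, 24 for TripleDES) and the data is
 * XORed against it (placeholder for the cipher). With fixed == 0 the function
 * returns without releasing kbuf: one leaked key-sized block per call. */
static int crypt_once(unsigned char *data, size_t len,
                      const char *key, size_t keysize, int fixed)
{
    size_t i, klen = strlen(key);
    unsigned char *kbuf = dbg_malloc(keysize);
    if (!kbuf)
        return -1;
    memset(kbuf, 0, keysize);
    memcpy(kbuf, key, klen < keysize ? klen : keysize);
    for (i = 0; i < len; i++)
        data[i] ^= kbuf[i % keysize];
    if (fixed)
        dbg_free(kbuf);   /* the fix: release the key copy on every return path */
    return 0;
}

/* One simulated request: a DES call, then a TripleDES call, then shutdown. */
static int run_request(const char *script, int fixed)
{
    unsigned char buf[] = "constructed-data";   /* constructed sample input */
    crypt_once(buf, sizeof buf - 1, "k1", 8, fixed);
    crypt_once(buf, sizeof buf - 1, "k2", 24, fixed);
    return dbg_shutdown(script);
}

int main(void)
{
    printf("leaked (unfixed): %d\n", run_request("/var/www/activate/calculate.php", 0));
    printf("leaked (fixed):   %d\n", run_request("/var/www/activate/calculate.php", 1));
    return 0;
}
```

Running the unfixed path prints one "Freeing ... (8 bytes)" line followed by "Last leak repeated 1 times." (the second, 24-byte leak comes from the same source line), which is the shape of the error_log output in the report. Two caveats a practitioner should keep in mind: a leak of this kind explains the debug messages but, as derick notes, cannot by itself cause a segfault; and the fact that the crash disappears under --enable-debug only means the debug allocator changed the heap layout, not that the underlying fault is gone, so "no crash in the debug build" is not evidence that it is safe to run that build as a workaround.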
 [2001-04-16 05:30 UTC] jmoore@php.net
Derick, I'll assign this one to you so you remember it.. you said you had a fix.

- James
 [2001-04-16 07:10 UTC] derick@php.net
I committed the fix for the memleak, but the crash is most likely a problem in libmcrypt, because I had those same things when running a C program which uses these functions. The author of libmcrypt says this can be a problem in different versions of libltdl, but I had the same problem with both the 1.2 and 2.0 versions. I'm awaiting further response from Nikos now.
 [2001-05-01 03:27 UTC] derick@php.net
I can reproduce this on my own system, both through PHP and with a C-program. As the author of libmcrypt cannot reproduce this, I'll suspend this bug until I know more about it.
 [2001-06-10 21:32 UTC] jmoore@php.net
I think derick fixed this one.. can you try latest CVS please.

- James
 [2001-07-03 04:54 UTC] derick@php.net
Please try the latest version of libmcrypt. If it still
cores, reopen this report.

Derick
 [2001-07-04 22:02 UTC] old dot wolf at project-w dot com
With 2.4.9, the faults still occur (even with --enable-debug), but with 2.4.15, everything appears to be stable.

 [2001-07-05 02:51 UTC] derick@php.net
Ok.. so it was a bug in libmcrypt itself.