PHP :: Bug #66043 :: Segfault calling bind

Bug #66043	Segfault calling bind_param() on mysqli
Submitted:	2013-11-07 09:48 UTC	Modified:	2013-11-08 07:13 UTC
From:	victork at sekindo dot com	Assigned:	laruence (profile)
Status:	Closed	Package:	MySQLi related
PHP Version:	5.4.21	OS:	Linux(CentOS 5)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2013-11-07 09:48 UTC] victork at sekindo dot com

Description:
------------
Full problem description:
Calling mysql_stmt::bind_result() without storing it's result value in a variable on PHP using MySQLi module built against libmysl causing segmentation fault.

Notes:
If my mysqli is linked against libmysqlng no crashing occurs
If PHP debugger module(Like XDebug or Nusphere DBG) is active no crashing occurs(Looks like a timing issue ...)
If return value of mysql_stmt::bind_result() is stored($res = $stmt->bind_result(&$name);) no crashing occurs.


PHP code(Zend/zend_vm_execute.h)

if (fbc->type == ZEND_INTERNAL_FUNCTION) {  <---- For internal PHP routines
....
if (!zend_execute_internal) {
 553                                 /* saves one function call if zend_execute_internal is not used */
 554                                 fbc->internal_function.handler(opline->extended_value, ret->var.ptr, &ret->var.ptr, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
 555                         } else {
 556                                 zend_execute_internal(execute_data, NULL, RETURN_VALUE_USED(opline) TSRMLS_CC);
 557                         }
 558 
 559                         if (!RETURN_VALUE_USED(opline)) {
 [***segfault_560]                                 zval_ptr_dtor(&ret->var.ptr);
 561                         }

Tested affected PHP versions: 5.4.20 and 5.4.21
Unaffected PHP version: PHP 5.1.6 with patches and backports from RedHat/CentOS team.

Short Script To Reproduce(Please read the notes above):

php -r '$link = new mysqli("127.0.0.1", "root", "ew89sjw0aj", "mysql"); $stmt = $link->stmt_init();$stmt->prepare("SELECT User FROM user WHERE password=\"\"");$stmt->execute(); $stmt->bind_result($testArg); $stmt->fetch(); $stmt->close(); echo $testArg;'

If query like "SELECT 10" is used(Without tables) no crashing occurs.

PHP configuration(IUS repository package):
'./configure' '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib64' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--enable-gd-native-ttf' '--with-t1lib=/usr' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--with-kerberos' '--enable-ucd-snmp-hack' '--enable-shmop' '--enable-calendar' '--with-libxml-dir=/usr' '--enable-xml' '--with-system-tzdata' '--with-mhash' '--enable-force-cgi-redirect' '--libdir=/usr/lib64/php' '--enable-pcntl' '--with-imap=shared' '--with-imap-ssl' '--enable-mbstring=shared' '--enable-mbregex' '--with-gd=shared' '--enable-bcmath=shared' '--enable-dba=shared' '--with-db4=/usr' '--with-xmlrpc=shared' '--with-ldap=shared' '--with-ldap-sasl' '--enable-mysqlnd=shared' '--with-mysql=shared,mysqlnd' '--with-mysqli=shared,mysqlnd' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-interbase=shared,/usr/lib64/firebird' '--with-pdo-firebird=shared,/usr/lib64/firebird' '--enable-dom=shared' '--with-pgsql=shared' '--enable-wddx=shared' '--with-snmp=shared,/usr' '--enable-soap=shared' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--with-curl=shared,/usr' '--enable-fastcgi' '--enable-pdo=shared' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-mysql=shared,mysqlnd' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-pdo-dblib=shared,/usr' '--without-sqlite3' '--enable-json=shared' '--enable-zip=shared' '--without-readline' '--with-libedit' '--with-pspell=shared' '--enable-phar=shared' '--with-mcrypt=shared,/usr' '--with-tidy=shared,/usr' '--with-mssql=shared,/usr' '--enable-sysvmsg=shared' '--enable-sysvshm=shared' '--enable-sysvsem=shared' '--enable-posix=shared' '--with-unixODBC=shared,/usr' '--enable-fileinfo=shared' '--enable-intl=shared' '--with-icu-dir=/usr' '--with-enchant=shared,/usr' '--with-recode=shared,/usr'

All external modules except mysqli has been disabled during testing to exclude possibility of modules collision(Crashes with all modules and with only mysqli).


php.ini changes:
Increased limits of POST,memory,etc
Script timeout set to unlimited.
Include path enhanced with our project folder
pre/post autoinclude for xhprof files added.


GDB backtrace and info:

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=0x2aaaaaacf060) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:649
649                                     zval_ptr_dtor(&ret->var.ptr);
(gdb) bt
#0  zend_do_fcall_common_helper_SPEC (execute_data=0x2aaaaaacf060) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:649
#1  0x000000000060a9de in execute (op_array=0x2aaaaab05ec0) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:410
#2  0x00000000005d565e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.21/Zend/zend.c:1319
#3  0x000000000057af48 in php_execute_script (primary_file=0x7fffffffd6d0) at /usr/src/debug/php-5.4.21/main/main.c:2502
#4  0x000000000067d06d in do_cli (argc=2, argv=0x7fffffffea08) at /usr/src/debug/php-5.4.21/sapi/cli/php_cli.c:989
#5  0x000000000067d9ed in main (argc=2, argv=0x7fffffffea08) at /usr/src/debug/php-5.4.21/sapi/cli/php_cli.c:1365
(gdb) print &ret->var.ptr
$1 = (zval **) 0x2aaa00000008
(gdb) print ret->var.ptr
Cannot access memory at address 0x2aaa00000008

Test script:
---------------
php -r '$link = new mysqli("127.0.0.1", "root", "ew89sjw0aj", "mysql"); $stmt = $link->stmt_init();$stmt->prepare("SELECT User FROM user WHERE password=\"\"");$stmt->execute(); $stmt->bind_result($testArg); $stmt->fetch(); $stmt->close(); echo $testArg;'

Expected result:
----------------
root

Actual result:
--------------
Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-11-07 09:55 UTC] victork at sekindo dot com

Edit test

[2013-11-08 07:08 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

[2013-11-08 07:08 UTC] laruence@php.net

-Status: Open +Status: Closed

[2013-11-08 07:09 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

[2013-11-08 07:13 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2013-11-08 07:13 UTC] laruence@php.net

from mysql's dev manual, it says "In MySQL 5.0, mysql_stmt_attr_get() uses unsigned int *"

but actually, from the sources codes, it is unsigned long *. 

mysql-5.0.95/libmysql/libmysql.c:2776

"my_bool STDCALL mysql_stmt_attr_get(MYSQL_STMT *stmt,
                                    enum enum_stmt_attr_type attr_type,
                                    void *value)
{
  switch (attr_type) {
  case STMT_ATTR_UPDATE_MAX_LENGTH:
    *(unsigned long *) value= stmt->update_max_length;
    break;

"

[2013-11-08 10:16 UTC] dmitry@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

[2013-11-09 10:21 UTC] ab@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

[2014-10-07 23:16 UTC] stas@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 05:01:28 2024 UTC