Bug #79413 session_create_id() fails for active sessions
Submitted: 2020-03-25 18:52 UTC Modified: 2020-03-26 18:20 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: hakhak57 at hotmail dot com Assigned: cmb (profile)
Status: Closed Package: Session related
PHP Version: Irrelevant OS: Macos / linux
Private report: No CVE-ID: None
 [2020-03-25 18:52 UTC] hakhak57 at hotmail dot com
Description:
------------
Developing a library on macOS (10.14.6) in the form of middleware to facilitate secure use of sessions. This lib should work from PHP 7.1.

Problems appear when using the built-in session_create_id() in a class method when the session is already running (to test collision). This always ends up crashing (Segfault 11) during tests with PHPUnit (7.5.20) for PHP 7.1.33, 7.2.13 and 7.3.12, like in Bug #78295.
It also randomly crashes or raises memory leak alerts in the production environment. I refactored the code to prevent recursive calls, but the problem still occurred until December 2019.

These days, I've decided to dig into the PHP source code for the session ext with my rusty, rudimentary C knowledge and, as described in Bug #77178, I found that the collision check is not against SUCCESS but against FAILURE, resulting in rejection of collision-free ids 3 times and emission of the warning "Failed to create new ID" in the next "if else" block.

But for me it just crashes!!

Then I found the related Bug #79091 and tested my code against 7.2.27 and 7.3.14 (where new_id = NULL was added): no more crash, but the warning "session_create_id(): Failed to create new ID in…"

Just asking if this necessary fix (pointed out by @yohgaki in his comment of [2018-11-21] in Bug #77178) is going to roll out and be implemented in a minor update to avoid warnings?

Is it gonna be fixed also for the PHP 7.1 branch, for legacy reasons, to avoid crashes and warnings?

Thx for your work, guys :)

Test script:
---------------
<?php

declare(strict_types=1);

use PHPUnit\Framework\TestCase;

/**
 * Session crash tests
 * @runTestsInSeparateProcesses
 *
 * Note: this annotation is used to avoid problem of header already sent
 */
final class SessionCrashTest extends TestCase
{
    public function testSession(): void
    {
        \session_start();
        \session_create_id();

        $this->assertTrue(true);

        return;
    }
}

Expected result:
----------------
$php vendor/bin/phpunit

PHPUnit 7.5.20 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.1.33 with Xdebug 2.8.0
Configuration: /path/to/phpunit.xml

.                                                           1 / 1 (100%)

Time: 93 ms, Memory: 6.00 MB

OK (1 tests, 1 assertion)

Actual result:
--------------
$php vendor/bin/phpunit

PHPUnit 7.5.20 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.1.33 with Xdebug 2.8.0
Configuration: /path/to/phpunit.xml

F                                                                   1 / 1 (100%)

Time: 93 ms, Memory: 6.00 MB

There was 1 failure:

1) Project\Tests\SessionCrashTest::testSession
Test was run in child process and ended unexpectedly

FAILURES!
Tests: 1, Assertions: 0, Failures: 1.

-------------
Crash Report
-------------
Process:               php [41143]
Path:                  /usr/local/Cellar/php@7.1/7.1.33/bin/php
Identifier:            php
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        php [41136]
Responsible:           php [41143]
User ID:               501

Date/Time:             2020-03-25 18:51:00.907 +0100
OS Version:            Mac OS X 10.14.6 (18G3020)
Report Version:        12
Anonymous UUID:        

Sleep/Wake UUID:       

Time Awake Since Boot: 230000 seconds
Time Since Wake:       38000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000011385a50000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [41143]

VM Regions Near 0x11385a50000:
    __LINKEDIT             00000001169c4000-00000001169eb000 [  156K] r--/rwx SM=COW  /usr/lib/dyld
--> 
    MALLOC_TINY            00007fa1a0400000-00007fa1a0800000 [ 4096K] rw-/rwx SM=PRV  

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   php                           	0x0000000110260e75 zend_mm_realloc_heap + 730
1   php                           	0x000000011026632c zend_ast_append_str + 76
2   php                           	0x000000011024cc1d zendparse + 1793
3   php                           	0x000000011024fdb7 zend_compile + 103
4   php                           	0x000000011024fcfd compile_file + 55
5   php                           	0x000000011010b714 phar_compile_file + 264
6   xdebug.so                     	0x000000011334207c xdebug_compile_file + 12
7   php                           	0x000000011024ff3c compile_filename + 143
8   php                           	0x0000000110310a65 zend_include_or_eval + 255
9   php                           	0x00000001102d8875 ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER + 51
10  php                           	0x00000001102bf67a execute_ex + 98
11  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
12  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
13  php                           	0x00000001102bf67a execute_ex + 98
14  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
15  php                           	0x0000000110276350 zend_call_function + 1515
16  php                           	0x000000011029eb7a zend_call_method + 554
17  php                           	0x0000000110170444 zif_spl_autoload_call + 323
18  xdebug.so                     	0x0000000113342b85 xdebug_execute_internal + 853
19  php                           	0x0000000110276664 zend_call_function + 2303
20  php                           	0x0000000110276b18 zend_lookup_class_ex + 845
21  php                           	0x00000001102772b7 zend_fetch_class_by_name + 32
22  php                           	0x00000001102e52b3 ZEND_FETCH_CLASS_SPEC_CONST_HANDLER + 86
23  php                           	0x00000001102bf67a execute_ex + 98
24  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
25  php                           	0x00000001102d8ae5 ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER + 675
26  php                           	0x00000001102bf67a execute_ex + 98
27  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
28  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
29  php                           	0x00000001102bf67a execute_ex + 98
30  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
31  php                           	0x0000000110276350 zend_call_function + 1515
32  php                           	0x000000011029eb7a zend_call_method + 554
33  php                           	0x0000000110170444 zif_spl_autoload_call + 323
34  xdebug.so                     	0x0000000113342b85 xdebug_execute_internal + 853
35  php                           	0x0000000110276664 zend_call_function + 2303
36  php                           	0x0000000110276b18 zend_lookup_class_ex + 845
37  php                           	0x00000001102772b7 zend_fetch_class_by_name + 32
38  php                           	0x00000001102d5506 ZEND_NEW_SPEC_CONST_HANDLER + 355
39  php                           	0x00000001102bf67a execute_ex + 98
40  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
41  php                           	0x00000001102d4325 ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER + 620
42  php                           	0x00000001102bf67a execute_ex + 98
43  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
44  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
45  php                           	0x00000001102bf67a execute_ex + 98
46  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
47  php                           	0x00000001102d4325 ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER + 620
48  php                           	0x00000001102bf67a execute_ex + 98
49  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
50  php                           	0x00000001102d4325 ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER + 620
51  php                           	0x00000001102bf67a execute_ex + 98
52  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
53  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
54  php                           	0x00000001102bf67a execute_ex + 98
55  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
56  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
57  php                           	0x00000001102bf67a execute_ex + 98
58  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
59  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
60  php                           	0x00000001102bf67a execute_ex + 98
61  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
62  php                           	0x00000001102d3e3b ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 592
63  php                           	0x00000001102bf67a execute_ex + 98
64  xdebug.so                     	0x00000001133425c0 xdebug_execute_ex + 1296
65  php                           	0x00000001102bf8b2 zend_execute + 506
66  php                           	0x00000001102847a3 zend_execute_scripts + 277
67  php                           	0x000000011022efc4 php_execute_script + 628
68  php                           	0x0000000110319954 do_cli + 3862
69  php                           	0x00000001103188cb main + 1266
70  libdyld.dylib                 	0x00007fff5bba53d5 start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000008  rbx: 0x0000000000078900  rcx: 0x0000000000234890  rdx: 0x0000000000000008
  rdi: 0x0000000000000004  rsi: 0x0000000000234890  rbp: 0x00007ffedfcbc5c0  rsp: 0x00007ffedfcbc560
   r8: 0x0000000113478900   r9: 0x0000000000000048  r10: 0x0000000000000200  r11: 0x0000000000000030
  r12: 0x0000000113400040  r13: 0x0000000000400000  r14: 0x0000011385a50000  r15: 0x0000000113869150
  rip: 0x0000000110260e75  rfl: 0x0000000000010206  cr2: 0x0000011385a50000
  
Logical CPU:     3
Error Code:      0x00000004
Trap Number:     14

================================================================================

---------------------------------------------
When using PHP 7.3.15 after the Bug #79091 patch
---------------------------------------------

PHPUnit 7.5.20 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.3.15
Configuration: /path/to/phpunit.xml

E                                                                   1 / 1 (100%)

Time: 96 ms, Memory: 4.00 MB

There was 1 error:

1) Project\Tests\SessionCrashTest::testSession
session_create_id(): Failed to create new ID

/Project/tests/SessionCrashTest.php:25

ERRORS!
Tests: 1, Assertions: 0, Errors: 1.

History
 [2020-03-26 14:19 UTC] cmb@php.net
-Summary: PHP crashes if call to session_create_id when session running +Summary: session_create_id() fails for active sessions -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-03-26 14:19 UTC] cmb@php.net
Well, the crash is irrelevant now since it has been fixed; that
fix will not be backported to older versions, because we're not
supporting these anymore[1].

[1] <https://www.php.net/supported-versions.php>
 [2020-03-26 14:51 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79413: session_create_id() fails for active sessions
On GitHub:  https://github.com/php/php-src/pull/5305
Patch:      https://github.com/php/php-src/pull/5305.patch
 [2020-03-26 17:29 UTC] hakhak57 at hotmail dot com
Thx for your quick answer.

Well, it's too bad for the backport, but you can't maintain every version, I guess. :)

Is it going to be rolled out for 7.2 too? I saw that you support only security fixes.
 [2020-03-26 17:55 UTC] hakhak57 at hotmail dot com
I saw the quick patch you implemented (https://github.com/php/php-src/pull/5305.patch). I think the same problem appears in PHP_FUNCTION(session_regenerate_id) (line 2226).
I think it should be tested against SUCCESS too, to release the id if a collision is detected and create a new one.

It has also been pointed out in Bug #77178 (this patch should fix that bug too).

Don't know if I should send a pull request or just tell you.
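The inverted collision check that the report's description and the session_regenerate_id() comment above both refer to is easier to reason about with a model of the retry loop in hand. The C program below is an added illustration written for this page; it is neither php-src code nor the reporter's code. The names validate_sid, create_sid, create_id, try_create, session_store and sid_source are assumptions that stand in for the save-handler callbacks and loop described in the thread, with SUCCESS meaning "this ID already exists in the store" (a collision) and FAILURE meaning it does not. The loop takes the result it rejects on as a parameter so that the inverted check (reject on FAILURE) and the corrected check (reject on SUCCESS) can be run side by side over the same constructed candidate sequence, which shows the two symptoms at once: collision-free IDs are discarded three times and the loop ends with the "Failed to create new ID" case, while an ID that actually collides with the live session would be accepted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the session ID retry loop the report describes;
 * an added illustration, not php-src code. SUCCESS/FAILURE mirror the
 * names used in the report. */
#define SUCCESS 0
#define FAILURE (-1)
#define MAX_ATTEMPTS 3   /* the "3 times" in the report */

/* Constructed in-memory store of session IDs that already exist. */
typedef struct {
    const char *const *ids;
    int count;
} session_store;

/* Hypothetical model of a save handler's validate_sid callback: SUCCESS
 * when the ID already exists in the store (a collision), FAILURE when it
 * does not, so SUCCESS is the result that must trigger a retry. */
static int validate_sid(const session_store *store, const char *id)
{
    for (int i = 0; i < store->count; i++) {
        if (strcmp(store->ids[i], id) == 0) {
            return SUCCESS;
        }
    }
    return FAILURE;
}

/* Stand-in for create_sid: hands out candidate IDs from a caller-supplied
 * list so a scenario can decide whether and when a collision happens. */
typedef struct {
    const char *const *candidates;
    int count;
    int next;
} sid_source;

static const char *create_sid(sid_source *src)
{
    if (src->next >= src->count) {
        return NULL;
    }
    return src->candidates[src->next++];
}

/* The retry loop. reject_on is the validate_sid result that makes the loop
 * discard a candidate: FAILURE reproduces the inverted check the report
 * describes, SUCCESS is the corrected check. Returns NULL when no ID
 * survives MAX_ATTEMPTS, the case behind "Failed to create new ID". */
static const char *create_id(const session_store *store, sid_source *src, int reject_on)
{
    const char *new_id = NULL;
    int limit = MAX_ATTEMPTS;

    while (limit--) {
        new_id = create_sid(src);
        if (new_id == NULL) {
            break;
        }
        if (validate_sid(store, new_id) == reject_on) {
            new_id = NULL;  /* discard this candidate and retry */
            continue;
        }
        break;              /* accept this candidate */
    }
    return new_id;
}

/* Runs one scenario; fixed_check selects the corrected (1) or inverted (0)
 * comparison. Returns the accepted ID, or NULL on failure. */
const char *try_create(int fixed_check,
                       const char *const *existing, int n_existing,
                       const char *const *candidates, int n_candidates)
{
    session_store store = { existing, n_existing };
    sid_source src = { candidates, n_candidates, 0 };
    return create_id(&store, &src, fixed_check ? SUCCESS : FAILURE);
}

int main(void)
{
    /* Constructed data: one live session ID and two candidate sequences. */
    static const char *const existing[] = { "aaaaaaaa" };
    static const char *const fresh[] = { "bbbbbbbb", "cccccccc", "dddddddd" };
    static const char *const collide_first[] = { "aaaaaaaa", "bbbbbbbb", "cccccccc" };
    const char *id;

    id = try_create(0, existing, 1, fresh, 3);
    printf("inverted, fresh candidates:   %s\n", id ? id : "Failed to create new ID");
    id = try_create(1, existing, 1, fresh, 3);
    printf("corrected, fresh candidates:  %s\n", id ? id : "Failed to create new ID");
    id = try_create(0, existing, 1, collide_first, 3);
    printf("inverted, collision first:    %s\n", id ? id : "Failed to create new ID");
    id = try_create(1, existing, 1, collide_first, 3);
    printf("corrected, collision first:   %s\n", id ? id : "Failed to create new ID");
    return 0;
}
```

With the inverted comparison the first scenario exhausts all three attempts on perfectly usable IDs and returns NULL, which is the warning the reporter hit on 7.2.27 and 7.3.14; the third scenario shows why the comparison direction matters for session security, since a candidate that already exists in the store is the one the inverted check lets through. The corrected comparison discards only the colliding candidate and accepts the next fresh one.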
 [2020-03-26 18:20 UTC] cmb@php.net
> I think the same problem appears in
> PHP_FUNCTION(session_regenerate_id)

Indeed.  I've amended the PR.

> Is it going to be rolled out for 7.2 too ?

We *might* make an exception in this case.  That decision would
finally be up to the release managers.
 [2020-03-27 14:42 UTC] hakhak57 at hotmail dot com
Thx for your quick support

Take care
 [2020-03-31 06:42 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b510250b8ebe9d90b1db150d7a1edc75893f2e48
Log: Fix #79413: session_create_id() fails for active sessions
 [2020-03-31 06:42 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 16:01:29 2024 UTC