PHP :: Bug #18863 :: PHP leaves a SYSV semaphore unclosed (php -v). Denial of service possibility.

Bug #18863

PHP leaves a SYSV semaphore unclosed (php -v). Denial of service possibility.

Submitted:

2002-08-12 00:34 UTC

Modified:

2002-10-26 01:00 UTC

Votes:	6
Avg. Score:	4.8 ± 0.4
Reproduced:	6 of 6 (100.0%)
Same Version:	4 (66.7%)
Same OS:	5 (83.3%)

From:

bryce at redhat dot com

Assigned:

Status:

No Feedback

Package:

Unknown/Other Function

PHP Version:

4.1.2

OS:

RHAT Linux (i386 and Alpha)

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	bryce at redhat dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-08-12 00:34 UTC] bryce at redhat dot com

I've been contacted by a php user in the wild who told me that by simply issuing 'php -v', a semaphore that php opens for session management is not closed on exit.

This becomes bad news because the ipc system on linux is a global resource and not based per user, so it's possible for a local user to DOS the box by running php -v repeatidly.

[test@alpha3 test]$ ipcs > l
[test@alpha3 test]$ php -v
Content-type: text/html
4.1.2
[test@alpha3 test]$ ipcs > ll
[test@alpha3 test]$ diff l ll
9a10,11
> 0x00000000 65538      test      600        1         
> 0x00000000 98307      test      600        1         

I tried to trace this out between 4.1.2 and 4.2.2 (4.2.2 does not exhibit this behaviour) but I can find no obvious differances in the codepaths between versions. This behaviour seems to be present all the way back to 4.0.6 from the little additional checking I made.

Please see 
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=71097
For a more detailed analysis

The RH 4.1.2 configure incantation:
./configure --prefix=/usr --with-config-file-path=/etc --enable-force-cgi-redirect --disable-debug --enable-pic --disable-rpath --enable-inline-optimization --with-bz2 --with-db3 --with-curl --with-dom=/usr --with-exec-dir=/usr/bin --with-freetype-dir=/usr --with-png-dir=/usr --with-gd --enable-gd-native-ttf --with-ttf --with-gdbm --with-gettext --with-ncurses --with-gmp --with-iconv --with-jpeg-dir=/usr --with-mm --with-openssl --with-png --with-pspell --with-regex=system --with-xml --with-expat-dir=/usr --with-zlib --with-layout=GNU --enable-bcmath --enable-debugger --enable-exif --enable-ftp --enable-magic-quotes --enable-safe-mode --enable-sockets --enable-sysvsem --enable-sysvshm --enable-discard-path --enable-track-vars --enable-trans-sid --enable-yp --enable-wddx --without-oci8 --with-imap=shared --with-imap-ssl --with-kerberos=/usr/kerberos --with-ldap=shared --with-mysql=shared,/usr --with-pgsql=shared --with-snmp=shared,/usr --with-snmp=shared --enable-ucd-snmp-hack --with-unixODBC=shared --enable-memory-limit --enable-bcmath --enable-shmop --enable-versioning --enable-calendar --enable-dbx --enable-dio --enable-mbstring --enable-mbstr-enc-trans --enable-force-cgi-redirect


Phil
=--=

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-08-12 09:51 UTC] sander@php.net

IIRC, this was fixed someday...  if it works with 4.2.2 than it's no longer a bug. Please try a (non-STABLE) snapshot from http://snaps.php.net and reopen this report if the problem still persists.

[2002-10-10 00:25 UTC] mrfloppy at ntrippy dot net

I have just compiled and tested this on RH7.2 ans 4.2.4-dev and the same behaviour still exists.

If you run php -v enough times (in my case 58 times) you end up with a whole bunch of semaphore arrays that have not been cleaned up and php dying when run fit rom the command line with:

$ php -v
Content-type: text/html

PHP Fatal error:  Unable to start session mm module in Unknown on line 0

[2002-10-10 06:47 UTC] wez@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip

[2002-10-26 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 15:00:01 2025 UTC