[2002-11-11 06:44 UTC] mtak at beyondnetworks dot co dot jp
OS: RedHat7.3(Intel)
PHP: 4.2.2, 4.2.3, 4.3.0-pre2
Apache: 1.3.26, 1.3.27
libmm: 1.1.3(RPM), 1.2.1(tar.gz)

Apache:
# ./configure --enable-module=so ...

PHP:
# ./configure --with-apxs=/usr/local/apache/bin/apxs --with-mm .....
# ./cp php.ini-recommended /usr/local/lib/php.ini
# vi /usr/local/lib/php.ini
session.save_handler = files
->
session.save_handler = mm

bug.php
-------
<?php session_start(); ?>
.
-------

loop.sh
-------
#!/bin/bash
for((i = 0; i < 2000; ++i)); do wget -O - http://localhost/bug.php?PHPSESSID=$i; done
-------

(loop.sh requests bug.php 2000 times, each time with a different client-supplied PHPSESSID value in the URL.)

# sh loop.sh
..... wait a few minutes
# tail -f /usr/local/apache/logs/error_log
:
[Tue Oct 22 20:50:59 2002] [notice] child pid 26434 exit signal Segmentation fault (11)
:
:

Is this a bug? I think "ext/session/mod_mm.c: ps_sd_lookup()" has a problem.
Sorry, my English is weak.

This problem has appeared on 3 different machines (all x86).

# /usr/local/apache/bin/apachectl start (without -X)
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log

---

With /usr/local/apache/bin/httpd -X the segmentation fault did not occur, so I added php_error(E_WARNING, ...) calls to mod_mm.c and watched the state with "tail -f /usr/local/apache/logs/error_log".

Example:

  static ps_sd *ps_sd_lookup(ps_mm *data, const char *key, int rw)
  {
  php_uint32 hv, slot;
  ps_sd *ret, *prev;
+ pid_t pid = getpid();
  hv = ps_sd_hash(key, strlen(key));
  slot = hv & data->hash_max;
+ php_error(E_WARNING, "pid[%d] hv:%x key:%x slot:%x", pid, hv, key, slot);
  for (prev = NULL, ret = data->hash[slot]; ret; prev = ret, ret = ret->next)
  :
  :
  :

To get a core dump from the child process, Apache was re-compiled with the -DBIG_SECURITY_HOLE option (Apache 1.3 requires it before it will accept the "User root" setting below).

Edit /usr/local/apache/conf/httpd.conf:

User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal Segmentation fault (11), possible coredump in /tmp

The Apache child process dumped core.
Backtrace
----
(gdb) bt
#0 0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136", rw=0) at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1 0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c "136", val=0xbfffd1e0, vallen=0xbfffd1dc) at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2 0x401446b9 in php_session_initialize () at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3 0x40145864 in php_session_start () at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1004
#4 0x40147438 in zif_session_start (ht=0, return_value=0x8136fd4, this_ptr=0x0, return_value_used=0) at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1445
#5 0x4022cfc7 in execute (op_array=0x8136c3c) at /home/work/httpd/php-4.3.0pre2/Zend/zend_execute.c:1595
#6 0x4021a174 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/work/httpd/php-4.3.0pre2/Zend/zend.c:839
#7 0x401e1f13 in php_execute_script (primary_file=0xbffff6b0) at /home/work/httpd/php-4.3.0pre2/main/main.c:1542
#8 0x40231f36 in apache_php_module_main (r=0x812ff2c, display_source_mode=0) at /home/work/httpd/php-4.3.0pre2/sapi/apache/sapi_apache.c:55
#9 0x40232e00 in send_php (r=0x812ff2c, display_source_mode=0, filename=0x813093c "/usr/local/apache/htdocs/php/samples/session/bug.phtml") at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:556
#10 0x40232e6d in send_parsed_php (r=0x812ff2c) at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:571
#11 0x0806a7bb in ap_invoke_handler ()
#12 0x0807f723 in process_request_internal ()
#13 0x0807f784 in ap_process_request ()
#14 0x080765c1 in child_main ()
#15 0x0807682f in make_child ()
#16 0x08076bac in perform_idle_server_maintenance ()
#17 0x08077181 in standalone_main ()
#18 0x080777bb in main ()
#19 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

More info...
(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev = ret, ret = ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list */
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access memory at address 0x1f
(gdb) print data->hash[slot]->next
$7 = (struct ps_sd *) 0x1f

Note: ret (0x1f) is not a valid pointer. The same value is stored in data->hash[slot]->next, so the chain for slot 301 appears to be corrupted, and line 187 faults when it reads ret->hv.

RedHat 7.3, php4-STABLE-200601271135, mm-1.4.0

Same backtrace:

(gdb) bt
#0 0x403f0e18 in ps_sd_lookup (data=0x81e4e38, key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", rw=0) at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:188
#1 0x403f1126 in ps_read_mm (mod_data=0x406847b0, key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", val=0xbfff813c, vallen=0xbfff8140) at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:328
#2 0x403edb3d in php_session_initialize () at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:657
#3 0x403eed25 in php_session_start () at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:1106
#4 0x403efe95 in zif_session_start (ht=0, return_value=0x863dcac, this_ptr=0x0, return_value_used=0) at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:1566
#5 0x44ce53c7 in zend_optimizer_set_oe_ex () from /usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#6 0x44ce4a96 in zend_optimizer_set_oe_ex () from /usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#7 0x44ce9795 in zend_oe () from /usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#8 0x40462b6e in php_execute_script (primary_file=0xbffff080) at /usr/src/redhat/BUILD/php-4.4.x.dev/main/main.c:1753
#9 0x4049ff76 in apache_php_module_main (r=0x81cc56c, display_source_mode=0) at /usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/sapi_apache.c:54
#10 0x404a094b in send_php (r=0x81cc56c, display_source_mode=0, filename=0x0) at /usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/mod_php4.c:629
#11 0x404a098a in send_parsed_php (r=0x81cc56c) at /usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/mod_php4.c:643
#12 0x0805efab in ap_invoke_handler ()
---Type <return> to continue, or q <return> to quit---
#13 0x08076663 in process_request_internal ()
#14 0x08076ad1 in ap_internal_redirect ()
#15 0x42aa5ff0 in mod_gzip_redir1_handler (r=0x81810fc, dconf=0x81563e4) at mod_gzip.c:4684
#16 0x42aa42ba in mod_gzip_handler (r=0x81810fc) at mod_gzip.c:2643
#17 0x0805efab in ap_invoke_handler ()
#18 0x08076663 in process_request_internal ()
#19 0x080766c4 in ap_process_request ()
#20 0x0806bc01 in child_main ()
#21 0x0806be93 in make_child ()
#22 0x0806c210 in perform_idle_server_maintenance ()
#23 0x0806c879 in standalone_main ()
#24 0x0806cecf in main ()
#25 0x4017c1c4 in __libc_start_main () from /lib/libc.so.6

#0 0x403f0e18 in ps_sd_lookup (data=0x81e4e38, key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", rw=0) at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:188
188 for (prev = NULL, ret = data->hash[slot]; ret; prev = ret, ret = ret->next)
(gdb) Quit
(gdb) print prev
$1 = (ps_sd *) 0x0
(gdb) print ret
$2 = (ps_sd *) 0x48
(gdb) print data
$3 = (ps_mm *) 0x81e4e38
(gdb) print data[0]
$4 = {mm = 0x42cc8014, hash = 0x42cc8034, hash_max = 511, hash_cnt = 7,owner = 25922}
(gdb) print data->hash
$5 = (ps_sd **) 0x42cc8034
(gdb) print slot
$6 = 46
(gdb) print data->hash[46]
$7 = (ps_sd *) 0x48