PHP :: Bug #21989 :: openssl_csr_new causes apache+modphp to segfault

Bug #21989

openssl_csr_new causes apache+modphp to segfault

Submitted:

2003-01-31 13:58 UTC

Modified:

2003-02-03 17:23 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

cw at f00f dot org

Assigned:

iliaa (profile)

Status:

Closed

Package:

OpenSSL related

PHP Version:

4.3.0

OS:

Linux x86 (2.4.x, glibc 2.3)

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	cw at f00f dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-01-31 13:58 UTC] cw at f00f dot org

When php 4.3.0 is compiled as loaded as an apache module (apache 1.3.27 from Debian Linux) accessing the function openssl_csr_new causes apache to segfault.

Building php as a CGI this apparently does not happen (but I've not investigated this all that closely).

Attaching to the apache process (where modphp has been build with symbols) shows the actual segfault occurs inside php_openssl_make_REQ (no stack trace available as I guess something get's clobbered and messes this up).

Placing a breakpoint at php_openssl_make_REQ I see it is entered with a stack of:

Breakpoint 2, php_openssl_make_REQ (req=0xbfffcf24, csr=0x8116c70, dn=0x8117e1c, attribs=0x0)
    at /home/cw/wk/zaphod/php4/php4-4.3.0/ext/openssl/openssl.c:1143
1143            STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
(gdb) bt
#0  php_openssl_make_REQ (req=0xbfffcf24, csr=0x8116c70, dn=0x8117e1c, attribs=0x0)
    at /home/cw/wk/zaphod/php4/php4-4.3.0/ext/openssl/openssl.c:1143
#1  0x403a8429 in zif_openssl_csr_new (ht=2, return_value=0x81163ec, this_ptr=0x0, return_value_used=1)
    at /home/cw/wk/zaphod/php4/php4-4.3.0/ext/openssl/openssl.c:1583
#2  0x404adf62 in execute (op_array=0x811333c) at /home/cw/wk/zaphod/php4/php4-4.3.0/Zend/zend_execute.c:1596
#3  0x4049af24 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cw/wk/zaphod/php4/php4-4.3.0/Zend/zend.c:864
#4  0x4045fd53 in php_execute_script (primary_file=0xbffff764) at /home/cw/wk/zaphod/php4/php4-4.3.0/main/main.c:1573
#5  0x404b3470 in apache_php_module_main (r=0x8109564, display_source_mode=0) at /home/cw/wk/zaphod/php4/php4-4.3.0/sapi/apache/sapi_apache.c:55
#6  0x404b4410 in send_php (r=0x8109564, display_source_mode=0, filename=0x810b0dc "/var/www/other.php")
    at /home/cw/wk/zaphod/php4/php4-4.3.0/sapi/apache/mod_php4.c:556
#7  0x404b448f in send_parsed_php (r=0x8109564) at /home/cw/wk/zaphod/php4/php4-4.3.0/sapi/apache/mod_php4.c:571
#8  0x08053b34 in ap_invoke_handler ()
#9  0x0806368c in ap_some_auth_required ()
#10 0x080636e8 in ap_process_request ()
#11 0x0805ce2b in ap_child_terminate ()
#12 0x0805cfbc in ap_child_terminate ()
#13 0x0805d0d9 in ap_child_terminate ()
#14 0x0805d5b5 in ap_child_terminate ()
#15 0x0805dcbd in main ()
#16 0x400e59f1 in __libc_start_main () from /lib/libc.so.6

and then dies at php4-4.3.0/ext/openssl/openssl.c line 1185 (the call to X509_NAME_add_entry_by_NID):

Breakpoint 4, php_openssl_make_REQ (req=0xbfffcf24, csr=0x8116c70, dn=0x8117e1c, attribs=0x0)
    at /home/cw/wk/zaphod/php4/php4-4.3.0/ext/openssl/openssl.c:1185
1185                                            if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC,
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x402c6f8b in sk_value () from /usr/lib/i686/cmov/libcrypto.so.0.9.6
(gdb) 


I don't know enough about this call, php or indeed anything to really know what variables to poke and look at further.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-02-03 15:29 UTC] iliaa@php.net

What parameters are you passing to the function, but first try to see if the problem persists in the latest snapshot of PHP.

[2003-02-03 15:38 UTC] cw at f00f dot org

the test/demo code from http://php.planetmirror.com/manual/en/function.openssl-csr-new.php suffices to trigger this:

$dn = array(
    "countryName" => "UK",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@php.net"
);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new();

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey); // kaboom

[2003-02-03 16:22 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

I cannot replicate the described bug using latest CVS + openssl 0.9.7. Try downloading a snapshot and see if the crash still occurs.

[2003-02-03 17:17 UTC] cw at f00f dot org

The snapshot version appears to work correctly.

Will a fix be back ported to a stable branch(?) or is STABLE-latest considered as stable as a release or very nearly so?

[2003-02-03 17:23 UTC] iliaa@php.net

The 'STABLE' branch will be released as 4.3.1 at some future point.

Closing the report as the user indicated the bug no longer occurs in latest CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 14:01:32 2024 UTC