Bug #41621 Simple snippet of code consistently crashes FastCGI engines
Submitted: 2007-06-07 09:16 UTC
Modified: 2010-12-20 12:27 UTC
From: php at mike2k dot com
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 5.2.3
OS: Ubuntu Edgy & CentOS / Linux 2.6
Private report: No
CVE-ID: None
 [2007-06-07 09:16 UTC] php at mike2k dot com
Description:
------------
The simple code below somehow magically triggers a segfault.

PHP is compiled with

'./configure' '--enable-fastcgi' '--enable-discard-path' '--enable-force-cgi-redirect' '--enable-cli'
 '--with-mysql' '--with-mysqli=/usr/bin/mysql_config' '--with-curl' '--enable-mbstring' '--with-zlib' '--with-gd'
 '--enable-track-vars' '--enable-inline-optimization' '--disable-rpath' '--disable-ipv6' '--disable-debug'
 '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-freetype-dir' '--enable-gd-native-ttf' '--enable-shmop'
 '--with-xsl' '--enable-sockets' '--enable-pcntl' '--with-mcrypt' '--with-bz2' '--enable-sqlite-utf8' '--with-tidy'
 '--with-pcre-dir' '--enable-exif'

NO bytecode caches or optimizers currently running either.

Reproduce code:
---------------
<?
$uri = ereg_replace('^/bootstrap.php', '', $_SERVER['PATH_INFO']).'/';        

function uri_check($uri, $level) {
    global $config;    
    $uri = substr($uri, 0, strrpos($uri, '/'));    
    if(file_exists($config['base_dir'].$uri.'.php') || file_exists($config['base_dir'].$uri.'/index.php')) {    

    }
     uri_check($uri, $level+1);   
}

uri_check($uri, 1);
?>

Expected result:
----------------
Webserver returns a bad gateway 502 error.

This shows up in dmesg/system logs, one per request:

php-cgi[10541]: segfault at 0000007fbf3ffd48 rip 00000000006d7055 rsp 0000007fbf3ffd50 error 6
php-cgi[10546]: segfault at 0000007fbf3ffd48 rip 00000000006d7055 rsp 0000007fbf3ffd50 error 6
php-cgi[10548]: segfault at 0000007fbf3ffd48 rip 00000000006d7055 rsp 0000007fbf3ffd50 error 6
php-cgi[10535]: segfault at 0000007fbf3ffd48 rip 00000000006d7055 rsp 0000007fbf3ffd50 error 6
php-cgi[10596]: segfault at 0000007fbf3fff98 rip 00000000006d7055 rsp 0000007fbf3fffa0 error 6


Actual result:
--------------
it's a pretty simple recursive function. no classes, nothing. putting that code by itself in a file without any other code (includes, anything) consistently crashes. hopefully it does for someone else who is more skilled with the debugging process.


 [2007-06-07 09:22 UTC] php at mike2k dot com
I understand this code doesn't actually make sense, it's not finished. But during the trial and erroring process is when I figured out it was crashing. If anything it should execute and give me the wrong results, show an error, or get caught in an infinite loop. Actually, the infinite loop piece might be it.

Is there any way to trap this? Some sort of recursion limitation?

Now that I am looking at the online manual, this page http://www.php.net/functions has the exact same concept.

However, the expected result would be that PHP kills it, at least with a message.
 [2007-06-07 09:28 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-06-07 09:36 UTC] php at mike2k dot com
this is the function again:

<?php
$config['base_dir'] = "/home/foo";

$uri = ereg_replace('^/bootstrap.php', '', $_SERVER['PATH_INFO']).'/';

function uri_check($uri, $level) {
    global $config;    
    $uri = substr($uri, 0, strrpos($uri, '/'));    
    if(file_exists($config['base_dir'].$uri.'.php') ||
       file_exists($config['base_dir'].$uri.'/index.php')) {    
        echo "something";
    }
     uri_check($uri, $level+1);   
}

uri_check($uri, 1);
?>

it is apparent that the issue is an infinite loop. i need to put the uri_check() call inside of the file_exists() stuff.

the expected result would be a friendlier crash. something about a maximum recursion limit reached (i thought that error already existed?)
 [2007-06-07 09:38 UTC] tony2001@php.net
>this is the function again:
Thanks, but I asked for COMPLETE reproduce case.

>it is apparent that the issue is an infinite loop.
Then it's apparent that this is stack overflow.

 [2007-06-07 09:42 UTC] php at mike2k dot com
i am sorry, but what is not complete below?

that script right there is all you need.

i would appreciate this being filed as a feature request for graceful handling of a recursion limit, now that i was able to determine it.
 [2010-12-20 12:27 UTC] jani@php.net
-Package: Tidy +Package: *General Issues
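
The reproduce script never terminates because the URI stops shrinking once it is empty, so each request recurses until php-cgi runs out of stack. The following is an added example, not code from the report or from PHP itself: a terminating variant of the same walk with an explicit depth cap that fails with a catchable exception. `resolve_script()`, `MAX_URI_DEPTH` and the temporary sample tree are hypothetical names and data chosen for illustration.

```php
<?php
// Added example; resolve_script() and MAX_URI_DEPTH are hypothetical names.
const MAX_URI_DEPTH = 32;

function resolve_script(string $baseDir, string $uri, int $level = 1): ?string
{
    if ($level > MAX_URI_DEPTH) {
        // Catchable error instead of recursing until the process stack is exhausted.
        throw new RuntimeException('URI nesting exceeds ' . MAX_URI_DEPTH . ' levels');
    }
    // PATH_INFO is request-controlled and is appended to a filesystem path.
    if (strpos($uri, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $uri)) {
        throw new InvalidArgumentException('Rejected URI');
    }
    $pos = strrpos($uri, '/');
    if ($pos === false) {
        return null;                       // nothing left to strip: stop
    }
    $uri = substr($uri, 0, $pos);          // drop the last path segment
    $candidates = ($uri === '')
        ? ['/index.php']
        : [$uri . '.php', $uri . '/index.php'];
    foreach ($candidates as $candidate) {
        if (is_file($baseDir . $candidate)) {
            return $baseDir . $candidate;
        }
    }
    // Base case the original lacked: an empty URI cannot be shortened further.
    return $uri === '' ? null : resolve_script($baseDir, $uri, $level + 1);
}

// Constructed sample tree: <tmp>/uri_check_demo_<pid>/blog/index.php
$base = sys_get_temp_dir() . '/uri_check_demo_' . getmypid();
mkdir($base . '/blog', 0700, true);
touch($base . '/blog/index.php');

var_dump(resolve_script($base, '/blog/2007/06/post/'));   // falls back to blog/index.php
var_dump(resolve_script($base, '/missing/page/'));        // walks to the root, no match
try {
    resolve_script($base, str_repeat('/x', 100) . '/');   // deeper than the cap
} catch (RuntimeException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}

unlink($base . '/blog/index.php');
rmdir($base . '/blog');
rmdir($base);
```

The cap only needs to exceed the deepest legitimate URL in the application; the base case alone fixes the crash, and the cap keeps a request-supplied path from dictating recursion depth.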
 