php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75968 php-fpm restarts master process in a loop when using Program execution Function
Submitted: 2018-02-16 15:22 UTC Modified: 2018-02-23 16:54 UTC
Votes:26
Avg. Score:5.0 ± 0.2
Reproduced:21 of 21 (100.0%)
Same Version:14 (66.7%)
Same OS:10 (47.6%)
From: schnederle at futureweb dot at Assigned: bukka (profile)
Status: Duplicate Package: FPM related
PHP Version: 7.2.2 OS: Centos/RHEL 7.4
Private report: No CVE-ID: 2015-9253
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: schnederle at futureweb dot at
New email:
PHP Version: OS:

 

 [2018-02-16 15:22 UTC] schnederle at futureweb dot at 
Description:
------------
Follow-Up to already reported Bug #70185 (https://bugs.php.net/bug.php?id=70185)
Still a Problem with current PHP 7.2.2.

When using Program execution Functions (passthru(), exec(), shell_exec(), system(), ...) the php-fpm: master process reproduceable crashes with signal 15 (SIGTERM) which leads to crash-loop, 100% CPU usage and spamming of Logs (30GB within 1 day on my Dev-Server)

Test script:
---------------
<?php
exec('/usr/bin/postcss css_from.css --use autoprefixer --autoprefixer.remove "false" --output css_to.css');
echo 'Done';
?>

Actual result:
--------------
Millions of:
...
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53778 exited on signal 15 (SIGTERM) after 0.046685 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53782 exited on signal 15 (SIGTERM) after 0.045416 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53785 exited on signal 15 (SIGTERM) after 0.045331 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53787 exited on signal 15 (SIGTERM) after 0.044765 seconds from start
...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-16 15:32 UTC] schnederle at futureweb dot at 
correction - not the master process crashes but php-fpm continues to restart the process over and over again using 100% of the CPU on the php-fpm master process. (crash loop)
 [2018-02-16 15:38 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2018-02-16 15:38 UTC] nikic@php.net 
Is it possible to provide a **self-contained** reproducer for this? That is, using something like "ls" rather than "postcss"?

If not, please provide detailed instructions on how to reproduce this, including any necessary input files and instructions for the installation of necessary programs.
 [2018-02-16 15:51 UTC] schnederle at futureweb dot at 
was able to reproduce behaviour "self contained":

Script 1:
<?php
stream_set_blocking(STDIN, false);
echo "Blah";
?>

Script 2:
<?php
passthru('/usr/bin/php /path/to/1.php');
?>

Reproduceable on 2 Machines with php-fpm 7.2.2 and earlier.

As it can be used to DOS Shared Hosting Servers (i.e. all Plesk Servers use PHP-FPM) I think this got some Security implications too.
 [2018-02-16 15:54 UTC] nikic@php.net
-Status: Feedback +Status: Open
 [2018-02-19 13:15 UTC] schnederle at futureweb dot at 
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
 [2018-02-20 10:38 UTC] schnederle at futureweb dot at 
someone with proper rights please assign CVE-2015-9253 to this Bug Report.

Source:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
- https://www.futureweb.at/security/CVE-2015-9253/
 [2018-02-20 23:07 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes -CVE-ID: +CVE-ID: 2015-9253
 [2018-02-20 23:11 UTC] stas@php.net
-Package: Reproducible crash +Package: FPM related
 [2018-02-20 23:11 UTC] stas@php.net 
Could someone explain to me why this is a security issue? Which permission border is being crossed?
 [2018-02-20 23:12 UTC] stas@php.net 
I mean, if you have process exec privileges, couldn't you just "kill -9" your parent  FPM process from shell and achieve the same effect?
 [2018-02-21 13:18 UTC] cmb@php.net 
> Could someone explain to me why this is a security issue?

Sorry, I can't.  I've merely switched to private, since a CVE had
been assigned.
 [2018-02-23 03:27 UTC] stas@php.net
-Assigned To: +Assigned To: bukka
 [2018-02-23 14:03 UTC] bukka@php.net 
This seems just like a duplicate of the https://bugs.php.net/bug.php?id=70185 that is public already so there is no reason to keep this as a security bug IMHO.
 [2018-02-23 16:54 UTC] nikic@php.net
-Status: Assigned +Status: Duplicate -Type: Security +Type: Bug
 [2018-02-23 16:54 UTC] nikic@php.net 
Duplicate of bug #73342. Unassigning privacy status as this has been public for a long time already.

Bug #73342 also has a patch attached, though I haven't checked if it makes sense.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 15:01:30 2024 UTC