PHP :: Bug #34731 :: segmentation fault during request shutdown

Bug #34731	segmentation fault during request shutdown
Submitted:	2005-10-04 15:59 UTC	Modified:	2005-10-04 20:16 UTC
From:	novicky at aarongroup dot cz	Assigned:	tony2001 (profile)
Status:	Closed	Package:	OCI8 related
PHP Version:	5CVS-2005-10-04 (CVS)	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	novicky at aarongroup dot cz
New email:
PHP Version:		OS:

New Comment:

[2005-10-04 15:59 UTC] novicky at aarongroup dot cz

Description:
------------
There is an incorrect session destructor registration. The pointer registered by zend_list_insert points to a memory block which is then released by efree. This can lead to segmentation fault when destructor is called. A proposed patch follows (the same problem is id development branch)

--- php5-STABLE-200510041238/ext/oci8/oci8.c.ORIG       2005-10-04 15:39:42.301952856 +0200
+++ php5-STABLE-200510041238/ext/oci8/oci8.c    2005-10-04 15:40:58.979935427 +0200
@@ -2879,7 +2879,6 @@
                )
        );

-       session->num = zend_list_insert(session, le_session);
        session->is_open = 1;

        mutex_lock(mx_lock);
@@ -2892,6 +2891,7 @@
                }
        mutex_unlock(mx_lock);

+       session->num = zend_list_insert(session, le_session);
        oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

        return session;

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-04 18:29 UTC] sniper@php.net

Assigned to the maintainer.

[2005-10-04 18:48 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.

[2005-10-04 19:38 UTC] novicky at aarongroup dot cz

It is hard to reproduce but working on deallocated memory blocks is extremely dangerous. We had problems with segmentation faults on Sparc/Solaris 9.
Have a look on following code coming from oci8.c - first a session pointer is inserted into the list zend_list_insert(), while few lines bellow the session structure is copied into a new location zend_llist_add_element() and the original memory block is deallocated by efree(). Thus destructor applied on list would work on deallocated memory!!!

	session->num = zend_list_insert(session, le_session);
 	session->is_open = 1;

	mutex_lock(mx_lock);
		num_links++;
		if (!exclusive) {
			zend_llist_add_element(session_list, session);
			efree(session);
			session = (oci_session*) session_list->tail->data;
			num_persistent++;
		}
	mutex_unlock(mx_lock);

	oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

	return session;

[2005-10-04 20:16 UTC] tony2001@php.net

Patch committed, thanks.
But I'd really recommend you to switch to the new OCI8 from PECL (see http://pecl.php.net/oci8).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC