Bug #45188 Crash during request shutdown if mail server shuts down
Submitted: 2008-06-05 15:41 UTC
Modified: 2009-06-03 11:41 UTC
From: thomas dot jarosch at intra2net dot com
Assigned: fb-req-jani
Status: Closed
Package: IMAP related
PHP Version: 5.2.6
OS: linux
Private report: No
CVE-ID: None

 [2008-06-05 15:41 UTC] thomas dot jarosch at intra2net dot com
Description:
------------
Hello together,

if you use a webmail application like Horde's IMP and restart the 
server while an IMAP command is processing, PHP segfaults on request 
shutdown.

Here's a backtrace of the crash:

(gdb) bt
#0  0x632f6564 in ?? ()
#1  0x01a6b575 in mail_close_full (stream=0x87b8ad8, options=0) at 
mail.c:1361
#2  0x01a494e3 in mail_close_it (rsrc=0xb7977840) 
at /usr/src/redhat/BUILD/php-5.2.6/ext/imap/php_imap.c:229
#3  0x006dacc7 in list_entry_destructor (ptr=0xb7977840) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:184
#4  0x006d8a3a in zend_hash_del_key_or_index (ht=0x7cb480, arKey=0x0, 
nKeyLength=0, h=81, flag=1) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:497
#5  0x006da915 in _zend_list_delete (id=81) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:58
#6  0x006cb9ed in _zval_dtor_func (zvalue=0xb79d7a74) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.c:60
#7  0x006be95e in _zval_dtor (zvalue=0xb79d7a74) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.h:35
#8  0x006bebac in _zval_ptr_dtor (zval_ptr=0xb79a9610) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:414
#9  0x006d8b33 in zend_hash_destroy (ht=0xb7a1a71c) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:526
#10 0x006eae64 in zend_object_std_dtor (object=0xb7b9bf08) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:45
#11 0x006eb287 in zend_objects_free_object_storage 
(object=0xb7b9bf08) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:122
#12 0x006eec3f in zend_objects_store_free_object_storage 
(objects=0x7cb528) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects_API.c:89
#13 0x006be7c7 in shutdown_executor () 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:299
#14 0x006cd48d in zend_deactivate () 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend.c:860
#15 0x0067d8d2 in php_request_shutdown (dummy=0x0) 
at /usr/src/redhat/BUILD/php-5.2.6/main/main.c:1486
#16 0x00742f2f in php_apache_request_dtor (r=0x8776f70) 
at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#17 0x007438ce in php_handler (r=0x8776f70) 
at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:641
#18 0x08065f19 in ap_run_handler ()
#19 0x08068f61 in ap_invoke_handler ()
#20 0x080639d8 in ap_process_request ()
#21 0x0805e6b8 in _start ()

I took a look at the structures in #1 mail_close_full 
(stream=0x87b8ad8, options=0), the memory was totally bogus and 
already reused. To me this looks like a use-after-free issue.

While debugging I've found another crash in c-client's IMAP extension 
and I will submit a patch upstream.

I was unable to find the source of this crash, but I suspect the 
connection already gets closed and then PHP tries to close it twice 
or something like that.

Reproduce code:
---------------
Move mails via IMAP to another folder and restart your IMAP server.

Expected result:
----------------
Error message "Connection to server died".

Actual result:
--------------
Segfault.

 [2009-05-19 15:24 UTC] jani@php.net
Now, since you could fix the compile failure, does your original issue in this report exist or not using that snapshot? (we'll deal with that compile failure, don't worry :)
 [2009-05-27 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-06-03 11:41 UTC] thomas dot jarosch at intra2net dot com
I was now able to verify that the issue does not occur
with PHP 5.2.x 200906030630 anymore. Case closed :-)