Bug #46444 invalid session.save_path crashes when --with-pic is used
Submitted: 2008-10-31 23:12 UTC
Modified: 2009-04-14 01:00 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: hostmaster at uuism dot net
Assigned:
Status: No Feedback
Package: Session related
PHP Version: 5.2CVS-2008-11-02
OS: Fedora Core 4
Private report: No
CVE-ID: None
 [2008-10-31 23:12 UTC] hostmaster at uuism dot net
Description:
------------
When I run the test ext/session/tests/016.phpt, I still get a core dump with PHP 5.2.6 on FC4 and Linux kernel 2.6.20.1. The run-tests script puts FAIL in front of the description.

The same problem was reported in Bug #43361 "invalid session.save_path test cause php crash".

Here are the results:

# TEST_PHP_EXECUTABLE=sapi/cli/php sapi/cli/php run-tests.php ext/session/tests/016.phpt

=====================================================================
PHP         : sapi/cli/php
PHP_SAPI    : cli
PHP_VERSION : 5.2.6
ZEND_VERSION: 2.2.0
PHP_OS      : Linux - Linux host.uuserver.net 2.6.20.1 #16 SMP Thu Nov 8 14:19:44 EST 2007 i686
INI actual  : /usr/local/src/php-5.2.6/sapi/cli/php.ini
More .INIs  : /etc/php.d/mysql.ini,/etc/php.d/mysqli.ini
CWD         : /usr/local/src/php-5.2.6
Extra dirs  :
=====================================================================
Running selected tests.
FAIL invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    1 (100.0%) (100.0%)
Tests passed    :    0 (  0.0%) (  0.0%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================


Reproduce code:
---------------
--INI--
session.save_path="123;:/really\\completely:::/invalid;;,23123;213"
session.use_cookies=0
session.cache_limiter=
session.save_handler=files
session.serialize_handler=php
--FILE--
<?php
error_reporting(E_ALL);

@session_start();
$HTTP_SESSION_VARS["test"] = 1;
@session_write_close();
print "I live\n";
?>


Expected result:
----------------
no core dump

Actual result:
--------------
core dump

 [2008-11-01 23:20 UTC] jani@php.net
Are you loading any shared extensions? 
 [2008-11-02 00:55 UTC] hostmaster at uuism dot net
Modules:  mbstring.so; mysql.so; mysqli.so; soap.so; and xmlrpc.so

I reran the test without any modules and the results were the same.

Configuration string:

--build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic --disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin --with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr --with-openssl --with-pspell --with-pcre-regex=/usr/local --with-zlib --with-layout=GNU --enable-exif --enable-ftp --enable-magic-quotes --enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx --with-pear=/usr/share/pear --with-kerberos --enable-ucd-snmp-hack --with-unixODBC=shared,/usr --enable-shmop --enable-calendar --with-mime-magic=/etc/httpd/conf/magic --without-sqlite --with-libxml-dir=/usr/local --enable-force-cgi-redirect --enable-pcntl --with-imap=shared --with-imap-ssl --enable-mbstring=shared --enable-mbregex --with-ncurses=shared --with-gd=shared --enable-bcmath=shared --enable-dba=shared --with-db4=/usr --with-xmlrpc=shared --with-ldap=shared --with-mysql=shared,/usr --with-mysqli=shared,/usr/bin/mysql_config --enable-dom=shared --with-pgsql=shared --with-snmp=shared,/usr --enable-soap=shared --with-xsl=shared,/usr --enable-fastcgi --with-pcre-dir=/usr/local --enable-xmlreader=shared --with-mcrypt --with-mhash --with-config-file-path=/etc/php-5.2.6 --with-config-file-scan-dir=/etc/php-5.2.6/php.d

Should it make any difference that I used --disable-debug?

I went back and ran configure again with --enable-debug and all the same other parameters.  This time the test PASSED.

I don't understand.

Jim
 [2008-11-04 02:59 UTC] hostmaster at uuism dot net
jani,

I reran my original configuration with '--disable-debug' and got you more information from the backtrace:

[snip]
Core was generated by `/usr/local/src/php5.2-200811022130/sapi/cli/php -n -c /usr/local/src/php5.2-200'.
Program terminated with signal 11, Segmentation fault.
#0  php_session_start () at /usr/local/src/php5.2-200811022130/ext/session/session.c:621
621             if (PG(register_long_arrays)) {
(gdb) bt
#0  php_session_start () at /usr/local/src/php5.2-200811022130/ext/session/session.c:621
#1  0x08190660 in zif_session_start (ht=0, return_value=0xb7c15b14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php5.2-200811022130/ext/session/session.c:1824
#2  0x082b923a in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe7d78c)
    at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:200
#3  0x082a8c2f in execute (op_array=0xb7c15f94) at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:92
#4  0x08288190 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5.2-200811022130/Zend/zend.c:1134
#5  0x08240eb3 in php_execute_script (primary_file=0xbfe7fb88) at /usr/local/src/php5.2-200811022130/main/main.c:2023
#6  0x0831041e in main (argc=108, argv=0xbfe7fca4) at /usr/local/src/php5.2-200811022130/sapi/cli/php_cli.c:1134

(gdb) frame 3
#3  0x082a8c2f in execute (op_array=0xb7c15f94) at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8436fdc "session_start"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0xb7c16060 "/usr/local/src/php5.2-200811022130/ext/session/tests/016.php"

(gdb) frame 2
#2  0x082b923a in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe7d78c)
    at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:200
200                             ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$4 = 0x8436fdc "session_start"
(gdb) print (char *)executor_globals.active_op_array->function_name
$5 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$6 = 0xb7c16060 "/usr/local/src/php5.2-200811022130/ext/session/tests/016.php"
 [2008-11-09 00:12 UTC] hostmaster at uuism dot net
jani,

It appears to be related to the --with-pic option.

Here are the results:

Case 1:  PASS ext/session/tests/016.phpt (ran twice)

./configure --disable-all --disable-cgi --enable-session --with-pcre-regex --build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug

Case 2:  FAIL ext/session/tests/016.phpt

./configure --disable-all --disable-cgi --enable-session --with-pcre-regex --build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic

Jim
 [2008-11-11 18:49 UTC] jani@php.net
Try this:

# rm config.cache
# ./configure --disable-all --disable-cgi --enable-session --disable-debug --with-pic
# make test TESTS=ext/session/tests/016.phpt


 [2008-11-17 16:45 UTC] hostmaster at uuism dot net
I ran these commands:

#rm config.cache
#./configure --disable-all --disable-cgi --enable-session --disable-debug --with-pcre-regex --with-pic
#make clean
#make test TESTS=ext/session/tests/016.phpt

[snip]

=====================================================================
PHP         : /usr/local/src/php5.2-200811022130/sapi/cli/php
PHP_SAPI    : cli
PHP_VERSION : 5.2.7RC3-dev
ZEND_VERSION: 2.2.0
PHP_OS      : Linux - Linux host.uuserver.net 2.6.20.1 #16 SMP Thu Nov 8 14:19:44 EST 2007 i686
INI actual  : /usr/local/src/php5.2-200811022130/tmp-php.ini
More .INIs  :
CWD         : /usr/local/src/php5.2-200811022130
Extra dirs  :
VALGRIND    : Not used
=====================================================================
Running selected tests.
FAIL invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    1 (100.0%) (100.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :    0 (  0.0%) (  0.0%)
---------------------------------------------------------------------
Time taken      :    0 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
 [2009-01-02 15:41 UTC] crrodriguez at opensuse dot org
Same here

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d56560 in strlen () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff5d56560 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1  0x00000000005a06d8 in ps_open_files (mod_data=0xddd960, save_path=0x7b <Address 0x7b out of bounds>, session_name=0xaaa37a "PHPSESSID")
    at /home/cristian/php5/ext/session/mod_files.c:325
        data = (ps_files *) 0xfdfaf0
        p = 0xdeff7a ";213"
        last = 0xdeff74 ",23123;213"
        argv = {0xdeff50 "123;:/really\\completely:::/invalid;;,23123;213", 0xdeff54 ":/really\\completely:::/invalid;;,23123;213",
  0xdeff73 ";,23123;213"}
        argc = 4
        dirdepth = 123
        filemode = 0
#2  0x0000000000599118 in php_session_initialize () at /home/cristian/php5/ext/session/session.c:512
        val = 0xfde576 "L)\r�\r�\r�"
        vallen = 0
#3  0x000000000059d732 in php_session_start () at /home/cristian/php5/ext/session/session.c:1479
        ppid = (zval **) 0xfdc678
        data = (zval **) 0x78
        p = 0x887fd0 "H\211l$�L\211|$�H\215-�}M"
        value = 0x0
        nrand = 32767
        lensess = 9
#4  0x000000000059ed3d in zif_session_start (ht=0, return_value=0xfdc6c8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cristian/php5/ext/session/session.c:1886
No locals.
#5  0x0000000000818899 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e6f090) at /home/cristian/php5/Zend/zend_vm_execute.h:313
        opline = (zend_op *) 0xfddff0
        should_change_scope = 0 '\0'
#6  0x000000000081df90 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7e6f090) at /home/cristian/php5/Zend/zend_vm_execute.h:1564
        opline = (zend_op *) 0xfddff0
        fname = (zval *) 0xfde020
#7  0x0000000000817987 in execute (op_array=0xfdd418) at /home/cristian/php5/Zend/zend_vm_execute.h:104
        ret = 0
        execute_data = (zend_execute_data *) 0x7ffff7e6f090
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#8  0x00000000007e77e9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1181
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffb7e0, reg_save_area = 0x7fffffffb720}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffdc60
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#9  0x000000000076a1d9 in php_execute_script (primary_file=0x7fffffffdc60) at /home/cristian/php5/main/main.c:2101
        realfile = "/home/cristian/php5/ext/session/tests/016.phpt\000\000�����\177\000\000�\n|\000\000\000\000\000�r���\177\000\000p~�", '\0' <repeats 13 times>, "uct\000�\a\000\000X\000\000\000\000\000�p���\177\000\000\020����\177\000\000z\005\177\000\000\000\000\000\002\000\000\000�\177\000\000X\000\000\000\000\000V\a\000\000\000\000\000\000\202\005\000\000\000\000\000\000�mQ��\177\000\000\210��\000\000\000\000\000P����\177\000\000\030����\177\000\000�\214\222D\000\000\000\000\000��"...
        __orig_bailout = (jmp_buf *) 0x7fffffffdaf0
        __bailout = {{__jmpbuf = {8945616, 1504162217199220120, 4369584, 140737488346800, 0, 0, 1504162220334462360,
      -1504162127358118504}, __mask_was_saved = 0, __saved_mask = {__val = {140737353931176, 0, 4294967295, 47784, 14397440, 4369584,
        140737488346800, 0, 0, 0, 140737351963577, 1, 0, 0, 73014444032, 140737317299080}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0,
      closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
  free_filename = 0 '\0'}
        old_cwd = 0x7fffffffb800 ""
        use_heap = 0 '\0'
        retval = 0
#10 0x0000000000887449 in main (argc=5, argv=0x7fffffffdeb8) at /home/cristian/php5/sapi/cli/php_cli.c:1138
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {8945616, 1504162217448781208, 4369584, 140737488346800, 0, 0, 1504162217209705880,
      -1504161051082934888}, __mask_was_saved = 0, __saved_mask = {__val = {140737353925464, 140737488346240, 140737488346184, 2972705047,
        140737488346400, 61765110, 140737354121608, 0, 140737351945772, 140733193388033, 140737354118584, 0, 1, 1910330751,
        140737351946810, 8419355904}}}}
        exit_status = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt",
  opened_path = 0x0, handle = {fd = 16635992, fp = 0xfdd858, stream = {handle = 0xfdd858, isatty = 0, mmap = {len = 495, pos = 0,
        map = 0x7ffff7ff7000, buf = 0x7ffff7ff7000 <Address 0x7ffff7ff7000 out of bounds>, old_handle = 0xff34c0,
        old_closer = 0x8029a0 <zend_stream_stdio_closer>}, reader = 0x802974 <zend_stream_stdio_reader>,
      fsizer = 0x8029d1 <zend_stream_stdio_fsizer>, closer = 0x802aea <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt"
        arg_excp = (char **) 0x7fffffffded8
        script_file = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
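Added example (not from the bug thread and not PHP's own source): the backtrace above shows ps_open_files() receiving save_path=0x7b while argv[] holds three pointers, argc is 4 and dirdepth is 123, which is 0x7b. That is consistent with a tokenizer that stops splitting once its three-slot argv[] is full, still appends the remaining text as a fourth element, and then takes argv[argc - 1] as the path, so it reads back whatever the compiler placed just after the array (here the dirdepth it had just parsed). It would also fit the observation that the crash comes and goes with build flags such as --with-pic and --enable-debug, which change the stack layout. Treat that as an inference from the visible values. In the C below, naive_argc() reproduces only the counter arithmetic that yields 4 for the test's save_path value, without touching memory, and parse_save_path() is a bounded parser for the dirdepth;filemode;path form that rejects the value instead of indexing past argv[]. ARGV_SLOTS, the 0..32 dirdepth range and the PATH_MAX_LEN limit are this example's own choices, not PHP's.

```c
/* Added example, not PHP's code: a bounded parser for the
 * "dirdepth;filemode;path" form of session.save_path, beside a
 * counter that reproduces the argc == 4 seen in the backtrace.
 * The three-slot argv[] and the "stop splitting when full, then
 * append the remainder anyway" shape are inferred from the backtrace
 * values, not copied from ext/session/mod_files.c. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGV_SLOTS   3      /* dirdepth ; filemode ; path (assumed) */
#define PATH_MAX_LEN 256    /* example's own limit on the INI value */

/* Constructed input: the INI value from ext/session/tests/016.phpt. */
static const char INVALID_SAVE_PATH[] =
    "123;:/really\\completely:::/invalid;;,23123;213";

struct ps_opts {
    long dirdepth;          /* default 0: flat directory */
    long filemode;          /* default 0600 */
    char path[PATH_MAX_LEN];
};

/* Mirrors a tokenizer that stops splitting once argv[] is full and
 * then stores the tail unconditionally. For the test string this
 * returns 4 although argv[] has 3 slots, so argv[argc - 1] would
 * index one element past the array (the slot that held dirdepth == 123
 * == 0x7b in the backtrace, the pointer strlen() faulted on).
 * Only the counter is reproduced; nothing is written to memory. */
int naive_argc(const char *s)
{
    int argc = 0;
    const char *p = strchr(s, ';');
    while (p) {
        argc++;                      /* argv[argc++] = last */
        if (argc >= ARGV_SLOTS)
            break;                   /* array full: stop splitting... */
        p = strchr(p + 1, ';');
    }
    return argc + 1;                 /* ...but still append the tail */
}

/* Hardened parser: returns 1 and fills *out on success, 0 on too many
 * fields, non-numeric or out-of-range dirdepth/filemode, or an empty
 * or over-long path. It never indexes past argv[]. */
int parse_save_path(const char *s, struct ps_opts *out)
{
    char buf[PATH_MAX_LEN];
    char *argv[ARGV_SLOTS];
    char *last, *p, *end;
    int argc = 0;

    if (strlen(s) >= sizeof buf)
        return 0;
    strcpy(buf, s);

    last = buf;
    while ((p = strchr(last, ';')) != NULL) {
        if (argc == ARGV_SLOTS - 1)
            return 0;                /* a 4th field: reject, do not overrun argv */
        argv[argc++] = last;
        *p = '\0';
        last = p + 1;
    }
    argv[argc++] = last;             /* argc is now 1..ARGV_SLOTS */

    out->dirdepth = 0;
    out->filemode = 0600;
    if (argc > 1) {                  /* "N;..." : directory depth, decimal */
        errno = 0;
        out->dirdepth = strtol(argv[0], &end, 10);
        if (errno || end == argv[0] || *end != '\0' ||
            out->dirdepth < 0 || out->dirdepth > 32)
            return 0;
    }
    if (argc > 2) {                  /* "N;MODE;..." : file mode, octal */
        errno = 0;
        out->filemode = strtol(argv[1], &end, 8);
        if (errno || end == argv[1] || *end != '\0' ||
            out->filemode < 0 || out->filemode > 07777)
            return 0;
    }
    if (*argv[argc - 1] == '\0')     /* last field is the path; must be non-empty */
        return 0;
    strcpy(out->path, argv[argc - 1]);
    return 1;
}

int main(void)
{
    struct ps_opts o;
    printf("naive argc for test string: %d (argv slots: %d)\n",
           naive_argc(INVALID_SAVE_PATH), ARGV_SLOTS);
    printf("hardened parse of test string: %s\n",
           parse_save_path(INVALID_SAVE_PATH, &o) ? "accepted" : "rejected");
    if (parse_save_path("5;0600;/tmp", &o))
        printf("5;0600;/tmp -> depth=%ld mode=%lo path=%s\n",
               o.dirdepth, o.filemode, o.path);
    return 0;
}
```

The point of the bounded version is that a malformed INI value is a configuration error to report, not something the tokenizer should try to make sense of by trusting whatever pointer happens to follow argv[]; an out-of-bounds read that only shows up under one set of compiler flags is the kind of bug a memory checker (Valgrind, which run-tests.php reports as "Not used" above) would flag on every build.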
 [2009-04-06 12:14 UTC] bjori@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

Please try the next snapshot dated _after_ this message.
 [2009-04-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 21:01:28 2024 UTC