php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49968 php 5.2.11 with suhosin and mhash.so enabled causes canary mismatch
Submitted: 2009-10-23 10:11 UTC Modified: 2009-11-01 01:00 UTC
From: ciny at synapsia dot sk Assigned:
Status: No Feedback Package: mhash related
PHP Version: 5.2.11 OS: FreeBSD 7.2 amd64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ciny at synapsia dot sk
New email:
PHP Version: OS:

 

 [2009-10-23 10:11 UTC] ciny at synapsia dot sk
Description:
------------
When I use php 5.2.11 with suhosin and mhash it generates a canary 
mismatch. If I try:
%php -v 
i get:
 ALERT - canary mismatch on efree() - heap overflow detected (attacker 
'REMOTE_ADDR not set', file 'unknown'
if I try
%setenv USE_ZEND_ALLOC 0
%php -v 
I get:
PHP 5.2.11 with Suhosin-Patch 0.9.7 (cli) (built: Oct 23 2009 
11:05:12) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
Segmentation fault (core dumped)

there is no package for valgrind on freebsd amd64 so I don't know If I 
can post more exact trace.

Reproduce code:
---------------
php -v

Expected result:
----------------
PHP 5.2.11 with Suhosin-Patch 0.9.7 (cli) (built: Oct 23 2009 11:05:12) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies


Actual result:
--------------
ALERT - canary mismatch on efree() - heap overflow detected (attacker 
'REMOTE_ADDR not set', file 'unknown')

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-23 10:15 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2009-10-23 10:24 UTC] ciny at synapsia dot sk
<a href="http://www.pastebin.cz/43ef1b43ee1dbd"> here is the gdb output 
</a>
 [2009-10-23 11:00 UTC] jani@php.net
Proper link: http://www.pastebin.cz/43ef1b43ee1dbd

And obvious question: Does it crash without that 3rd party patch?


 [2009-10-23 11:38 UTC] ciny at synapsia dot sk
if by 3rd party patch you mean suhosin then yes, bud instead of the 
error message it segfaults.
 [2009-10-23 12:08 UTC] jani@php.net
Was the backtrace with or without the suhosin patch? (I'm guessing without?)
 [2009-10-23 12:33 UTC] ciny at synapsia dot sk
it was with suhosin patch compiled in but with USE_ZEND_ALLOC set to 0. 
I can post a test without suhosin but that will have to wait until 
night - I see this behaviour on a production machine so I can not allow 
php to segfault during work hours and I don't have a spare one to 
reproduce the problem.
 [2009-10-23 12:36 UTC] jani@php.net
You can't run the thing on command line..? I thought that's how you really meant it to be reproduced: # php -v ? (please don't reply before you have real feedback)
 [2009-10-23 18:08 UTC] ciny at synapsia dot sk
ok here
http://www.pastebin.cz/e9a52bce5e4288
is the gdb output on the core dump of php 5.2.11 without the suhosin patch with debugging symbols enabled.
If I remove mhash.so from the extensions php runs without problem. If mhash is enabled it produces the segmentation fault (heap overflow). Mhash package works normally and python mhash module works as well so from what I can see it is probably some kind of issue in php5-mhash. 

PS: And yes, I can run it from commandline but I had to recompile php without the suhosin patch included ;)
 [2009-10-23 20:20 UTC] sniper@php.net
Well, running something does not require installing it:

# make && sapi/cli/php -v 

And are you somehow enabling ZTS too? And you're sure you're loading the mhash.so from the same build? (I can't reproduce this..)
 [2009-10-24 09:37 UTC] ciny at synapsia dot sk
I don't know about ZTS - I pasted the configure options below for you to see. I am sure that I load the correct modules. I recompiled php and extensions several times and tried removing it completly and compiling it again.  Is it possible that this is a FreeBSD bug rather than a php bug?

here is the configure command used to compile php
'./configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection' '--program-prefix=' '--disable-cgi' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--enable-debug' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd7.2' (according to phpinfo() )
 [2009-10-24 21:05 UTC] jani@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

And use the proper configure line without any extra:

# ./configure --disable-all --disable-cgi --with-mhash
 [2009-11-01 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 11:01:30 2024 UTC