Bug #51350 recursively including non existing file causes segfault
Submitted: 2010-03-22 17:08 UTC
Modified: 2010-03-22 22:52 UTC
From: slogster at gmail dot com
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.13
OS: freebsd & linux
Private report: No
CVE-ID: None
 [2010-03-22 17:08 UTC] slogster at gmail dot com
Description:
------------
function a(){include("/nofile"); a();} a();

/nofile is a non-existing file

Test script:
---------------
function a(){include("/nofile"); a();} a();

/nofile is a non-existing file

Expected result:
----------------
should not segfault

Actual result:
--------------
segfault

 [2010-03-22 17:45 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-03-22 17:45 UTC] johannes@php.net
Recursion in PHP leads to a stack overflow for the process, which we can't properly handle ourselves so the operating system terminates the PHP process. This is the expected behavior.
 [2010-03-22 21:25 UTC] tyra3l at gmail dot com
suhosin protects against infinite recursion since 2006.
if you can crash the php engine from userland, then you can reset the seed
http://www.baohx.com/extras/zendcon/lesserknownsecurityproblemsinphpapplications.pdf
page 33: attacker can get fresh seed by crashing php.
so it's not only an inconvenience, but can be a security problem also.

Tyrael
 [2010-03-22 21:29 UTC] pajoye@php.net
That's known and there is no bug per se here.

Not everything the suhosin patch does is the right thing to do to solve a problem. As far as I remember there was a (long) discussion on internals about this. You may find it interesting.
 [2010-03-22 21:39 UTC] tyra3l at gmail dot com
It should be worth reading.
could you at least give me the year for that discussion?
I think that in this case the script should terminate by memory exhaustion (memory_limit) or time_limit exhaustion, not with a segfault.
In a managed language I shouldn't be able to do stack overflow from userspace.
At least not this easily.
 [2010-03-22 22:52 UTC] slogster at gmail dot com
I've tried it with Suhosin-Patch 0.9.7 and it segfaults too
 [2010-07-14 23:31 UTC] tyra3l at gmail dot com
afaik you need the suhosin extension for this functionality, not just the patch. 
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.max_depth

Tyrael
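
The thread discusses capping call depth so that runaway recursion ends in a handled error rather than a crashed process. The following is an added example, not code from the report, from PHP, or from Suhosin: a userland depth cap applied to the report's test script. `RecursionGuard` and `MAX_DEPTH` are hypothetical names, the limit of 100 is a constructed value, and PHP 8.0 or later is assumed.

```php
<?php
// Added example (not from the bug report): cap recursion depth in userland so
// a runaway call chain ends in a catchable exception instead of a crash.
// RecursionGuard and MAX_DEPTH are hypothetical names; requires PHP 8.0+.

final class RecursionGuard
{
    private int $depth = 0;

    public function __construct(private int $maxDepth) {}

    /** Run $fn one level deeper, or refuse once the cap is reached. */
    public function enter(callable $fn): mixed
    {
        if ($this->depth >= $this->maxDepth) {
            throw new RuntimeException(
                "recursion depth limit of {$this->maxDepth} reached"
            );
        }
        $this->depth++;
        try {
            return $fn();
        } finally {
            $this->depth--; // keep the counter accurate even when $fn throws
        }
    }
}

const MAX_DEPTH = 100; // constructed value; set to the deepest legitimate nesting

$guard = new RecursionGuard(MAX_DEPTH);

// Same shape as the report's test script: include a missing file, then recurse.
function a(RecursionGuard $guard): void
{
    @include '/nofile'; // missing file: include returns false, warning suppressed
    $guard->enter(fn () => a($guard));
}

try {
    a($guard);
} catch (RuntimeException $e) {
    // The request can now be failed cleanly and logged; the process stays alive.
    echo 'stopped: ', $e->getMessage(), PHP_EOL;
}
```

A guard like this only covers code paths that are routed through it; an engine-level limit such as the `suhosin.executor.max_depth` setting linked above applies to every call.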
 