Bug #55704 php_flag engine off crashes apache
Submitted: 2011-09-15 20:48 UTC Modified: 2012-03-05 15:09 UTC
From: j dot amend at gmail dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.4SVN-2011-09-19 (snap) OS: Gentoo linux
Private report: No CVE-ID: None
 [2011-09-15 20:48 UTC] j dot amend at gmail dot com
Description:
------------
Since PHP 5.4 alpha 2 (alpha 1 still worked), apache crashes with a segmentation fault if "php_flag engine off" is anywhere in my apache configuration files.

Test script:
---------------
httpd.conf:
...
php_flag engine off
...

Expected result:
----------------
PHP is disabled in whatever context "php_flag engine off" is used.

Actual result:
--------------
Apache crashes with a segmentation fault, even for a configtest (apache2 -t).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff04ddff9 in _zend_hash_add_or_update () from /usr/lib64/apache2/modules/libphp5.so

History
 [2011-09-16 08:30 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-09-16 08:30 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I cannot reproduce this in my environment, please test with the SVN snapshot, thanks
 [2011-09-20 13:43 UTC] j dot amend at gmail dot com
-Status: Feedback +Status: Open -PHP Version: 5.4SVN-2011-09-15 (snap) +PHP Version: 5.4SVN-2011-09-19 (snap)
 [2011-09-20 13:43 UTC] j dot amend at gmail dot com
I just tried it with php5.4-201109192030 on my Mac (Apache/2.2.17, Mac OS X 10.6.7) with the same result.

#0  0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d118, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff350, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
#1  0x000000010139a944 in real_value_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, name=0x100890f58 "engine", value=<value temporarily unavailable, due to optimizations>, status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:73
#2  0x000000010139a9dd in real_flag_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, arg1=0x100890f58 "engine", arg2=0x100890f60 "off", status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:98
#3  0x0000000100003595 in invoke_cmd ()
#4  0x00000001000047d8 in ap_walk_config_sub ()
#5  0x000000010000488b in ap_walk_config ()
#6  0x0000000100005ddd in ap_process_config_tree ()
#7  0x000000010000a26a in main ()
 [2011-09-20 14:32 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-09-20 14:32 UTC] laruence@php.net
This is so weird, since in frame #0 the arKey is an invalid pointer, but it should be exactly the same as the name in #1. Since I cannot reproduce this in my environment, could you do me a favor and try to find out how this var could be damaged?

You can try to use gdb httpd, make a breakpoint "b real_value_hnd", then examine it step by step, thanks
 [2011-09-20 16:46 UTC] j dot amend at gmail dot com
-Status: Feedback +Status: Open
 [2011-09-20 16:46 UTC] j dot amend at gmail dot com
I tried what I could, but I don't know C or how to use gdb properly. It looks like var name makes it to _zend_hash_add_or_update intact as arKey, but then the address of arKey mysteriously changes inside that function.

Breakpoint 1, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:201
201		TSRMLS_FETCH();
(gdb) info args
ht = (HashTable *) 0x10087d120
arKey = 0x10088e298 "engine"
nKeyLength = 7
pData = (void *) 0x7fff5fbff330
nDataSize = 24
pDest = (void **) 0x0
flag = 1
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) print &arKey
Address requested for identifier "arKey" which is in register $r13
(gdb) info address arKey
Symbol "arKey" is 

   0x1012e9a70 - 0x1012e9a98: in register rsi
   0x1012e9a98 - 0x1012e9ace: in register r13
   0x1012e9ace - 0x1012e9b94: in register rcx
   0x1012e9b94 - 0x1012e9bc1: in register r13
   0x1012e9bc1 - 0x1012e9c7c: in register rcx
   0x1012e9c7c - 0x1012e9cd2: in register r13
   0x1012e9d7f - 0x1012e9d8a: in register r13
   0x1012e9d90 - 0x1012e9d9e: in register r13
   0x1012e9da4 - 0x1012e9dff: in register r13
   0x1012e9e2b - 0x1012e9f0f: in register r13
   0x1012e9f15 - 0x1012e9f45: in register r13
   0x1012e9fb5 - 0x1012e9fc6: in register r13
   0x1012e9fd9 - 0x1012e9ff1: in register r13
   0x1012ea00a - 0x1012ea02b: in register r13
   0x1012ea062 - 0x1012ea0b0: in register r13.

(gdb) next
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) p/x $rcx
$17 = 0x10088e298
[...]
(gdb) next    
278			case 6: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough... */
(gdb) p/x $rcx
$18 = 0x10088e299
[...]
(gdb) next
283			case 1: hash = ((hash << 5) + hash) + *arKey++; break;
(gdb) p/x $rcx
$21 = 0x10088e29e
(gdb) print (char*)0x10088e29e
$22 = 0x10088e29e ""
(gdb) next
218		p = ht->arBuckets[nIndex];
(gdb) print arKey
$24 = 0x10088e29e ""
(gdb) p/x *arKey
$27 = 0x0
[...]
(gdb) next
Breakpoint 8, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:253
253			p = (Bucket *) pemalloc(sizeof(Bucket) + nKeyLength, ht->persistent);
(gdb) p/x *arKey
$32 = 0x65
(gdb) p/x $rcx
$33 = 0x10088e29e
(gdb) next
258			memcpy((char*)p->arKey, arKey, nKeyLength);
(gdb) p/x arKey
$41 = 0x10088e298
(gdb) print arKey
$42 = 0x10088e298 "engine"
[...]
(gdb) next
262		p->h = h;
(gdb) print arKey
$48 = 0x18 <Address 0x18 out of bounds>
(gdb) p/x arKey
$49 = 0x18
(gdb) print *p
$51 = {
  h = 0, 
  nKeyLength = 7, 
  pData = 0x100222bf0, 
  pDataPtr = 0x0, 
  pListNext = 0x200000000, 
  pListLast = 0x600000001, 
  pNext = 0x5000021000000010, 
  pLast = 0x0, 
  arKey = 0x100222be8 "engine"
}
[...]
(gdb) next

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000005448523c
0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d120, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
268		HANDLE_BLOCK_INTERRUPTIONS();
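The gdb walk above steps through a switch-unrolled DJB33 ("times 33") key hash and then a bucket allocation followed by a memcpy of the key. The C below is an added illustration, not PHP's own code: a stand-alone hash of that shape plus a minimal bucket stand-in (the real Zend Bucket and _zend_hash_add_or_update carry more fields and steps). It shows why the register copy of arKey that the trace watches in rcx can advance through "engine" while the caller's pointer, and the key copied into the bucket, remain intact. The function names djb33_hash, djb33_hash_ref, bucket_create and bucket_roundtrip_ok, and the 64-bit hash width, are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not PHP's code. DJB33 key hash in the switch-unrolled
 * shape the gdb session steps through
 * (`case 6: hash = ((hash << 5) + hash) + *arKey++;`). arKey is passed by
 * value, so the increments advance this function's private copy (the trace
 * watches it in rcx) and never the caller's pointer. Bytes are read as
 * unsigned so non-ASCII keys hash the same on every platform. */
static uint64_t djb33_hash(const char *arKey, uint32_t nKeyLength)
{
    uint64_t hash = 5381;

    for (; nKeyLength >= 8; nKeyLength -= 8) {
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
        hash = ((hash << 5) + hash) + (unsigned char)*arKey++;
    }
    switch (nKeyLength) {
        case 7: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 6: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 5: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 4: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 3: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 2: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; /* fallthrough */
        case 1: hash = ((hash << 5) + hash) + (unsigned char)*arKey++; break;
        default: break;
    }
    return hash;
}

/* Plain-loop reference for the same hash, used to check the unrolling. */
static uint64_t djb33_hash_ref(const char *key, uint32_t len)
{
    uint64_t hash = 5381;
    for (uint32_t i = 0; i < len; i++)
        hash = hash * 33 + (unsigned char)key[i];
    return hash;
}

/* Minimal stand-in for the bucket the trace prints with `print *p`; the real
 * Zend Bucket also carries list/chain and data pointers. The key bytes live
 * directly after the struct, as in the trace's
 * pemalloc(sizeof(Bucket) + nKeyLength) line. */
typedef struct {
    uint64_t h;
    uint32_t nKeyLength;
    char *arKey;
} Bucket;

/* Mirrors the trace's order: hash the key, allocate, memcpy the key, then
 * store h. Returns NULL for a NULL or zero-length key or on allocation failure. */
static Bucket *bucket_create(const char *arKey, uint32_t nKeyLength)
{
    if (arKey == NULL || nKeyLength == 0)
        return NULL;
    uint64_t h = djb33_hash(arKey, nKeyLength);   /* our arKey is unchanged after this */
    Bucket *p = malloc(sizeof(Bucket) + nKeyLength);
    if (p == NULL)
        return NULL;
    p->arKey = (char *)(p + 1);
    memcpy(p->arKey, arKey, nKeyLength);
    p->nKeyLength = nKeyLength;
    p->h = h;
    return p;
}

/* Round-trip check: the bucket must hold the same bytes and hash as the
 * original key. Returns 1 on success, 0 otherwise. */
static int bucket_roundtrip_ok(const char *key, uint32_t len)
{
    Bucket *p = bucket_create(key, len);
    if (p == NULL)
        return 0;
    int ok = p->nKeyLength == len
          && memcmp(p->arKey, key, len) == 0
          && p->h == djb33_hash_ref(key, len);
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed input: the same key and length as the trace ("engine" plus
     * its terminating NUL, nKeyLength=7). */
    const char *key = "engine";
    printf("hash(\"engine\", 7) = %llu\n", (unsigned long long)djb33_hash(key, 7));
    printf("bucket round trip ok: %s\n", bucket_roundtrip_ok(key, 7) ? "yes" : "no");
    return 0;
}
```

Hashing the 7-byte key advances only the local copy of arKey, so the memcpy that follows still copies "engine" and its NUL into the bucket; the longer constructed key exercises the 8-byte loop before the switch remainder.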
 [2012-03-05 15:09 UTC] j dot amend at gmail dot com
I just tested upgrading from RC4 and the release version, and I no longer get a segfault when I do a config test or graceful/restart.
 [2012-03-05 15:09 UTC] j dot amend at gmail dot com
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC