Bug #59844 Value unserialization can lead to memory corruption and segfault
Submitted: 2011-07-09 18:40 UTC Modified: 2013-05-28 08:36 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: paul dot clifford+pecl at gmail dot com Assigned:
Status: Duplicate Package: memcache (PECL)
PHP Version: 5.3.6 OS: Fedora 14 and CentOS 5.6
Private report: No CVE-ID: None
 [2011-07-09 18:40 UTC] paul dot clifford+pecl at gmail dot com
Description:
------------
Getting an object with a circular reference from memcache triggers memory corruption, sometimes leading to a segmentation fault. It looks like a zval allocated on the stack ends up being garbage collected during the destruct sequence as a result of the code within the "if (flags & MMC_SERIALIZED) {" block in mmc_unpack_value, in memcache_pool.c.

This may be the same problem reported at http://pecl.php.net/bugs/bug.php?id=14511, and does not seem to be present in 2.2.6.

Reproduce code:
---------------
Put the following in "corruption.php":
<?php
// Build an object whose property points back at the object itself
$obj = new StdClass();
$obj->obj = $obj;
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
// Store it serialized (flag false = no compression) with a 300 s expiry
$memcache->set('x', $obj, false, 300);
// Fetch (and therefore unserialize) it twice
$x = $memcache->get('x');
$x = $memcache->get('x');

Run under valgrind (assuming memcached is running on 127.0.0.1:11211):
valgrind --tool=memcheck php corruption.php

A potential patch: http://pastebin.com/raw.php?i=p3sJXmEk

Expected result:
----------------
No errors, similar to:

$ valgrind --tool=memcheck php corruption.php
==10808== Memcheck, a memory error detector
==10808== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==10808== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==10808== Command: php corruption.php
==10808==
==10808==
==10808== HEAP SUMMARY:
==10808==     in use at exit: 85,004 bytes in 2,145 blocks
==10808==   total heap usage: 20,680 allocs, 18,535 frees, 2,514,693 bytes allocated
==10808==
==10808== LEAK SUMMARY:
==10808==    definitely lost: 2,253 bytes in 31 blocks
==10808==    indirectly lost: 2,148 bytes in 49 blocks
==10808==      possibly lost: 0 bytes in 0 blocks
==10808==    still reachable: 80,603 bytes in 2,065 blocks
==10808==         suppressed: 0 bytes in 0 blocks
==10808== Rerun with --leak-check=full to see details of leaked memory
==10808==
==10808== For counts of detected and suppressed errors, rerun with: -v
==10808== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 216 from 13)


Actual result:
--------------
Lots of invalid reads and writes, similar to:
http://pastebin.com/raw.php?i=Mmm5QgUP

On some of my test machines it also triggers a segmentation fault.
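As an added example (not the reporter's script, and not part of the memcache extension), the check below shows what makes this object special and gives a regression test that can be run before and after upgrading the extension. serialize() encodes the self-reference as a back-reference (`r:1;`) rather than a second copy, so the unserializer has to hand out a second pointer to the outer object it already built; that is consistent with the report's diagnosis that the place where that zval lives matters. The native serialize/unserialize round trip needs no server; the memcache part mirrors the report's double get() and is skipped when the extension or a server at the assumed 127.0.0.1:11211 is not available.

```php
<?php
// Added regression check (not the reporter's code). Host and port are
// assumptions matching the original report; the key name 'x' is arbitrary.

function make_circular_object()
{
    $obj = new stdClass();
    $obj->obj = $obj;   // the object handle points back at itself
    return $obj;
}

// The serialized text contains a back-reference ("r:1;") for the inner
// handle instead of a nested copy of the object.
function serialized_form()
{
    return serialize(make_circular_object());
}

// Native round trip: no memcached required. Identity must survive, i.e. the
// inner property must resolve to the very same object, not a clone.
function native_roundtrip_ok()
{
    $copy = unserialize(serialize(make_circular_object()));
    return ($copy instanceof stdClass) && ($copy->obj === $copy);
}

// Same check through the memcache extension, repeating get() as the report
// does. Returns null when the extension is missing or no server answers.
function memcache_roundtrip_ok($host = '127.0.0.1', $port = 11211)
{
    if (!class_exists('Memcache')) {
        return null;
    }
    $memcache = new Memcache();
    if (!@$memcache->connect($host, $port)) {
        return null;
    }
    $memcache->set('x', make_circular_object(), false, 300);
    $first  = $memcache->get('x');
    $second = $memcache->get('x');   // second unserialize of the same value
    return ($second instanceof stdClass) && ($second->obj === $second);
}

echo 'serialized: ', serialized_form(), PHP_EOL;
echo 'native round trip: ', native_roundtrip_ok() ? 'ok' : 'BROKEN', PHP_EOL;

$result = memcache_roundtrip_ok();
if ($result === null) {
    echo 'memcache round trip: skipped (no extension or no server)', PHP_EOL;
} else {
    echo 'memcache round trip: ', $result ? 'ok' : 'BROKEN', PHP_EOL;
}
```

Running it under `valgrind --tool=memcheck php check.php` with a memcached instance available gives the same before/after comparison the report uses; a build affected by this bug shows invalid reads and writes during the second get(), while the native round trip stays clean in both cases.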

 [2013-05-28 08:20 UTC] github at fabian-franz dot de
Thanks for the perfect bug description.

This was fixed as part of:

https://bugs.php.net/bug.php?id=63142

Should be closed as a duplicate.
 [2013-05-28 08:36 UTC] pajoye@php.net
See #63142
 [2013-05-28 08:36 UTC] pajoye@php.net
-Status: Open +Status: Duplicate
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 10:01:29 2025 UTC