Bug #61728 PHP crash when calling ob_start in session_write
Submitted: 2012-04-13 19:24 UTC Modified: 2013-09-26 15:03 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: frederik_php at vanrenterghem dot biz Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.0 OS: Linux Debian Wheezy
Private report: No CVE-ID: None
 [2012-04-13 19:24 UTC] frederik_php at vanrenterghem dot biz
Description:
------------
Hi,

I am running a friendica (friendica.com) instance on a bitfolk.com VPS with 480MB RAM. As web server I'm using nginx. I can cause the site to crash very easily by clicking around on some links.

I am using an up-to-date version of Debian Wheezy. All packages are installed from the standard repository.

I have attached a backtrace, which is the same with each crash.

It seems as if the error is linked with the facebook connector from friendica, as it crashes when I try to load the connector settings, or if I go to the network page, which contains statuses from all connected sites including facebook. https://github.com/friendica/friendica-addons/tree/master/facebook

Thanks in advance for helping find a solution!

Best regards,
Frederik


Actual result:
--------------
Reading symbols from /usr/sbin/php5-fpm...(no debugging symbols found)...done.
[New LWP 2801]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push ()
(gdb) bt
#0  0x0832239d in zend_stack_push ()
#1  0x082d0e5c in php_output_handler_start ()
#2  0x082d337b in php_output_start_default ()
#3  0x0823953d in ?? ()
#4  0x083d2c31 in ?? ()
#5  0x0838e6d5 in execute ()
#6  0x08315e36 in zend_call_function ()
#7  0x083161b3 in call_user_function_ex ()
#8  0x08316228 in call_user_function ()
#9  0x081a67a0 in ?? ()
#10 0x081a69fe in ?? ()
#11 0x0819ecc4 in ?? ()
#12 0x0819ef55 in ?? ()
#13 0x0832b384 in ?? ()
#14 0x082bd905 in php_request_shutdown ()
#15 0x0806fd70 in ?? ()
#16 0xb6e6ce46 in __libc_start_main () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#17 0x08070875 in _start ()


Patches

bug61728.patch (last revision 2012-04-14 16:58 UTC by laruence@php.net)
bug61728.phpt (last revision 2012-04-14 16:57 UTC by laruence@php.net)

Pull Requests

History

 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
corrected summary
 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
-Summary: php-fpm SIGSEV running friendica on nginx
+Summary: php-fpm SIGSEGV running friendica on nginx
 [2012-04-14 02:50 UTC] aharvey@php.net
-Status: Open
+Status: Feedback
 [2012-04-14 02:50 UTC] aharvey@php.net
Can you install the php5-dbg package and generate a new backtrace with debug 
symbols installed, please?
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
-Status: Feedback
+Status: Open
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
Ok, here's the updated backtrace with the debugging package installed:

Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
done.
[New LWP 8194]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).

Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
#1  0x082d0e5c in php_output_handler_start (handler=0x82cf910) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:563
#2  0x082d337b in php_output_start_default () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:412
#3  0x0823953d in zif_print_r (ht=-1226425644, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1269958144) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/standard/basic_functions.c:5485
#4  0x083d2c31 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6e39450) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:642
#5  0x0838e6d5 in execute (op_array=0x8315e36) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:410
#6  0x08315e36 in zend_call_function (fci=0x7, fci_cache=0x878ff54) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:958
#7  0x083161b3 in call_user_function_ex (function_table=0xa04b450, object_pp=0x0, function_name=0xb6e5b010, retval_ptr_ptr=0xbfe4facc, param_count=<unknown type>, params=0xb6e50d20, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:750
#8  0x08316228 in call_user_function (function_table=0x0, object_pp=0xb6e5b010, function_name=0xb6e619a0, retval_ptr=0x2, param_count=<unknown type>, params=0x6)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:723
#9  0x081a67a0 in ps_call_handler (func=0xb6e5b010, argc=2, argv=0x13b) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:53
#10 0x081a69fe in ps_write_user (mod_data=0x819ecc4, key=0x878c294 "", val=0xb6e5c048 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=170073760) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:144
#11 0x0819ecc4 in php_session_flush () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:489
#12 0x0819ef55 in zm_deactivate_session (type=137540484, module_number=1) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:2145
#13 0x0832b384 in zend_deactivate_modules () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_API.c:2325
#14 0x082bd905 in php_request_shutdown (dummy=0xa) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/main.c:1755
#15 0x0806fd70 in main (argc=3, argv=0xbfe521b4) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/sapi/fpm/fpm/fpm_main.c:1884
 [2012-04-14 15:13 UTC] frederik_php at vanrenterghem dot biz
I get the same error on apache2:

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
#1  0xb5ca1c1c in php_output_handler_start (handler=0xb5ca06d0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:563
#2  0xb5ca413b in php_output_start_default () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:412
#3  0xb5c0a0dd in zif_print_r (ht=-1295141216, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1228621212) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/standard/basic_functions.c:5496
#4  0xb5da40b1 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6c1e908) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:642
#5  0xb5d5fc75 in execute (op_array=0xb5ce70c6) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:410
#6  0xb5ce70c6 in zend_call_function (fci=0x7, fci_cache=0xb61cc7c4) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:958
#7  0xb5ce7463 in call_user_function_ex (function_table=0xb82d57f8, object_pp=0x0, function_name=0xb2c89c18, retval_ptr_ptr=0xbfbeb81c, param_count=<unknown type>, params=0xb6c361a4, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:750
#8  0xb5ce74d8 in call_user_function (function_table=0x0, object_pp=0xb2c89c18, function_name=0xb2d59274, retval_ptr=0x2, param_count=<unknown type>, params=0xb)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:723
#9  0xb5b76fa0 in ps_call_handler (func=0xb2c89c18, argc=2, argv=0x13b) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:53
#10 0xb5b771fe in ps_write_user (mod_data=0xb5b6f4e5, key=0xb61c8a94 "", val=0xb6c41214 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=-1296104456) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:144
#11 0xb5b6f4e5 in php_session_flush () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:489
#12 0xb5b703b5 in zm_deactivate_session (type=-1239763244, module_number=-1078019424) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:2144
#13 0xb5cfc684 in zend_deactivate_modules () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_API.c:2328
#14 0xb5c8e5d5 in php_request_shutdown (dummy=0xb630c838) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/main.c:1755
#15 0xb5da6824 in php_handler (r=0xb630f4c0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/sapi/apache2handler/sapi_apache2.c:520
#16 0xb77945be in ap_run_handler (r=0xb630f4c0) at config.c:159
#17 0xb7794a36 in ap_invoke_handler (r=0xb630f4c0) at config.c:377
#18 0xb77a5efc in ap_internal_redirect (new_uri=0xb630f490 "/index.php?q=admin/plugins/facebook/&a=t", r=0xb631d058) at http_request.c:554
#19 0xb6c93d96 in handler_redirect (r=0xb631d058) at mod_rewrite.c:4860
#20 0xb77945be in ap_run_handler (r=0xb631d058) at config.c:159
#21 0xb7794a36 in ap_invoke_handler (r=0xb631d058) at config.c:377
#22 0xb77a6878 in ap_process_request (r=0xb631d058) at http_request.c:282
#23 0xb77a3350 in ap_process_http_connection (c=0xb6bb81f0) at http_core.c:190
#24 0xb779bbce in ap_run_process_connection (c=0xb6bb81f0) at connection.c:43
#25 0xb77ac125 in child_main (child_num_arg=<optimized out>) at prefork.c:667
#26 0xb77aca83 in make_child (slot=0, s=<optimized out>) at prefork.c:768
#27 make_child (s=<optimized out>, slot=0) at prefork.c:696
#28 0xb77acb5c in startup_children (number_to_start=5) at prefork.c:786
#29 0xb77ad730 in ap_mpm_run (_pconf=0xb7730018, plog=0xb747c018, s=0xb74aa880) at prefork.c:1007
#30 0xb777d5d2 in main (argc=3, argv=0xbfbec334) at main.c:755
 [2012-04-14 16:57 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.phpt
Revision:   1334422666
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.phpt&revision=1334422666
 [2012-04-14 16:58 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.patch
Revision:   1334422683
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.patch&revision=1334422683
 [2012-04-14 16:59 UTC] laruence@php.net
If you try to start a user output handler in session_write, then it will crash. I
have attached a simple reproduce script.

And also made a simple fix.
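
In both backtraces the crash is reached from php_request_shutdown through ps_write_user into print_r, which starts an output buffer. The following is an added example, not code from this report or from php-src: a user session handler whose write() does not depend on the output layer and which is flushed from a shutdown function. It assumes PHP 8.0 or later; the class name AuditedSessionHandler and the sess_demo directory are hypothetical.

```php
<?php
// Added example, not code from the bug report. AuditedSessionHandler and the
// sess_demo directory are hypothetical names. Assumes PHP 8.0 or later.
final class AuditedSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    public function open(string $path, string $name): bool {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    public function close(): bool { return true; }

    public function read(string $id): string|false {
        $file = $this->file($id);
        return is_file($file) ? file_get_contents($file) : '';
    }
    public function write(string $id, string $data): bool {
        // The handler in the backtraces called print_r(), which started an
        // output buffer (frames #3 to #1). Log with calls that need no buffer.
        error_log(sprintf('session write id=%s bytes=%d',
            substr(hash('sha256', $id), 0, 12), strlen($data)));
        return file_put_contents($this->file($id), $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool {
        $file = $this->file($id);
        return !is_file($file) || unlink($file);
    }
    public function gc(int $max_lifetime): int|false {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [],
            fn($f) => filemtime($f) + $max_lifetime < time());
        return count(array_filter($old, 'unlink'));
    }
    private function file(string $id): string {
        // The ID is client-supplied; keep it from escaping the directory.
        if (!preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id)) {
            throw new InvalidArgumentException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }
}

ini_set('session.use_cookies', '0'); // no cookie header, so it also runs from the CLI
// Second argument true (the default for the object form) registers
// session_write_close() as a shutdown function, ahead of module deactivation.
session_set_save_handler(new AuditedSessionHandler(sys_get_temp_dir() . '/sess_demo'), true);
session_start();
$_SESSION['user'] = 'constructed-sample';
```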
 [2012-04-14 17:03 UTC] laruence@php.net
-Status: Open
+Status: Verified
 [2012-04-14 17:16 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:18 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:21 UTC] laruence@php.net
-Assigned To:
+Assigned To: laruence
 [2012-04-14 17:21 UTC] laruence@php.net
Assign to me, since I have made a try to fix it. Will close this after confirming
that the fix is okay.
 [2012-04-16 11:19 UTC] laruence@php.net
-Summary: php-fpm SIGSEGV running friendica on nginx
+Summary: PHP crash when calling ob_start in session_write
 [2012-04-16 11:19 UTC] laruence@php.net
change the summary
 [2013-09-26 15:03 UTC] mike@php.net
-Status: Verified
+Status: Closed
 [2013-09-26 15:03 UTC] mike@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2014-10-07 23:37 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 