Bug #66043 Segfault calling bind_param() on mysqli
Submitted: 2013-11-07 09:48 UTC Modified: 2013-11-08 07:13 UTC
From: victork at sekindo dot com Assigned: laruence (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.4.21 OS: Linux(CentOS 5)
Private report: No CVE-ID: None
 [2013-11-07 09:48 UTC] victork at sekindo dot com
Description:
------------
Full problem description:
Calling mysql_stmt::bind_result() without storing its return value in a variable, on PHP using a MySQLi module built against libmysql, causes a segmentation fault.

Notes:
If my mysqli is linked against libmysqlng, no crash occurs.
If a PHP debugger module (like XDebug or Nusphere DBG) is active, no crash occurs (looks like a timing issue ...).
If the return value of mysql_stmt::bind_result() is stored ($res = $stmt->bind_result(&$name);), no crash occurs.


PHP code (Zend/zend_vm_execute.h):

if (fbc->type == ZEND_INTERNAL_FUNCTION) {  <---- For internal PHP routines
....
if (!zend_execute_internal) {
 553                                 /* saves one function call if zend_execute_internal is not used */
 554                                 fbc->internal_function.handler(opline->extended_value, ret->var.ptr, &ret->var.ptr, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
 555                         } else {
 556                                 zend_execute_internal(execute_data, NULL, RETURN_VALUE_USED(opline) TSRMLS_CC);
 557                         }
 558 
 559                         if (!RETURN_VALUE_USED(opline)) {
 [***segfault_560]                                 zval_ptr_dtor(&ret->var.ptr);
 561                         }

Tested affected PHP versions: 5.4.20 and 5.4.21
Unaffected PHP version: PHP 5.1.6 with patches and backports from RedHat/CentOS team.

Short script to reproduce (please read the notes above):

php -r '$link = new mysqli("127.0.0.1", "root", "ew89sjw0aj", "mysql"); $stmt = $link->stmt_init();$stmt->prepare("SELECT User FROM user WHERE password=\"\"");$stmt->execute(); $stmt->bind_result($testArg); $stmt->fetch(); $stmt->close(); echo $testArg;'

If a query like "SELECT 10" is used (without tables), no crash occurs.

PHP configuration (IUS repository package):
'./configure' '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib64' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--enable-gd-native-ttf' '--with-t1lib=/usr' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--with-kerberos' '--enable-ucd-snmp-hack' '--enable-shmop' '--enable-calendar' '--with-libxml-dir=/usr' '--enable-xml' '--with-system-tzdata' '--with-mhash' '--enable-force-cgi-redirect' '--libdir=/usr/lib64/php' '--enable-pcntl' '--with-imap=shared' '--with-imap-ssl' '--enable-mbstring=shared' '--enable-mbregex' '--with-gd=shared' '--enable-bcmath=shared' '--enable-dba=shared' '--with-db4=/usr' '--with-xmlrpc=shared' '--with-ldap=shared' '--with-ldap-sasl' '--enable-mysqlnd=shared' '--with-mysql=shared,mysqlnd' '--with-mysqli=shared,mysqlnd' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-interbase=shared,/usr/lib64/firebird' '--with-pdo-firebird=shared,/usr/lib64/firebird' '--enable-dom=shared' '--with-pgsql=shared' '--enable-wddx=shared' '--with-snmp=shared,/usr' '--enable-soap=shared' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--with-curl=shared,/usr' '--enable-fastcgi' '--enable-pdo=shared' 
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-mysql=shared,mysqlnd' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-pdo-dblib=shared,/usr' '--without-sqlite3' '--enable-json=shared' '--enable-zip=shared' '--without-readline' '--with-libedit' '--with-pspell=shared' '--enable-phar=shared' '--with-mcrypt=shared,/usr' '--with-tidy=shared,/usr' '--with-mssql=shared,/usr' '--enable-sysvmsg=shared' '--enable-sysvshm=shared' '--enable-sysvsem=shared' '--enable-posix=shared' '--with-unixODBC=shared,/usr' '--enable-fileinfo=shared' '--enable-intl=shared' '--with-icu-dir=/usr' '--with-enchant=shared,/usr' '--with-recode=shared,/usr'

All external modules except mysqli have been disabled during testing to exclude the possibility of module collisions (it crashes with all modules and with only mysqli).


php.ini changes:
Increased limits of POST,memory,etc
Script timeout set to unlimited.
Include path enhanced with our project folder
pre/post autoinclude for xhprof files added.


GDB backtrace and info:

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=0x2aaaaaacf060) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:649
649                                     zval_ptr_dtor(&ret->var.ptr);
(gdb) bt
#0  zend_do_fcall_common_helper_SPEC (execute_data=0x2aaaaaacf060) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:649
#1  0x000000000060a9de in execute (op_array=0x2aaaaab05ec0) at /usr/src/debug/php-5.4.21/Zend/zend_vm_execute.h:410
#2  0x00000000005d565e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.21/Zend/zend.c:1319
#3  0x000000000057af48 in php_execute_script (primary_file=0x7fffffffd6d0) at /usr/src/debug/php-5.4.21/main/main.c:2502
#4  0x000000000067d06d in do_cli (argc=2, argv=0x7fffffffea08) at /usr/src/debug/php-5.4.21/sapi/cli/php_cli.c:989
#5  0x000000000067d9ed in main (argc=2, argv=0x7fffffffea08) at /usr/src/debug/php-5.4.21/sapi/cli/php_cli.c:1365
(gdb) print &ret->var.ptr
$1 = (zval **) 0x2aaa00000008
(gdb) print ret->var.ptr
Cannot access memory at address 0x2aaa00000008

Test script:
---------------
php -r '$link = new mysqli("127.0.0.1", "root", "ew89sjw0aj", "mysql"); $stmt = $link->stmt_init();$stmt->prepare("SELECT User FROM user WHERE password=\"\"");$stmt->execute(); $stmt->bind_result($testArg); $stmt->fetch(); $stmt->close(); echo $testArg;'

Expected result:
----------------
root

Actual result:
--------------
Segmentation fault

History
 [2013-11-07 09:55 UTC] victork at sekindo dot com
Edit test
 [2013-11-08 07:08 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)
 [2013-11-08 07:08 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2013-11-08 07:13 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2013-11-08 07:13 UTC] laruence@php.net
From MySQL's dev manual, it says "In MySQL 5.0, mysql_stmt_attr_get() uses unsigned int *"

but actually, from the source code, it is unsigned long *.

mysql-5.0.95/libmysql/libmysql.c:2776

"my_bool STDCALL mysql_stmt_attr_get(MYSQL_STMT *stmt,
                                    enum enum_stmt_attr_type attr_type,
                                    void *value)
{
  switch (attr_type) {
  case STMT_ATTR_UPDATE_MAX_LENGTH:
    *(unsigned long *) value= stmt->update_max_length;
    break;

"
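An added C illustration of the type-width mismatch laruence describes above. It is not php-src or libmysql code: `fake_mysql_stmt_attr_get`, `fake_stmt` and `caller_frame` are stand-ins I made up for MYSQL_STMT and the library call, and the callee copies `sizeof(unsigned long)` bytes with memcpy, which has the same byte-level effect as the quoted `*(unsigned long *) value= stmt->update_max_length;`. A caller that trusted the documented `unsigned int *` contract and declared a 4-byte variable gets 8 bytes written on LP64 Linux, so whatever the compiler placed after that variable is clobbered; the reporter's backtrace, where `ret->var.ptr` has become the unusable `0x2aaa00000008`, is the kind of collateral damage this produces. The hardened caller sizes its variable to what the library really writes and passes a typed pointer instead of hiding the width behind `void *`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the libmysql types; not the real MYSQL_STMT. */
enum enum_stmt_attr_type { STMT_ATTR_UPDATE_MAX_LENGTH = 0 };

struct fake_stmt {
    unsigned long update_max_length;
};

/* Mirrors the quoted libmysql 5.0 body: the value is written as an
 * unsigned long no matter what width the caller actually provided.
 * memcpy has the same effect as "*(unsigned long *) value = ..." and keeps
 * the overflow below well-defined to observe. */
static int fake_mysql_stmt_attr_get(struct fake_stmt *stmt,
                                    enum enum_stmt_attr_type attr_type,
                                    void *value)
{
    switch (attr_type) {
    case STMT_ATTR_UPDATE_MAX_LENGTH:
        memcpy(value, &stmt->update_max_length, sizeof(unsigned long));
        return 0;
    }
    return 1;
}

/* A caller frame laid out the way the documented "unsigned int *" invites:
 * a 4-byte slot for the attribute and 4 neighbouring bytes the caller still
 * needs intact after the call. The union member 'align' forces 8-byte
 * alignment so the 8-byte store lands on an aligned address. */
union caller_frame {
    unsigned long align;
    struct {
        unsigned int attr_slot;   /* what the manual's type led the caller to declare */
        unsigned int neighbour;   /* sits right behind it in memory */
    } v;
};

/* Size in bytes by which the library's write exceeds the documented type:
 * 4 on LP64 Linux, 0 on ILP32 platforms. */
size_t attr_get_overflow_bytes(void)
{
    return sizeof(unsigned long) - sizeof(unsigned int);
}

/* Buggy caller. Returns the neighbour's value after the call; with a 4-byte
 * unsigned long it is untouched (0xAAAAAAAA), with an 8-byte one the store
 * spills into it. For stored == 0 the spill zeroes it on any byte order. */
unsigned int buggy_caller_neighbour_after_call(unsigned long stored)
{
    struct fake_stmt stmt = { stored };
    union caller_frame f;
    f.v.attr_slot = 0xFFFFFFFFu;
    f.v.neighbour = 0xAAAAAAAAu;  /* sentinel */
    fake_mysql_stmt_attr_get(&stmt, STMT_ATTR_UPDATE_MAX_LENGTH, &f.v.attr_slot);
    return f.v.neighbour;
}

/* Hardened wrapper: the parameter type states the width the library really
 * writes, so a caller passing an unsigned int* is rejected at compile time
 * instead of silently cast through void*. */
static int attr_get_update_max_length(struct fake_stmt *stmt, unsigned long *out)
{
    return fake_mysql_stmt_attr_get(stmt, STMT_ATTR_UPDATE_MAX_LENGTH, out);
}

/* Fixed caller: a variable as wide as the store, read back after the call. */
unsigned long fixed_caller_read(unsigned long stored)
{
    struct fake_stmt stmt = { stored };
    unsigned long value = 0;
    if (attr_get_update_max_length(&stmt, &value) != 0)
        return (unsigned long)-1;
    return value;
}

int main(void)
{
    printf("overflow bytes on this platform: %zu\n", attr_get_overflow_bytes());
    printf("neighbour after buggy call:      0x%08x (sentinel was 0xaaaaaaaa)\n",
           buggy_caller_neighbour_after_call(0));
    printf("fixed caller reads back:         %lu\n", fixed_caller_read(42UL));
    return 0;
}
```

Neither `-Wall` nor `-Wextra` flags the buggy call, because the `void *` parameter erases the width; the only check that catches this class of bug is reading the library's source for the exact version you link against, or wrapping the call behind a typed prototype as above. The reporter's note that a mysqlnd build does not crash is consistent with this root cause, since mysqlnd is PHP's own client implementation and never goes through libmysql's `mysql_stmt_attr_get()`.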
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=fd3fa9b53c6bc8f34c1c8bf75141f7ee74dc8db0
Log: Fixed Bug #66043 (Segfault calling bind_param() on mysqli)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC