Bug #69964 SessionHandler::read AV's if the PS(default_mod)->s_open fails
Submitted: 2015-06-29 21:36 UTC Modified: 2016-01-14 04:24 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ericsten@php.net Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None
 [2015-06-29 21:36 UTC] ericsten@php.net
Description:
------------
If a session handler is misconfigured (e.g. a bad path in session.save_path) and fails to start, the SessionHandler::read(string id) method will call into the handler whose PS_OPEN_FUNC() previously returned FAILURE.
The expectation is that if a handler's PS_OPEN_FUNC() returns FAILURE, it will not receive any subsequent PS_READ_FUNC()/PS_WRITE_FUNC()/PS_CLOSE_FUNC()/PS_DESTROY_FUNC() calls.

It looks like calls coming through the SessionHandler::read(string id) method continue to call PS(default_mod)->s_read even though ->s_open failed.  I believe this is because PS(mod_user_is_open) is being set to 1, despite the fact that the ->s_open failed.

http://lxr.php.net/xref/PHP_TRUNK/ext/session/mod_user_class.c#50


Test script:
---------------
Assuming session.handler = wincache and session.save_path = "C:\doesNotExist\banana":

<?php

// Reproduction: subclass the built-in SessionHandler so that parent::read()
// forwards to the configured back-end (wincache), whose open() already failed.
class WincacheSessionHandler extends SessionHandler {
  public function read($session_id) {
    // parent::read() dispatches to PS(default_mod)->s_read even though s_open failed
    $data = parent::read($session_id);
    return $data;
  }
}

// Initialize the storage
$handler = new WincacheSessionHandler();
session_set_save_handler($handler, true);

session_start();

print "<html><body>WORKS</body></html>";

Expected result:
----------------
php-cgi.exe should not AV.  It especially should not AV in wincache's PS_READ_FUNC() implementation.

Actual result:
--------------
Faulting application name: php-cgi.exe, version: 5.5.26.0, time stamp: 0x5578a6fc
 Faulting module name: php_wincache.dll, version: 1.3.7.6, time stamp: 0x556cd721
 Exception code: 0xc0000005
 Fault offset: 0x000163bf
 Faulting process id: 0x588
 Faulting application start time: 0x01d0ad4649943c17
 Faulting application path: C:\Program Files (x86)\PHP\php5.5\php-cgi.exe
 Faulting module path: C:\Program Files (x86)\PHP\php5.5\ext\php_wincache.dll
 Report Id: 88887401-1939-11e5-83b0-8019346bbdc6
 Faulting package full name: 
 Faulting package-relative application ID: 
...snip!...

WinDBG call stack:
eax=00a8e3c0 ebx=00000000 ecx=0000000b edx=0158ca90 esi=00000000 edi=0158c950
eip=6876680f esp=00a8e388 ebp=00000001 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210287
php_wincache!zvcache_get+0x1f:
6876680f 8b6b1c          mov     ebp,dword ptr [ebx+1Ch] ds:002b:0000001c=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  
00 00a8e39c 687648b8 php_wincache!zvcache_get+0x1f [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_zvcache.c @ 1758]
01 00a8e3c0 5835b9de php_wincache!ps_read_wincache+0x58 [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_session.c @ 301]
02 00a8e3d4 58235bde php5!zim_SessionHandler_read+0x7e [c:\php-sdk\php56\vc11\x86\php-5.6.0\ext\session\mod_user_class.c @ 83]
03 00a8e46c 5826ecb6 php5!zend_std_get_static_method+0x4e [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_object_handlers.c @ 1204]
04 01572218 02762ac8 php5!zend_call_function+0x6d6 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_execute_api.c @ 832]
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0158e7a4 5826f0df 0x2762ac8
06 0158e81c 69a5dcff php5!ZEND_RETURN_SPEC_TMP_HANDLER+0x5f
07 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
08 0158e8bc 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
09 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0a 0158e95c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0b (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0c 0158ea2c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0d (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0e 0158ea38 5824e3a5 msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0f 0158ea40 00000000 php5!zend_initialize_class_data+0x75 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_compile.c @ 6897]
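The invariant the report describes (a back-end whose s_open returned FAILURE must never see s_read), shown as an added stand-alone C model. This is not code from ext/session or from the wincache extension: the struct layout, the fake cache module, the save paths and the counter are constructed for illustration, and the "fixed" open() below only illustrates tying mod_user_is_open to the real result of s_open; it is not the change that closed Bug #71038.

```c
/* Added example, not PHP or wincache source: a minimal model of the
 * SessionHandler::open()/read() dispatch path described in this report.
 * Names such as ps_module, s_open, s_read and mod_user_is_open follow the
 * report; every body and value here is invented for the demonstration. */
#include <stdio.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE (-1)

/* Back-end storage module, playing the role of PS(default_mod) */
typedef struct {
    const char *name;
    int (*s_open)(void **mod_data, const char *save_path);
    int (*s_read)(void **mod_data, const char *id, char *buf, size_t buflen);
} ps_module;

/* The per-request session globals that matter for this bug */
typedef struct {
    ps_module *default_mod;
    void      *mod_data;          /* back-end private state, NULL until s_open succeeds */
    int        mod_user_is_open;  /* the flag PS(mod_user_is_open) models */
} session_globals;

/* Fake cache-backed module: s_open only succeeds for one (assumed) known path */
static int fake_cache_storage = 1;
static int fake_reads_after_failed_open = 0;

static int fake_open(void **mod_data, const char *save_path) {
    if (strcmp(save_path, "/tmp/sessions") == 0) {
        *mod_data = &fake_cache_storage;
        return SUCCESS;
    }
    *mod_data = NULL;           /* nothing was initialised */
    return FAILURE;
}

static int fake_read(void **mod_data, const char *id, char *buf, size_t buflen) {
    (void)id;
    if (*mod_data == NULL) {
        /* A real module would dereference its uninitialised state here and
         * fault; the model just records the contract violation. */
        fake_reads_after_failed_open++;
        return FAILURE;
    }
    snprintf(buf, buflen, "cached");
    return SUCCESS;
}

static ps_module fake_mod = { "fake", fake_open, fake_read };

/* SessionHandler::open() as the report describes it: the flag is raised
 * before the result of s_open is known. */
static int handler_open_buggy(session_globals *ps, const char *save_path) {
    ps->mod_user_is_open = 1;
    return ps->default_mod->s_open(&ps->mod_data, save_path);
}

/* Illustrative corrected variant: the flag follows the actual s_open result. */
static int handler_open_fixed(session_globals *ps, const char *save_path) {
    int ret = ps->default_mod->s_open(&ps->mod_data, save_path);
    ps->mod_user_is_open = (ret == SUCCESS);
    return ret;
}

/* SessionHandler::read() with the is-open sanity check in front of the dispatch */
static int handler_read(session_globals *ps, const char *id, char *buf, size_t buflen) {
    if (!ps->mod_user_is_open) {
        return FAILURE;         /* "Session is not active": never reach s_read */
    }
    return ps->default_mod->s_read(&ps->mod_data, id, buf, buflen);
}

/* Runs open+read against a nonexistent path and returns how many times the
 * back-end's s_read was entered without a successful s_open (0 is correct). */
static int violations_for(int (*open_fn)(session_globals *, const char *)) {
    session_globals ps = { &fake_mod, NULL, 0 };
    char buf[32] = "";
    fake_reads_after_failed_open = 0;
    open_fn(&ps, "C:\\doesNotExist\\banana");
    handler_read(&ps, "sess1", buf, sizeof buf);
    return fake_reads_after_failed_open;
}

/* Sanity check that the guard does not break the successful path: returns 1
 * when a read after a successful open yields the back-end's data. */
static int good_path_reads_cached(void) {
    session_globals ps = { &fake_mod, NULL, 0 };
    char buf[32] = "";
    if (handler_open_fixed(&ps, "/tmp/sessions") != SUCCESS) return 0;
    if (handler_read(&ps, "sess1", buf, sizeof buf) != SUCCESS) return 0;
    return strcmp(buf, "cached") == 0;
}

int main(void) {
    printf("buggy open: %d read(s) reached the back-end after a failed open\n",
           violations_for(handler_open_buggy));
    printf("fixed open: %d read(s) reached the back-end after a failed open\n",
           violations_for(handler_open_fixed));
    printf("good path returns cached data: %s\n", good_path_reads_cached() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering in handler_open_buggy(): once the flag is set unconditionally, the sanity check in read() is satisfied for a back-end that never initialised its state, which is exactly the call chain in the WinDBG trace above (zim_SessionHandler_read into ps_read_wincache).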



History
 [2015-06-29 21:38 UTC] ericsten@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-06-29 21:38 UTC] ericsten@php.net
Per e-mail, assigning to YOhgaki.
 [2016-01-14 04:24 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-01-14 04:24 UTC] yohgaki@php.net
This is related to Bug #71038 and fixed partially for PHP 5.6, fully for PHP 7.0
Thank you for reporting.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 08:01:29 2024 UTC