Bug #70885 session_regenerate_id segfaults
Submitted: 2015-11-10 04:39 UTC Modified: 2015-11-12 19:53 UTC
From: JosiahBradley at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.0.0RC6 OS: Amazon Linux
Private report: No CVE-ID: None
 [2015-11-10 04:39 UTC] JosiahBradley at gmail dot com
Description:
------------
Whenever session_regenerate_id() is called PHP segfaults. The session file is created in the save path. I am using php-fpm and my configure line is 

./configure --enable-debug --prefix=/usr/local --enable-fpm --with-fpm-acl --with-fpm-user=php --with-fpm-group=php --with-config-file-path=/usr/local/php5/conf --disable-cgi --disable-short-tags --with-openssl --with-zlib --enable-zip --with-curl=/usr/local/lib --disable-flatfile --enable-opcache --with-gd --with-jpeg-dir=/usr --without-ldap --enable-mbstring --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --disable-phar --with-readline --enable-sockets --enable-pcntl --without-pear --with-gnu-ld --with-libdir=lib64 --libdir=/usr/lib64/

php.ini related to session changed from defaults:

session.hash_function = 1
session.hash_bits_per_character = 6

Test script:
---------------
<?php
session_start();
echo session_save_path();
session_regenerate_id(); // the crash occurs inside this call (see backtrace)


Expected result:
----------------
The location of the session save path.

Actual result:
--------------
#0  ps_files_path_create (buf=0x7ffc75268dc0 "", data=0x0, key=0x7fb976803068 "DKMeRn,GkcwqPerBP6zex4FaSg3", buflen=4096)
    at /usr/local/src/php/php-src/ext/session/mod_files.c:117
#1  0x0000000000649533 in ps_files_key_exists (data=0x7fb976803068, key=0x0) at /usr/local/src/php/php-src/ext/session/mod_files.c:334
#2  0x00000000006478df in zif_session_regenerate_id (execute_data=<optimized out>, return_value=0x7fb9768150b0)
    at /usr/local/src/php/php-src/ext/session/session.c:2081
#3  0x00000000007ce52d in ZEND_DO_ICALL_SPEC_HANDLER () at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:586
#4  0x00000000007c0cdb in execute_ex (ex=<optimized out>) at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:414
#5  0x0000000000809d47 in zend_execute (op_array=0x7fb976874000, op_array@entry=0x7fb9768692c0,
    return_value=return_value@entry=0x7fb976815030) at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:458
#6  0x0000000000785cd4 in zend_execute_scripts (type=type@entry=8, retval=0x7fb976815030, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php/php-src/Zend/zend.c:1428
#7  0x000000000072ac40 in php_execute_script (primary_file=primary_file@entry=0x7ffc7526c290)
    at /usr/local/src/php/php-src/main/main.c:2471
#8  0x000000000043f30c in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/php/php-src/sapi/fpm/fpm/fpm_main.c:1944

 [2015-11-10 05:43 UTC] reeze@php.net
-Status: Open +Status: Feedback
 [2015-11-10 05:43 UTC] reeze@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

It should have been fixed in master. Please try the master branch.
 [2015-11-10 16:37 UTC] JosiahBradley at gmail dot com
Unfortunately there was a change, SHA3, to ext/hash that is preventing compilation on either the master or PHP-7.0 branches. Should I file another bug about the SHA3 compilation error or wait until the 12th for the final PHP 7.0 release?

Also the link to the snapshot is dead so I continued to use the git source.
 [2015-11-12 01:51 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-11-12 01:51 UTC] yohgaki@php.net
According to the backtrace, it seems an empty save_path is causing the segfault.

#0  ps_files_path_create (buf=0x7ffc75268dc0 "", data=0x0, key=0x7fb976803068 "DKMeRn,GkcwqPerBP6zex4FaSg3", buflen=4096)
    at /usr/local/src/php/php-src/ext/session/mod_files.c:117

However, I don't get a segfault on my Fedora 22.

[yohgaki@dev PHP-7.0]$ ./php-bin 
<?php
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>

string(0) ""
string(27) "vwUp0sl8ZjlJL0kE-7WjVi6WXFb"
string(0) ""
string(27) "wq1vwpb9mH6,M,aLjurTV3TWQz1"
string(1) "1"
string(1) "6"

An empty save_path should use the default tmp directory, usually "/tmp" on Linux. If you use an invalid save_path like "/", you should get something like

[yohgaki@dev PHP-7.0]$ ./php-bin 
<?php
ini_set('session.save_path','/');
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>


Warning: session_start(): open(//sess_jxSkw0LA19QJ59sPJz3PR8dyyN2, O_RDWR) failed: Permission denied (13) in - on line 6
string(1) "/"
string(27) "jxSkw0LA19QJ59sPJz3PR8dyyN2"

Warning: session_regenerate_id(): open(//sess_jxSkw0LA19QJ59sPJz3PR8dyyN2, O_RDWR) failed: Permission denied (13) in - on line 8

Warning: session_regenerate_id(): Session write failed. ID: files (path: /) in - on line 8
string(1) "/"
string(27) "jxSkw0LA19QJ59sPJz3PR8dyyN2"
string(1) "1"
string(1) "6"


What is your "session.save_path" setting? Do you see any difference if you set it to "/tmp" explicitly?
 [2015-11-12 02:48 UTC] JosiahBradley at gmail dot com
session.save_path => /usr/local/php5/sessions

When running your code:

sudo -u php php
<?php
ini_set('session.save_path','/');
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>
PHP Warning:  session_start(): open(//sess_ZXiPpBRkQ80MdKYrhWszKREGL83, O_RDWR) failed: Permission denied (13) in - on line 6
PHP Warning:  session_regenerate_id(): open(//sess_ZXiPpBRkQ80MdKYrhWszKREGL83, O_RDWR) failed: Permission denied (13) in - on line 8
PHP Warning:  session_regenerate_id(): Session write failed. ID: files (path: /) in - on line 8
string(1) "/"
string(27) "ZXiPpBRkQ80MdKYrhWszKREGL83"
string(1) "/"
string(27) "ZXiPpBRkQ80MdKYrhWszKREGL83"
string(1) "1"
string(1) "6"

When changing the directory to /tmp, where user php can write, the CLI segfaults and there is no output.

Here is the output of strace:

"<?php\n", 1024)                = 6
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
read(0, "ini_set('session.save_path','/tm"..., 1024) = 37
?>read(0, "ini_set('session.hash_function',"..., 1024) = 36
read(0, "ini_set('session.hash_bits_per_c"..., 1024) = 46
read(0, "ob_start();\n", 1024)          = 12
read(0, "session_start();\n", 1024)     = 17
read(0, "var_dump(session_save_path(),ses"..., 1024) = 44
read(0, "session_regenerate_id();\n", 1024) = 25
read(0, "var_dump(session_save_path(),ses"..., 1024) = 44
read(0, "var_dump(ini_get('session.hash_f"..., 1024) = 87
read(0,
"?>\n", 1024)                   = 3
read(0, "", 1024)                       = 0
gettimeofday({1447295001, 211980}, NULL) = 0
gettimeofday({1447295001, 212072}, NULL) = 0
gettimeofday({1447295001, 212158}, NULL) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "_\21A\31\325\376p\251\241+\246\235*n\336\351\305\275\22\307\374'S\206\230\352\325>\334\31\7\350", 32) = 32
close(3)                                = 0
stat("/tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e", 0x7ffc18c18240) = -1 ENOENT (No such file or directory)
open("/tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 3
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
getuid()                                = 501
flock(3, LOCK_EX)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
pwrite(3, "", 0, 0)                     = 0
close(3)                                = 0
gettimeofday({1447295001, 219125}, NULL) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "2\352\22\17q\201\33\17VaS\17\203Y\350\212}d\276}\0F\323\24\236\31\303\32/\331m\320", 32) = 32
close(3)                                = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
+++ killed by SIGSEGV +++
Segmentation fault


Notice that the file /tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e is created.

My latest build is from commit fdb14346dce221842310f237a7fa8029bda5d5cc on master. I can't update past that commit because of hash.c not wanting to compile because of missing SHA3 references.
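
A triage sketch for the crash data posted in this report, added here as an example and not part of the original thread or of php-src: it pulls NULL pointer arguments out of the gdb frames and classifies the fault address from the strace signal line. The function names, the 4096-byte threshold and the category labels are assumptions of this example; the two input strings are copied from the report.

```python
import re

PAGE_SIZE = 4096  # assumption: an unmapped address below one page is NULL-relative

# Frames #0/#1 and the signal line, copied from the report above.
BACKTRACE = '''#0  ps_files_path_create (buf=0x7ffc75268dc0 "", data=0x0, key=0x7fb976803068 "DKMeRn,GkcwqPerBP6zex4FaSg3", buflen=4096)
#1  0x0000000000649533 in ps_files_key_exists (data=0x7fb976803068, key=0x0) at /usr/local/src/php/php-src/ext/session/mod_files.c:334
'''
STRACE = "--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---"

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)\)")
ARG_RE = re.compile(r"([\w@]+)=(0x[0-9a-f]+)")
SIG_RE = re.compile(r"si_code=(\w+), si_addr=(0x[0-9a-f]+|NULL)")

def null_args(backtrace):
    """Map frame number -> (function, names of pointer arguments equal to 0x0)."""
    found = {}
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # continuation lines such as "    at file.c:117"
        nulls = [name for name, val in ARG_RE.findall(m.group(3)) if int(val, 16) == 0]
        if nulls:
            found[int(m.group(1))] = (m.group(2), nulls)
    return found

def classify_fault(strace_line):
    """Classify a strace SIGSEGV line by si_code and fault address (heuristic)."""
    m = SIG_RE.search(strace_line)
    if not m:
        return None
    code = m.group(1)
    addr = 0 if m.group(2) == "NULL" else int(m.group(2), 16)
    if code == "SEGV_MAPERR" and addr < PAGE_SIZE:
        kind = "null-deref"    # small offset from a NULL base pointer
    elif code == "SEGV_MAPERR":
        kind = "wild-pointer"  # unmapped address far from zero
    else:
        kind = "permission"    # e.g. SEGV_ACCERR: mapped, access not allowed
    return {"si_code": code, "addr": addr, "kind": kind}

def triage(backtrace, strace_line):
    """Combine both views; the innermost frame holding a NULL argument is the first place to look."""
    suspects = null_args(backtrace)
    return {"fault": classify_fault(strace_line),
            "null_args": suspects,
            "innermost_null_frame": min(suspects) if suspects else None}

if __name__ == "__main__":
    print(triage(BACKTRACE, STRACE))
```

On this report's data the fault is classified as a NULL-relative access at offset 0x18, and frame #0 is the innermost frame that received a NULL pointer argument (`data`).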
 [2015-11-12 19:53 UTC] JosiahBradley at gmail dot com
-Status: Feedback +Status: Closed
 [2015-11-12 19:53 UTC] JosiahBradley at gmail dot com
Latest build of master fixes the issue.
 
Last updated: Thu Jan 30 21:01:32 2025 UTC