php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73497 memcache session handler with two backend servers Fatal Error (out of memory)
Submitted: 2016-11-11 09:00 UTC Modified: -
Votes:84
Avg. Score:5.0 ± 0.1
Reproduced:82 of 82 (100.0%)
Same Version:77 (93.9%)
Same OS:6 (7.3%)
From: php at bof dot de Assigned:
Status: Open Package: Session related
PHP Version: 5.6.28 OS: openSUSE 11.4 + 13.1, x86_64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at bof dot de
New email:
PHP Version: OS:

 

 [2016-11-11 09:00 UTC] php at bof dot de
Description:
------------
Using memcache as session handler. Works with a single backend server, fails as indicated below when using two backend servers.

This has been working forever, and is in production using 5.6.27 built the same way as 5.6.28 now. It fails with 5.6.28 on two separate build + test environments (openSUSE 11.4 + 13.1) using different GCC versions and external library base, so it is not build environment related.


Test script:
---------------
?php
# ^session CLI ini variables before call:
#
# session.save_handler = files
# session.save_path = "/var/lib/php5"
# session.use_cookies = 1
# session.use_only_cookies = 1
# session.name = PHPSESSID
# session.auto_start = 0
# session.cookie_lifetime = 0
# session.cookie_path = /
# session.cookie_domain =
# session.cookie_httponly = 1
# session.serialize_handler = php
# session.gc_probability = 1
# session.gc_divisor = 1000
# session.gc_maxlifetime = 1440
# session.bug_compat_42 = Off
# session.bug_compat_warn = Off
# session.referer_check =
# session.entropy_length = 32
# session.entropy_file = /dev/urandom
# session.cache_limiter = nocache
# session.cache_expire = 180
# session.use_trans_sid = 0
# session.hash_function = 3
# session.hash_bits_per_character = 5

# these three just for testing, to suppress headers-sent warning
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

function test() {
        session_name('SID_bof');
        session_id('abcdef');
        if (!session_start()) {
                var_dump('session_start failed');
                exit(1);
        }
        var_dump($_SESSION);
        $_SESSION['bof.test'] = 42;
        session_write_close();
}

ini_set('session.save_handler', 'memcache');
ini_set('session.save_path', 'tcp://192.168.0.2:11211');
test();
ini_set('session.save_path', 'tcp://192.168.0.3:11211');
test();
ini_set('session.save_path', 'tcp://192.168.0.2:11211, tcp://192.168.0.3:11211');
test();
?>

Expected result:
----------------
# on second run, otherwise these are empty arrays first
array(1) {
  'bof.test' =>
  int(42)
}
array(1) {
  'bof.test' =>
  int(42)
}
array(1) {
  'bof.test' =>
  int(42)
}

Actual result:
--------------
# on second run, otherwise these are empty arrays
array(1) {
  'bof.test' =>
  int(42)
}
array(1) {
  'bof.test' =>
  int(42)
}

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 4294967160 bytes) in /tmp/badsess.php on line 37

Call Stack:
    0.0001     234880   1. {main}() /tmp/badsess.php:0
    0.0028     253808   2. test() /tmp/badsess.php:52
    0.0028     253856   3. session_start() /tmp/badsess.php:37

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-11 09:16 UTC] php at bof dot de
Additional information: the memcache module is from https://git.php.net/repository/pecl/caching/memcache.git checked out with tag memcache-3.0.8 - source files are identical between my 5.6.27 (works) and 5.6.28 (breaks) builds.
 [2016-11-13 13:59 UTC] angeloxx at angeloxx dot it
Same version of PHP and Memcache plugin and same issue (try to allocate 4GB of memory).
 [2016-11-15 14:02 UTC] php at bof dot de
Reproducing with my test script and an --enable-debug build, gives some hint:

Fatal error: Allowed memory size of 134217728 bytes exhausted at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:343 (tried to allocate 4294967291 bytes) in /tmp/badsess.php on line 37

url.c:343 is php_url_parse_ex() line
        ret->path = estrndup(s, (ue-s));

Trying to run under gdb with a breakpoint set there, gives the error in a different place:

Fatal error: Allowed memory size of 134217728 bytes exhausted at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:339 (tried to allocate 4294965800 bytes) in /tmp/badsess.php on line 37

That url.c:339 line is:
	ret->fragment = estrndup(p, (ue-p));

Also setting a breakpoint there. Result:

Breakpoint 2, php_url_parse_ex (
    str=0x7ffff7fcc830 "tcp://192.168.8.57:11211, tcp://192.168.8.58:11211", 
    length=24) at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:339
339				ret->fragment = estrndup(p, (ue-p));

The plot thickens... :)

(gdb) print p
$1 = 0x7ffff7fcce21 "\001"
(gdb) print ue
$2 = 0x7ffff7fcc848 ", tcp://192.168.8.58:11211"
(gdb) print ue-p
$3 = -1497

That "p" is "(p = memchr(s, '#', (ue - s)))" from line 329.

(gdb) print s
$4 = 0x7ffff7fcc84e "//192.168.8.58:11211"
(gdb) print ue-s
$5 = -6

So we have a memchr() call already with negative length (probably undefined behaviour).

Here is the change between 5.6.27 and 5.6.28:

--- ../release-5.6.27/php-src/ext/standard/url.c	2016-10-20 17:59:31.906609491 +0200
+++ ./php-src/ext/standard/url.c	2016-11-14 19:01:25.283278279 +0100
@@ -217,28 +217,7 @@
 		goto nohost;
 	}
 
-	e = ue;
-
-	if (!(p = memchr(s, '/', (ue - s)))) {
-		char *query, *fragment;
-
-		query = memchr(s, '?', (ue - s));
-		fragment = memchr(s, '#', (ue - s));
-
-		if (query && fragment) {
-			if (query > fragment) {
-				e = fragment;
-			} else {
-				e = query;
-			}
-		} else if (query) {
-			e = query;
-		} else if (fragment) {
-			e = fragment;
-		}
-	} else {
-		e = p;
-	}
+	e = s + strcspn(s, "/?#");
 
 	/* check for login and password */
 	if ((p = zend_memrchr(s, '@', (e-s)))) {

Given the input string "tcp://192.168.8.57:11211, tcp://192.168.8.58:11211" and "s" already past the initial "tcp://", the old code would have
found the '/', then wouldn't have found '?' or '#' - AND THUS WOULD HAVE LEFT "e" alone.

After that change, "e" will be at the first '/' of the SECOND "argument", so that the code further effectively tries to parse "192.168.8.57:11211, tcp:" and then goes astray....
 [2016-11-15 14:48 UTC] php at bof dot de
adding to my previous "analysis".... I was a bit confused because I found that I couldn't use the PHP level parse_url() function with the same argument as the memcache handler stuff, to get the same (bad result).

Now, looking closely, the difference is that the memcache extension calls php_url_parse_ex with the two-server string BUT length SET TO 24, i.e. only covering the first of the two servers in the string.

But then php_url_parse_ex obviously does not really limit itself to examining the passed-in length, and happily scans the string further.
 [2016-11-15 15:10 UTC] php at bof dot de
The following patch fixes the issue for the memcache extension, by making a temporary copy of the single server parts of save_path before calling php_url_parse_ex:

--- ../release-5.6.28//memcache/memcache_session.c	2016-11-10 16:27:45.963096097 +0100
+++ ./memcache/memcache_session.c	2016-11-15 16:07:09.186618020 +0100
@@ -90,7 +90,10 @@
 				efree(path);
 			}
 			else {
-				url = php_url_parse_ex(save_path+i, j-i);
+				int len = j-i;
+				char *path = estrndup(save_path+i, len);
+				url = php_url_parse_ex(path, strlen(path));
+				efree(path);
 			}
 
 			if (!url) {
 [2016-11-16 09:55 UTC] php at bof dot de
Re-reported against package "memcache (PECL)" in https://bugs.php.net/bug.php?id=73539
 [2016-11-22 08:57 UTC] christian dot lechner at brain dot at
This bug can also be reproduced with php 7.0.13 and memcache 3.0.9-dev
 [2016-12-29 18:44 UTC] marcos dot gonzalez at bol dot com dot br
This bug also happens with redis as a backend for session handling. As long as you put multiple servers on session.save_path, separated by commas.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 17:01:32 2024 UTC