Bug #73939 Memory allocation in signal handler causes segfault
Submitted: 2017-01-15 02:45 UTC Modified: -
From: as@php.net Assigned:
Status: Closed Package: PCNTL related
PHP Version: 7.1.0 OS: Linux 4.4
Private report: No CVE-ID: None
 [2017-01-15 02:45 UTC] as@php.net
Description:
------------
Memory allocation in signal handler introduced by https://wiki.php.net/rfc/additional-context-in-pcntl-signal-handler causes a segfault when compiled with HAVE_STRUCT_SIGINFO_T.

To reproduce, run `php test.php` in one terminal, and run `while true; do pkill -n -SIGTERM php; done` in another terminal. PHP will eventually segfault.

Sample stack trace:

0x00000000008f7073 in zend_mm_alloc_small (heap=0x7ffff3600040, size=64, bin_num=7, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1261
1261			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x00000000008f7073 in zend_mm_alloc_small (heap=0x7ffff3600040, size=64, bin_num=7, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1261
#1  0x00000000008f7316 in zend_mm_alloc_heap (heap=0x7ffff3600040, size=64, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1332
#2  0x00000000008f9e56 in _emalloc (size=32, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/adam/php-src/Zend/zend_alloc.c:2417
#3  0x0000000000951557 in zend_string_alloc (len=4, persistent=0) at /home/adam/php-src/Zend/zend_string.h:122
#4  0x00000000009515c0 in zend_string_init (str=0xffe6fe "code", len=4, persistent=0) at /home/adam/php-src/Zend/zend_string.h:158
#5  0x0000000000954035 in _zend_hash_str_update (ht=0x7ffff365a600, str=0xffe6fe "code", len=4, pData=0x7fffffffafb0, __zend_filename=0x104c288 "/home/adam/php-src/Zend/zend_hash.h", __zend_lineno=446)
    at /home/adam/php-src/Zend/zend_hash.c:650
#6  0x000000000093eaf0 in zend_symtable_str_update (ht=0x7ffff365a600, str=0xffe6fe "code", len=4, pData=0x7fffffffafb0) at /home/adam/php-src/Zend/zend_hash.h:446
#7  0x0000000000945351 in add_assoc_long_ex (arg=0x7fffffffb040, key=0xffe6fe "code", key_len=4, n=0) at /home/adam/php-src/Zend/zend_API.c:1325
#8  0x00000000006bb9f6 in pcntl_siginfo_to_zval (signo=15, siginfo=0x7fffffffb370, user_siginfo=0x7fffffffb040) at /home/adam/php-src/ext/pcntl/pcntl.c:1221
#9  0x00000000006bc0fe in pcntl_signal_handler (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/ext/pcntl/pcntl.c:1384
#10 0x00000000009806cf in zend_signal_handler (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/Zend/zend_signal.c:207
#11 0x000000000097feac in zend_signal_handler_defer (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/Zend/zend_signal.c:101
#12 <signal handler called>
#13 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:238
#14 0x000000000093344e in concat_function (result=0x7ffff36150e0, op1=0x7ffff36150d0, op2=0x7fffffffb950) at /home/adam/php-src/Zend/zend_operators.c:1764
#15 0x0000000000a3013f in ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER () at /home/adam/php-src/Zend/zend_vm_execute.h:51598
#16 0x00000000009ac2e6 in execute_ex (ex=0x7ffff3615030) at /home/adam/php-src/Zend/zend_vm_execute.h:429
#17 0x00000000009ac4e7 in zend_execute (op_array=0x7ffff3672400, return_value=0x0) at /home/adam/php-src/Zend/zend_vm_execute.h:474
#18 0x000000000093e36a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/adam/php-src/Zend/zend.c:1546
#19 0x000000000087755c in php_execute_script (primary_file=0x7fffffffd0b0) at /home/adam/php-src/main/main.c:2535
#20 0x0000000000a3ccca in do_cli (argc=2, argv=0x13b4cd0) at /home/adam/php-src/sapi/cli/php_cli.c:997
#21 0x0000000000a3e15c in main (argc=2, argv=0x13b4cd0) at /home/adam/php-src/sapi/cli/php_cli.c:1390


Test script:
---------------
<?php

// Reporter's reproducer. declare(ticks = 1) lets the PHP-level callback be
// dispatched between statements; the callback itself only prints.
declare(ticks = 1);
pcntl_signal(SIGTERM, function() {
    echo "signal\n";
});

// Keep the engine busy concatenating an 8 KiB temporary string so that an
// incoming SIGTERM is likely to interrupt the allocator (frame #13 in the
// backtrace is the memcpy inside concat_function).
$c = 0;
while(1) {
    $c += 1;
    str_repeat('a', 8192) . $c;
}


Expected result:
----------------
no segfault

Actual result:
--------------
segfault

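The backtrace shows the root cause: pcntl_siginfo_to_zval builds the $siginfo array (emalloc via add_assoc_long_ex) from inside the signal handler, and the signal interrupted the engine in the middle of an allocation, so zend_mm_alloc_small re-enters the heap while its free-list pointers are half updated. The safe pattern is to copy the raw siginfo_t into pre-allocated storage in the handler and build the heap object later on the normal execution path. The following C program is an added illustration of that pattern, not php-src code and not the patch attached to this bug (which is not shown on this page); the names deferred_handler, dispatch_pending, sig_record and the ring-buffer size are this example's own choices, and unsafe_handler is included only to show the shape of the bug beside the fix.

```c
/* Added example: async-signal-safe deferral of siginfo_t (not php-src code). */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SIG_QUEUE_LEN 64   /* example's own choice */

/* Storage the handler writes into: allocated once, up front, never in a handler. */
static siginfo_t sig_queue[SIG_QUEUE_LEN];
static volatile sig_atomic_t sig_head = 0;    /* written only by the handler   */
static volatile sig_atomic_t sig_tail = 0;    /* written only by the main path */
static volatile sig_atomic_t sig_dropped = 0; /* signals lost to a full queue  */

/* The shape of the bug in the backtrace: allocating inside the handler.
 * If the signal lands while the interrupted code holds the allocator in a
 * half-updated state, this call re-enters it and corrupts or crashes the heap. */
static char *unsafe_last_desc = NULL;
static void unsafe_handler(int signo, siginfo_t *info, void *ctx)
{
    (void)ctx;
    char *d = malloc(64);                         /* NOT async-signal-safe */
    if (d) {
        snprintf(d, 64, "sig %d code %d", signo, info->si_code); /* nor is snprintf */
        free(unsafe_last_desc);
        unsafe_last_desc = d;
    }
}

/* Hardened form: copy the struct into pre-allocated storage and return.
 * Only sig_atomic_t stores and one struct copy; no allocator, no stdio. */
static void deferred_handler(int signo, siginfo_t *info, void *ctx)
{
    (void)signo; (void)ctx;
    sig_atomic_t next = (sig_head + 1) % SIG_QUEUE_LEN;
    if (next == sig_tail) {                       /* full: count the loss, never block */
        sig_dropped++;
        return;
    }
    sig_queue[sig_head] = *info;
    sig_head = next;
}

/* deferred != 0 installs the safe handler; 0 installs the unsafe one for comparison. */
static int install_handler(int signo, int deferred)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = deferred ? deferred_handler : unsafe_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

static int sig_pending_count(void)
{
    return (sig_head - sig_tail + SIG_QUEUE_LEN) % SIG_QUEUE_LEN;
}

/* Built on the main path, where allocation is legal: the analogue of the
 * "signo"/"code"/"pid"/"uid" array pcntl hands to the PHP callback. */
struct sig_record {
    int signo, code;
    pid_t pid;
    uid_t uid;
    char *desc;
};

/* Drain up to max queued signals into heap records. Returns how many. */
static int dispatch_pending(struct sig_record **out, int max)
{
    int n = 0;
    while (n < max && sig_tail != sig_head) {
        const siginfo_t *si = &sig_queue[sig_tail];
        struct sig_record *r = malloc(sizeof *r); /* safe: not in a handler */
        if (!r) abort();
        r->signo = si->si_signo;
        r->code  = si->si_code;
        r->pid   = si->si_pid;
        r->uid   = si->si_uid;
        char buf[80];
        snprintf(buf, sizeof buf, "signal %d code %d from pid %ld uid %ld",
                 r->signo, r->code, (long)r->pid, (long)r->uid);
        r->desc = strdup(buf);
        out[n++] = r;
        sig_tail = (sig_tail + 1) % SIG_QUEUE_LEN; /* consume only after the copy */
    }
    return n;
}

static void free_records(struct sig_record **recs, int n)
{
    for (int i = 0; i < n; i++) { free(recs[i]->desc); free(recs[i]); }
}

int main(void)
{
    struct sig_record *recs[8];
    if (install_handler(SIGTERM, 1) != 0) return 1;
    kill(getpid(), SIGTERM);                      /* delivered before kill() returns */
    kill(getpid(), SIGTERM);
    int n = dispatch_pending(recs, 8);            /* allocation happens here, not in the handler */
    for (int i = 0; i < n; i++) puts(recs[i]->desc);
    free_records(recs, n);
    return 0;
}
```

The handler and the main path each write only one index, so no locking is needed; a full queue is reported through sig_dropped rather than by blocking or allocating, which is the trade-off any deferred design has to make.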
Patches

patch.diff (last revision 2017-01-15 02:45 UTC by as@php.net)

Pull Requests

History

 [2017-01-15 02:45 UTC] as@php.net
The following patch has been added/updated:

Patch Name: patch.diff
Revision:   1484448342
URL:        https://bugs.php.net/patch-display.php?bug=73939&patch=patch.diff&revision=1484448342
 [2017-01-16 04:33 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bac4c97602d53b6f07737ce0b51f8a39857cbf76
Log: Fix bug #73939 memory allocation in signal handler when HAVE_STRUCT_SIGINFO_T
 [2017-01-16 04:33 UTC] krakjoe@php.net
-Status: Open +Status: Closed