Bug #18863 PHP leaves a SYSV semaphore unclosed (php -v). Denial of service possibility.
Submitted: 2002-08-12 00:34 UTC Modified: 2002-10-26 01:00 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:4 (66.7%)
Same OS:5 (83.3%)
From: bryce at redhat dot com Assigned:
Status: No Feedback Package: Unknown/Other Function
PHP Version: 4.1.2 OS: RHAT Linux (i386 and Alpha)
Private report: No CVE-ID: None
 [2002-08-12 00:34 UTC] bryce at redhat dot com
I've been contacted by a php user in the wild who told me that by simply issuing 'php -v', a semaphore that php opens for session management is not closed on exit.

This becomes bad news because the ipc system on linux is a global resource and not based per user, so it's possible for a local user to DOS the box by running php -v repeatedly.

[test@alpha3 test]$ ipcs > l
[test@alpha3 test]$ php -v
Content-type: text/html
4.1.2
[test@alpha3 test]$ ipcs > ll
[test@alpha3 test]$ diff l ll
9a10,11
> 0x00000000 65538      test      600        1         
> 0x00000000 98307      test      600        1         

I tried to trace this out between 4.1.2 and 4.2.2 (4.2.2 does not exhibit this behaviour) but I can find no obvious differences in the codepaths between versions. This behaviour seems to be present all the way back to 4.0.6 from the little additional checking I made.

Please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=71097 for a more detailed analysis.

The RH 4.1.2 configure incantation:
./configure --prefix=/usr --with-config-file-path=/etc --enable-force-cgi-redirect --disable-debug --enable-pic --disable-rpath --enable-inline-optimization --with-bz2 --with-db3 --with-curl --with-dom=/usr --with-exec-dir=/usr/bin --with-freetype-dir=/usr --with-png-dir=/usr --with-gd --enable-gd-native-ttf --with-ttf --with-gdbm --with-gettext --with-ncurses --with-gmp --with-iconv --with-jpeg-dir=/usr --with-mm --with-openssl --with-png --with-pspell --with-regex=system --with-xml --with-expat-dir=/usr --with-zlib --with-layout=GNU --enable-bcmath --enable-debugger --enable-exif --enable-ftp --enable-magic-quotes --enable-safe-mode --enable-sockets --enable-sysvsem --enable-sysvshm --enable-discard-path --enable-track-vars --enable-trans-sid --enable-yp --enable-wddx --without-oci8 --with-imap=shared --with-imap-ssl --with-kerberos=/usr/kerberos --with-ldap=shared --with-mysql=shared,/usr --with-pgsql=shared --with-snmp=shared,/usr --with-snmp=shared --enable-ucd-snmp-hack --with-unixODBC=shared --enable-memory-limit --enable-bcmath --enable-shmop --enable-versioning --enable-calendar --enable-dbx --enable-dio --enable-mbstring --enable-mbstr-enc-trans --enable-force-cgi-redirect


Phil
=--=

 [2002-08-12 09:51 UTC] sander@php.net
IIRC, this was fixed someday...  if it works with 4.2.2 then it's no longer a bug. Please try a (non-STABLE) snapshot from http://snaps.php.net and reopen this report if the problem still persists.
 [2002-10-10 00:25 UTC] mrfloppy at ntrippy dot net
I have just compiled and tested this on RH7.2 and 4.2.4-dev and the same behaviour still exists.

If you run php -v enough times (in my case 58 times) you end up with a whole bunch of semaphore arrays that have not been cleaned up and php dying when run from the command line with:

$ php -v
Content-type: text/html

PHP Fatal error:  Unable to start session mm module in Unknown on line 0
 [2002-10-10 06:47 UTC] wez@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-10-26 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
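
Added example (not part of the report or of PHP's own code): a monitoring check for the leak described in this thread. It counts SysV semaphore arrays per owner from `ipcs -s` text and flags when the total nears the system-wide limit. The sample reuses the two arrays from the `ipcs` diff above; the `postgres` line, the limit of 128 and the 80% threshold are constructed values.

```shell
#!/bin/sh
# Constructed sample of `ipcs -s` output. The two "test" arrays are the ones
# shown in the report's diff; the postgres line is a made-up keyed array.
SAMPLE='
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 65538      test       600        1
0x00000000 98307      test       600        1
0x0052e2c1 32769      postgres   600        17
'

# sem_limit: SEMMNI (max semaphore arrays system-wide) is the 4th field
# of /proc/sys/kernel/sem on Linux.
sem_limit() { awk '{ print $4 }' /proc/sys/kernel/sem; }

# sem_owner_counts: read `ipcs -s` text on stdin and print one line per
# owner: "owner total private", where "private" counts arrays whose key is
# 0x00000000 (IPC_PRIVATE), the kind left behind in this report.
sem_owner_counts() {
    awk '$1 ~ /^0x[0-9a-fA-F]+$/ && $2 ~ /^[0-9]+$/ {
             n[$3]++
             if ($1 ~ /^0x0+$/) p[$3]++
         }
         END { for (o in n) printf "%s %d %d\n", o, n[o], p[o] + 0 }' | sort
}

# sem_usage_check LIMIT PCT: print the total number of arrays seen on stdin;
# exit status is 0 while the total is below PCT percent of LIMIT, 1 otherwise.
sem_usage_check() {
    limit=$1 pct=$2
    total=$(awk '$1 ~ /^0x[0-9a-fA-F]+$/ && $2 ~ /^[0-9]+$/ { c++ }
                 END { print c + 0 }')
    echo "$total"
    [ $((total * 100)) -lt $((limit * pct)) ]
}

# Demo on the constructed sample. On a live host, feed the functions with:
#   ipcs -s | sem_usage_check "$(sem_limit)" 80
printf '%s\n' "$SAMPLE" | sem_owner_counts
if printf '%s\n' "$SAMPLE" | sem_usage_check 128 80 >/dev/null; then
    echo "ok: semaphore arrays below 80% of limit"
else
    echo "warn: semaphore arrays near limit"
fi
```

A steadily growing "private" count for one unprivileged owner is the pattern the report's `diff l ll` output shows after a single run.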
Last updated: Sun Oct 27 16:01:27 2024 UTC