Bug #34731 segmentation fault during request shutdown
Submitted: 2005-10-04 15:59 UTC Modified: 2005-10-04 20:16 UTC
From: novicky at aarongroup dot cz Assigned: tony2001 (profile)
Status: Closed Package: OCI8 related
PHP Version: 5CVS-2005-10-04 (CVS) OS: All
Private report: No CVE-ID: None
[2005-10-04 15:59 UTC] novicky at aarongroup dot cz
Description:
------------
There is an incorrect session destructor registration. The pointer registered by zend_list_insert points to a memory block which is then released by efree. This can lead to a segmentation fault when the destructor is called. A proposed patch follows (the same problem is in the development branch).

--- php5-STABLE-200510041238/ext/oci8/oci8.c.ORIG       2005-10-04 15:39:42.301952856 +0200
+++ php5-STABLE-200510041238/ext/oci8/oci8.c    2005-10-04 15:40:58.979935427 +0200
@@ -2879,7 +2879,6 @@
                )
        );

-       session->num = zend_list_insert(session, le_session);
        session->is_open = 1;

        mutex_lock(mx_lock);
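Review bot: removing the zend_list_insert call here leaves session->num unset until the second hunk re-registers the session after the mutex_unlock; confirm that nothing in the locked region between the two hunks (the num_links/num_persistent bookkeeping and the zend_llist_add_element copy) reads session->num, since the copied struct would carry whatever value the field had before registration rather than a valid resource id.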
@@ -2892,6 +2891,7 @@
                }
        mutex_unlock(mx_lock);

+       session->num = zend_list_insert(session, le_session);
        oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

        return session;
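Review bot: registering after the copy is the correct fix for the dangling pointer: in the non-exclusive path `session` now refers to the element owned by session_list (session_list->tail->data in the original code), so the le_session destructor is handed live memory instead of the efree()d block. One point to double-check is that zend_list_insert is now called after mutex_unlock(mx_lock); since the per-request resource list is not shared between threads this should be fine, but if the lock was also meant to cover the registration, the call should instead move inside the locked region directly after the copy.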

[2005-10-04 18:29 UTC] sniper@php.net
Assigned to the maintainer.
[2005-10-04 18:48 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.


[2005-10-04 19:38 UTC] novicky at aarongroup dot cz
It is hard to reproduce, but working on deallocated memory blocks is extremely dangerous. We had problems with segmentation faults on Sparc/Solaris 9.
Have a look at the following code from oci8.c: first a session pointer is inserted into the list by zend_list_insert(), while a few lines below the session structure is copied into a new location by zend_llist_add_element() and the original memory block is deallocated by efree(). Thus the destructor applied to the list would work on deallocated memory!!!

	session->num = zend_list_insert(session, le_session);	/* resource list now holds this pointer */
	session->is_open = 1;

	mutex_lock(mx_lock);
		num_links++;
		if (!exclusive) {
			zend_llist_add_element(session_list, session);	/* struct copied by value into session_list */
			efree(session);					/* original block freed, but still registered above */
			session = (oci_session*) session_list->tail->data;	/* continue with the copy */
			num_persistent++;
		}
	mutex_unlock(mx_lock);

	oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

	return session;
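As an added illustration of the lifetime problem described in the report and in the comment above (a constructed model, not code from oci8.c or the Zend engine): the resource table stores pointers, the persistent list stores copies by value, and efree is modelled as marking a slot freed so the check can tell whether a registered pointer dangles without touching released memory. open_session(exclusive, 1) reproduces the ordering from the report; open_session(exclusive, 0) applies the patched ordering.

```c
#include <string.h>

/* Constructed model of the bug; not Zend/oci8 code. A session is registered by
 * pointer in the resource table (zend_list_insert), then copied by value into
 * the persistent list (zend_llist_add_element) and the original block efree()d. */
typedef struct { int num; int is_open; } oci_session;
enum { MAX_SESSIONS = 8 };
static oci_session *resource_table[MAX_SESSIONS];  /* models the le_session list: pointers */
static int resource_count;
static oci_session session_list[MAX_SESSIONS];     /* models session_list: copies by value */
static int session_list_count;
/* Model heap: efree marks a slot freed instead of releasing it, so a check can
 * ask whether a registered pointer is dangling without reading freed memory. */
static oci_session heap[MAX_SESSIONS];
static int heap_freed[MAX_SESSIONS];
static int heap_used;
static oci_session *emalloc_session(void) {
    oci_session *p = &heap[heap_used]; heap_freed[heap_used++] = 0;
    memset(p, 0, sizeof *p); return p;
}
static void efree_session(oci_session *p) {
    for (int i = 0; i < MAX_SESSIONS; i++) if (p == &heap[i]) heap_freed[i] = 1;
}
static int zend_list_insert_model(oci_session *p) { resource_table[resource_count] = p; return resource_count++; }
static oci_session *zend_llist_add_element_model(const oci_session *src) {
    session_list[session_list_count] = *src;           /* copy by value, as zend_llist does */
    return &session_list[session_list_count++];
}
/* register_before_copy = 1 is the ordering from the report, 0 the patched ordering. */
static oci_session *open_session(int exclusive, int register_before_copy) {
    oci_session *session = emalloc_session();
    if (register_before_copy) session->num = zend_list_insert_model(session);
    session->is_open = 1;
    if (!exclusive) {                                  /* persistent-connection path */
        oci_session *copy = zend_llist_add_element_model(session);
        efree_session(session);                        /* original block released */
        session = copy;                                /* tail->data in the real code */
    }
    if (!register_before_copy) session->num = zend_list_insert_model(session);
    return session;
}
/* What the le_session destructor would receive: does resource_table[num] point into a freed block? */
static int registered_pointer_is_dangling(int num) {
    oci_session *p = resource_table[num];
    for (int i = 0; i < MAX_SESSIONS; i++) if (p == &heap[i]) return heap_freed[i];
    return 0;                                          /* points into session_list: live */
}
static void reset_model(void) { resource_count = session_list_count = heap_used = 0; }
```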
[2005-10-04 20:16 UTC] tony2001@php.net
Patch committed, thanks.
But I'd really recommend that you switch to the new OCI8 from PECL (see http://pecl.php.net/oci8).

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sat Jul 02 00:05:44 2022 UTC