php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #34731 segmentation fault during request shutdown
Submitted: 2005-10-04 15:59 UTC Modified: 2005-10-04 20:16 UTC
From: novicky at aarongroup dot cz Assigned: tony2001 (profile)
Status: Closed Package: OCI8 related
PHP Version: 5CVS-2005-10-04 (CVS) OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
22 - 21 = ?
Subscribe to this entry?

 
 [2005-10-04 15:59 UTC] novicky at aarongroup dot cz 
Description:
------------
There is an incorrect session destructor registration. The pointer registered by zend_list_insert points to a memory block which is then released by efree. This can lead to segmentation fault when destructor is called. A proposed patch follows (the same problem is id development branch)

--- php5-STABLE-200510041238/ext/oci8/oci8.c.ORIG       2005-10-04 15:39:42.301952856 +0200
+++ php5-STABLE-200510041238/ext/oci8/oci8.c    2005-10-04 15:40:58.979935427 +0200
@@ -2879,7 +2879,6 @@
                )
        );

-       session->num = zend_list_insert(session, le_session);
        session->is_open = 1;

        mutex_lock(mx_lock);
@@ -2892,6 +2891,7 @@
                }
        mutex_unlock(mx_lock);

+       session->num = zend_list_insert(session, le_session);
        oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

        return session;

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-04 18:29 UTC] sniper@php.net 
Assigned to the maintainer.
 [2005-10-04 18:48 UTC] tony2001@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.
 [2005-10-04 19:38 UTC] novicky at aarongroup dot cz 
It is hard to reproduce but working on deallocated memory blocks is extremely dangerous. We had problems with segmentation faults on Sparc/Solaris 9.
Have a look on following code coming from oci8.c - first a session pointer is inserted into the list zend_list_insert(), while few lines bellow the session structure is copied into a new location zend_llist_add_element() and the original memory block is deallocated by efree(). Thus destructor applied on list would work on deallocated memory!!!

	session->num = zend_list_insert(session, le_session);
 	session->is_open = 1;

	mutex_lock(mx_lock);
		num_links++;
		if (!exclusive) {
			zend_llist_add_element(session_list, session);
			efree(session);
			session = (oci_session*) session_list->tail->data;
			num_persistent++;
		}
	mutex_unlock(mx_lock);

	oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

	return session;
 [2005-10-04 20:16 UTC] tony2001@php.net 
Patch committed, thanks.
But I'd really recommend you to switch to the new OCI8 from PECL (see http://pecl.php.net/oci8).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 00:01:41 2024 UTC