Bug #41545 Mhash extension SegFaults on MD5 algorithm
Submitted: 2007-05-30 22:04 UTC
Modified: 2007-05-31 21:17 UTC
From: wdierkes at 5dollarwhitebox dot org
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.2
OS: Redhat Enterprise Linux ES 3
Private report: No
CVE-ID:
 [2007-05-30 22:04 UTC] wdierkes at 5dollarwhitebox dot org
Description:
------------
The Mhash extension SegFaults on Redhat Enterprise Linux ES 3 when using the MD5 algorithm.  All other algorithms seem to work except MD5.

NOTE: This appears to possibly be related to bug #30983 which is closed (and I could not touch it).  In that bug, it was claimed to 'not imply a bug in PHP itself'.  This may be true, however similar tests against the Mhash library itself using C code function as expected.


I ran the same test against the Mhash library using the following C code located here:

http://www.5dollarwhitebox.org/tmp/mhash_test.c


You must install the Mhash library obviously, then compile and run the test file:

[rpm-dev@linuxbox ~]$ gcc -lmhash -o mhash_test mhash_test.c
[rpm-dev@linuxbox ~]$ ./mhash_test



The issue exists on Rhel3 i386/x86_64, but does *not* exist on Rhel4. I am using Mhash-0.9.9.

Reproduce code:
---------------
PHP Code:

<?php
    $input = "PassW0rd";
    print "clear text input: " . $input . "\n";
    $tmp_hash_name = mhash_get_hash_name(MHASH_MD5);
    print "hash name: " . $tmp_hash_name . "\n";
    print "hash follows: "; 
    print bin2hex(mhash(MHASH_MD5, $input)) . "\n";
?>

Expected result:
----------------
Expected PHP Output:

[rpm-dev@linuxbox ~]$ php mhash_test.php 
clear text input: PassW0rd
hash name: MD5
hash follows: 298cde70c32a57b84d0a546fedbb2596


Actual result:
--------------
Actual PHP Output:

[rpm-dev@linuxbox ~/]$ php mhash_test.php 
clear text input: PassW0rd
hash name: MD5
hash follows: Segmentation fault

 [2007-05-30 23:53 UTC] wdierkes at 5dollarwhitebox dot org
The problem does not exist when the php-ldap extension is *not* loaded.  Unloading ldap from the running PHP fixes the problem.
 [2007-05-31 09:11 UTC] sniper@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2007-05-31 17:06 UTC] wdierkes at 5dollarwhitebox dot org
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1218525024 (LWP 4690)]
0x0068c5b8 in malloc_consolidate () from /lib/tls/libc.so.6

(gdb) bt
#0  0x0068c5b8 in malloc_consolidate () from /lib/tls/libc.so.6
#1  0x0068bd59 in _int_malloc () from /lib/tls/libc.so.6
#2  0x0068b0fd in malloc () from /lib/tls/libc.so.6
#3  0x00dbe5a2 in apr_allocator_set_mutex () from /usr/lib/libapr-0.so.0
#4  0x00117942 in apr_bucket_alloc () from /usr/lib/libaprutil-0.so.0
#5  0x001171c2 in apr_brigade_write () from /usr/lib/libaprutil-0.so.0
#6  0x08077557 in ap_old_write_filter ()
#7  0x08077667 in ap_rwrite ()
#8  0x07439d4b in php_apache_sapi_ub_write (
    str=0xb73931cc "clear text input: PassW0rd\nname: MD5\nhash follows: ", '0' <repeats 32 times>, "\n", str_length=84)
    at /usr/src/debug/php-5.2.2/sapi/apache2handler/sapi_apache2.c:78
#9  0x0737b765 in php_ub_body_write_no_header (
    str=0xb73931cc "clear text input: PassW0rd\nname: MD5\nhash follows: ", '0' <repeats 32 times>, "\n", str_length=84)
    at /usr/src/debug/php-5.2.2/main/output.c:688
#10 0x0737b859 in php_ub_body_write (
    str=0xb73931cc "clear text input: PassW0rd\nname: MD5\nhash follows: ", '0' <repeats 32 times>, "\n", str_length=84)
    at /usr/src/debug/php-5.2.2/main/output.c:721
#11 0x0737a98b in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0 '\0') at /usr/src/debug/php-5.2.2/main/output.c:300
#12 0x0737ab46 in php_end_ob_buffers (send_buffer=1 '\001') at /usr/src/debug/php-5.2.2/main/output.c:339
#13 0x07366eaf in php_request_shutdown (dummy=0x0) at /usr/src/debug/php-5.2.2/main/main.c:1291
#14 0x0743aafa in php_apache_request_dtor (r=0x9e31920) at /usr/src/debug/php-5.2.2/sapi/apache2handler/sapi_apache2.c:463
#15 0x0743b292 in php_handler (r=0x9e31920) at /usr/src/debug/php-5.2.2/sapi/apache2handler/sapi_apache2.c:635
#16 0x08068625 in ap_run_handler ()
#17 0x08068c3f in ap_invoke_handler ()
#18 0x08065266 in ap_process_request ()
#19 0x080608dc in _start ()
#20 0x09e31920 in ?? ()
#21 0x00000004 in ?? ()
#22 0x09e31920 in ?? ()
#23 0x009dd2f7 in modperl_process_connection_handler () from /etc/httpd/modules/mod_perl.so
#24 0x080723d5 in ap_run_process_connection ()
#25 0x08066b01 in ap_graceful_stop_signalled ()
#26 0x08066d1a in ap_graceful_stop_signalled ()
#27 0x08066d76 in ap_graceful_stop_signalled ()
#28 0x080675cd in ap_mpm_run ()
#29 0x0806dbcf in main ()



NOTE: A co-worker of mine mentioned that he ran into this a while ago.  He mentioned that the issue was that the ldap module, and Mhash library had conflicting function names (possibly relating to SSL)... etc.  Therefore, it is likely not a PHP issue directly, though not certain of the proper path to take in resolving the matter.
 [2007-05-31 17:13 UTC] tony2001@php.net
Well, if some third party libraries have a symbol with the same name, we can hardly fix them.
The problem is clearly not in the extensions, since they don't have any similar symbols at all.
Please report the problem to OpenLDAP/Mhash developers if/when you have more details.
 [2007-05-31 21:17 UTC] wdierkes at 5dollarwhitebox dot org
This issue can be followed up at the following Mhash bug track:

http://sourceforge.net/tracker/index.php?func=detail&aid=1729145&group_id=4286&atid=104286


A patch has been submitted to work around this issue, and can be downloaded from there.
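
The diagnosis reached in this thread is that two third-party libraries loaded into the same process define a symbol with the same name. The following is an added example, not code from this report or from the PHP, Mhash or OpenLDAP projects: a shell helper that lists the global symbols two shared objects both define, given their `nm -D --defined-only` listings. The sample listings and every symbol name in them are constructed, and the library paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: find global symbols defined by BOTH of two shared objects.
# Input is the text of `nm -D --defined-only <lib>`: "address type name".

# Constructed sample listings (not taken from any real library).
SAMPLE_A='0000000000001130 T example_md5_init
0000000000001190 T example_md5_update
0000000000004010 D example_table
0000000000001200 t example_local_helper
0000000000001250 W example_weak_hook'

SAMPLE_B='0000000000002040 T example_md5_init
00000000000020a0 T example_md5_update
0000000000002100 T example_ldap_bind
                 U malloc
0000000000002200 t example_local_helper'

# defined_globals: read an nm listing on stdin and print the names of
# defined global symbols (types T, D, B, R, V, W), sorted and unique.
# Lowercase types (local symbols) and undefined "U" lines are ignored.
# Any "@VERSION" suffix is stripped so versioned names compare equal.
defined_globals() {
    awk 'NF == 3 && $2 ~ /^[TDBRVW]$/ { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# colliding_symbols LISTING_A LISTING_B: print names defined in both.
colliding_symbols() {
    a=$(mktemp)
    b=$(mktemp)
    printf '%s\n' "$1" | defined_globals > "$a"
    printf '%s\n' "$2" | defined_globals > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Real use (paths are placeholders):
#   colliding_symbols "$(nm -D --defined-only /path/to/first.so)" \
#                     "$(nm -D --defined-only /path/to/second.so)"
colliding_symbols "$SAMPLE_A" "$SAMPLE_B"
```

A name printed here is a candidate only: which definition a call actually binds to depends on library load order and on how each library was linked.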
 
Last updated: Sun Apr 20 03:02:42 2014 UTC