php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44872 canary mismatch on efree() - heap overflow detected
Submitted: 2008-04-30 17:19 UTC Modified: 2010-02-09 13:50 UTC
Votes:56
Avg. Score:4.6 ± 0.8
Reproduced:51 of 51 (100.0%)
Same Version:13 (25.5%)
Same OS:4 (7.8%)
From: mattr at shoplet dot com Assigned:
Status: Closed Package: MySQLi related
PHP Version: 5.2.5 OS: FreeBSD 6.2
Private report: No CVE-ID: None
 [2008-04-30 17:19 UTC] mattr at shoplet dot com
Description:
------------
The execution of the attached script halts unexpectedly with "ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '../library/Zend/Db/Statement/Mysqli.php', line 113)" in the apache error log.


PHP Info:
-----------------------
PHP Version => 5.2.5
System => FreeBSD localhost 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007     root@dessler.cse.buff
alo.edu:/usr/obj/usr/src/sys/SMP i386
Configure Command =>  './configure'  '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--e
nable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection' '--program-prefix=' '--enable-fastcgi' '--with-apxs=/usr/lo
cal/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--enable-debug' '--enable-zend-multibyte' '--prefix=/usr/local' '--ma
ndir=/usr/local/man' '--infodir=/usr/local/info/'
PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => yes
Thread Safety => disabled
Zend Memory Manager => enabled
IPv6 Support => enabled

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

-----------------------

Script fails on another machine running Debian 4 in the same reproducible manner with and without the Suhosin patch.




Reproduce code:
---------------
#!/usr/local/bin/php
<?php

set_include_path('../library/'. PATH_SEPARATOR . '../application/lib/' . PATH_SEPARATOR . get_include_path());

require_once('Zend/Db.php');
// Zend Db classes can be found here: http://framework.zend.com
// Can attach to the ticket later if needed.

date_default_timezone_set('America/New_York');

$db = Zend_Db::factory('mysqli',Array('host'=>'localhost','username'=>'','password'=>'','dbname'=>'eproc'));
$order_num = 1208212550;

$sql = $db->quoteInto("SELECT * FROM `eproc`.`Orders` WHERE `order_num`=? LIMIT 1",$order_num);
$q = $db->fetchAll($sql);

$batch_status = $db->fetchOne("SELECT `to_po` FROM `eproc2`.`batch_status` WHERE `status`='done' ORDER BY `to_po` DESC LIMIT 1");

$items = $db->fetchAll("SELECT * FROM `eproc`.`Order_Item` WHERE `order_num`='{$order_num}' ORDER BY `line_num` ASC");

$notes = $db->fetchAll("SELECT * FROM `eproc`.`notes` WHERE `order_num`='{$order_num}' ORDER BY `sticky` DESC, `date_modified` ASC");


$emails = $db->fetchAll("SELECT `message_id`,`from_email`,`to_email`,`subject`,`date_received` FROM `email_store`.`email` WHERE `order_num`='{$order_num}' ORDER BY `date_received` ASC");

$attachments = $db->fetchAll("SELECT * FROM `files`.`order_attachments` WHERE `order_num`='{$order_num}' ORDER BY `timestampAdded` ASC");

print_r($q);
print_r($order_id);
print_r($batch_status);
print_r($items);
print_r($notes);
print_r($emails);
print_r($attachments);


Expected result:
----------------
Several Arrays of database results

Actual result:
--------------
Execution:
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_opcode.c(238) : Block 0x0828d0e0 status:
Invalid pointer: ((prev=0x00000045) != (prev.size=0x00000000))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.h(35) : Block 0x0828d09c status:
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.c(36) : Actual location (location was relayed)
Invalid pointer: ((size=0x00000000) != (next.prev=0x0000003d))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
/usr/ports/databases/php5-mysqli/work/php-5.2.5/ext/mysqli/mysqli_api.c(362) :  Freeing 0x0828D060 (0 bytes), script=./index.php
zend_mm_heap corrupted
Segmentation fault (core dumped)




Backtrace:

#0  0x28583ecb in kill () from /lib/libc.so.6
#1  0x08150f51 in zend_mm_panic (message=0x8252700 "zend_mm_heap corrupted")
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:94
#2  0x08151ef5 in zend_mm_find_leaks (segment=0x827e000, b=0x828d02c)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1223
#3  0x08152070 in zend_mm_check_leaks (heap=0x827d400) at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1277
#4  0x08152aaf in zend_mm_shutdown (heap=0x827d400, full_shutdown=0, silent=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1632
#5  0x08154a76 in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:2553
#6  0x0812479b in php_request_shutdown (dummy=0x0) at /usr/ports/lang/php5/work/php-5.2.5/main/main.c:1510
#7  0x081d7677 in main (argc=2, argv=0xbfbfeca0) at /usr/ports/lang/php5/work/php-5.2.5/sapi/cli/php_cli.c:1327



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-05-10 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-07-21 04:24 UTC] mike at gmi dot co dot nz
Experiencing the same thing with an MSSQL query (mssql_query()) on Debian and using PHP 5.2.6-2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul  3 2008 07:52:34)
 [2008-09-08 20:43 UTC] ndwolf at gmail dot com
same error with PHP Version 5.2.4-2ubuntu5.3
with the Suhosin Patch 0.9.6.2
Zend Engine v2.2.0
with Zend Extension Manager v1.2.0
with Zend Optimizer v3.2.6
with jobqueue_client wrapper v1.0
with DISABLED Zend Download Server v1.0.6
with DISABLED Zend Platform v3.0.1
with Zend Debugger v5.2.5
with gd wrapper v1.0

executing line 83 of Zend/Loader.php (Zend Framework 1.6.0)

the line is a "include_once $file"
 [2008-09-30 11:39 UTC] donald at designknights dot com
php version = 5.2.4-2ubuntu5.3

I am getting this same problem with the following bit of code

//class I wrote to make doing things on a remote machine easier 
$ssh->init($server, $port, $username, $password);

$command = "if [ -d '$path' ]; then echo \"true\"; else echo \"false\"; fi 2> /dev/null";

//this executes the command above on the remote and gathers a true or false answer form the ssh stream
$answer = $ssh->execute_return($command);

//this line is where it barfes all over the memory
if ($answer === "true\n"){
    return true;
}
else {
    return false;
}
 [2008-10-10 09:50 UTC] krister dot karlstrom at arcada dot fi
I'm experiencing the same bug using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli) on a Ubuntu Hardy 8.0.4 server.

The following simplified example shows the problem, the last echo row is not executed because of mssql_free_result() fails:

<?php

$link = mssql_connect('xxxx.xx', 'xxx', 'xxxx');

if(is_resource($link))
{
	if(mssql_select_db('kursbok', $link))
	{
		$result = mssql_query('select * from Utbildningsprogram order by up_nr');
		
		if(is_resource($result))
		{
			$obj = mssql_fetch_object($result);
			echo $obj->up_nr."\n";
			
			mssql_free_result($result);
		}
	}
}
	
echo "Here I am - NOT!";

?>

OUTPUT
==================================================================
201000
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/var/www/xxxx/TestMsSQL.php', line 16)
 [2009-03-11 09:17 UTC] dballance at roydshall dot org
I have the same error when running certain queries with mssql_query(). There seems to be no way to predict which queries will run and which fail - although if a query fails it always fails and if it runs then it alway runs. The more complex the query, the more likely to fail.

I am running PHP Version 5.2.4-2ubuntu5.5 with Suhosin Patch 0.9.6.2. 
Example code that trips the switch:

$dbhandle = mssql_connect($myServer, $myUser, $myPass);
$selected = mssql_select_db($myDB, $dbhandle);

$query = "SELECT * FROM sims.curr_group INNER JOIN sims.curr_class_period ON sims.curr_group.base_group_id = sims.curr_class_period.base_group_id INNER JOIN sims.sims_person ON sims.sims_person.person_id = sims.curr_class_period.person_id
WHERE (sims.curr_group.short_name = '9b/It1')";

$result = mssql_query($query);

while($row = mssql_fetch_array($result)) {
   print_r($row);
}

//close the connection
mssql_close($dbhandle);
 [2009-03-22 19:38 UTC] mr dot jony at gmail dot com
i have this same problem in a fresh install of ubuntu 8.04 lts

and i dont have the suhosin patch

please help
 [2009-04-21 14:39 UTC] fr33z at inmail dot cz
I have the same issue with PHP Version 5.2.9-pl2-gentoo
'./configure' '--prefix=/usr/lib64/php5' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/lib64/php5/man' '--infodir=/usr/lib64/php5/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--with-libdir=lib64' '--with-pcre-regex=/usr' '--enable-maintainer-zts' '--disable-cli' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--with-config-file-scan-dir=/etc/php/apache2-php5/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--with-curlwrappers' '--disable-dbase' '--enable-exif' '--without-fbsql' '--without-fdftk' '--enable-ftp' '--with-gettext' '--without-gmp' '--disable-ipv6' '--disable-json' '--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--with-mhash' '--without-msql' '--without-mssql' '--with-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--without-pgsql' '--without-pspell' '--without-recode' '--disable-shmop' '--without-snmp' '--disable-soap' '--enable-sockets' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-wddx' '--without-xmlrpc' '--with-xsl' '--enable-zip' '--with-zlib' '--disable-debug' '--enable-dba' '--without-cdb' '--with-db4' '--disable-flatfile' '--with-gdbm' '--without-qdbm' '--with-freetype-dir=/usr' '--with-t1lib=/usr' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--without-xpm-dir' '--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli' '--without-pdo-dblib' '--with-pdo-mysql=/usr' '--without-pdo-odbc' '--without-pdo-pgsql' '--without-pdo-sqlite' '--with-readline' '--without-libedit' '--without-mm' '--without-sqlite' '--with-pic'
 [2009-05-03 13:48 UTC] ewilded at gmail dot com
Same situation on PHP 5.2.9 with Suhosin-Patch 0.9.7 (cli) (built: May  2 2009 14:51:38), OS: Slackware 12, i'm connecting to Oracle DB on remote machine using PDO, script gets killed while trying to execute simple SELECT statement without any params (same code works fine with MySQL).
 [2009-05-06 14:16 UTC] j dot vd dot broek at home dot nl
This solution I saw on another website might help fixing it in a next build of PHP or at least show people with the same problem a way out of it:
http://chrisblunt.com/blog/2009/05/01/php-fixing-mismatched-canaries-how-to-remove-suhosin-from-debianubuntu-packages/
 [2009-07-17 09:13 UTC] emiel dot molenaar at gmail dot com
Any news about this one? Having the same issue here on Debian:

PHP 5.2.10-2 with Suhosin-Patch 0.9.7 (cli) (built: Jul 10 2009 
01:47:03)
 [2009-08-06 00:18 UTC] robert at robert-gonzalez dot com
I am having this same issue on Ubuntu 8.10 running against Sybase 12.5. This actually just started happening against the CLI version of PHP when attempting to connect more than once to the database server in the same request. Any idea when this might get fixed? Or if not, anyone have a reliable work around?
 [2009-08-07 12:44 UTC] werner at flyingdog dot de
I also can reproduce this error (Suhosin Patch installed). Very simple test script: 


<?php
$demo_user[]=(object)array("first" => 1);
$demo_user[]=(object)array("second" => 2);
$demo_user[]=(object)array("third" => 3);

echo "<pre>"; var_dump($demo_user); echo "</pre>";

?>

Error Log:
[Fri Aug 07 14:38:06 2009] [error] [client xx.xx.xx.xx] ALERT - canary mismatch on efree() - heap overflow detected (attacker 'xx.xx.xx.xx', file '/somedir/somedir/htdocs/f.php', line 2)

Version Info:

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch proxy_html/3.0.0 Server at xxxxxx Port 80
 [2009-08-20 07:42 UTC] p dot elagin at gmail dot com
PHP Version 5.2.10-2
Linux xxxxxxx.ru 2.6.26-2-amd64 #1 SMP Fri Aug 14 07:12:04 UTC 2009 x86_64
___
Same Problem
[Thu Aug 20 11:34:09 2009] [error] [client 212.16.10.34] ALERT - canary mismatch on efree() - heap overflow detected (attacker 'xxxxxxx', file 'xxxxxxx/index.php'), referer: http://text.foothold.ru/index.php

Linux - Debian ( squeeze )

i have this problem when i install 5.2.10-1, i reinstall to 5.2.9 all is ok. now i update my system and problem restore ((((
 [2009-09-09 09:56 UTC] joeysmith at gmail dot com
Sorry for the noise - testing the assertion that CAPTCHAs are broken.
 [2009-09-09 10:07 UTC] neofutur dot php at ww7 dot be
your bugtool dont accept my comment after 40 attempts, so I just post the pastebin url containing all my comments and logs :

http://dpaste.com/91360/
 [2009-09-09 10:21 UTC] neofutur dot php at ww7 dot be
I also tried the code suggested :

<?php
$demo_user[]=(object)array("first" => 1);
$demo_user[]=(object)array("second" => 2);
$demo_user[]=(object)array("third" => 3);

echo "<pre>"; var_dump($demo_user); echo "</pre>";

?>

 This doesnt trigger any error message here
 [2009-09-09 12:03 UTC] neofutur dot php at ww7 dot be
update/workaround . . . but scary . . .

 someone on ##php tols me to restart apache, that when you get one of  those canary mismatch on efree() you get many until you restart apache.
 I didnt pay attention at the beginning but finally tried it.

 Its simply true, when you get those messages , restart apache and you will see no more of them ( until the next apache overflow ? )
 [2009-09-09 20:51 UTC] squarious at gmail dot com
I have the same error on 5.2.10 with suhosin patch.
Linux 2.6.31-10-generic #30-Ubuntu SMP Tue Sep 8 12:32:38 UTC 2009 x86_64 GNU/Linux

The tested site was working perfectly on Ubuntu 8.04 LTS with untouched PHP 5.2.4 (with suhosin patch). The behaviour however is not standard and it depends if the page is first time visite
 [2010-02-09 13:22 UTC] jimmy at pixelant dot se
Feb  9 13:51:36 xxxxxxxxxxxxxx suhosin[4498]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'x.x.x.x', file 'class.t3lib_htmlmail.php', line 718)


Upgrade to php 5.2.12 resolved this issue.
 [2010-03-12 01:57 UTC] capitalplus at yandex dot ru
In my situation helped this solution:

Open php.ini and set parameter

mssql.datetimeconvert = Off

restart Apache. Error no longer appears.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 13:01:28 2024 UTC