Bug #45188 Crash during request shutdown if mail server shuts down
Submitted: 2008-06-05 15:41 UTC Modified: 2009-06-03 11:41 UTC
From: thomas dot jarosch at intra2net dot com Assigned: fb-req-jani (profile)
Status: Closed Package: IMAP related
PHP Version: 5.2.6 OS: linux
Private report: No CVE-ID: None
 [2008-06-05 15:41 UTC] thomas dot jarosch at intra2net dot com
Description:
------------
Hello together,

if you use a webmail application like Horde's IMP and restart the 
server while an IMAP command is processing, PHP segfaults on request 
shutdown.

Here's a backtrace of the crash:

(gdb) bt
#0  0x632f6564 in ?? ()
#1  0x01a6b575 in mail_close_full (stream=0x87b8ad8, options=0) at 
mail.c:1361
#2  0x01a494e3 in mail_close_it (rsrc=0xb7977840) 
at /usr/src/redhat/BUILD/php-5.2.6/ext/imap/php_imap.c:229
#3  0x006dacc7 in list_entry_destructor (ptr=0xb7977840) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:184
#4  0x006d8a3a in zend_hash_del_key_or_index (ht=0x7cb480, arKey=0x0, 
nKeyLength=0, h=81, flag=1) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:497
#5  0x006da915 in _zend_list_delete (id=81) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:58
#6  0x006cb9ed in _zval_dtor_func (zvalue=0xb79d7a74) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.c:60
#7  0x006be95e in _zval_dtor (zvalue=0xb79d7a74) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.h:35
#8  0x006bebac in _zval_ptr_dtor (zval_ptr=0xb79a9610) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:414
#9  0x006d8b33 in zend_hash_destroy (ht=0xb7a1a71c) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:526
#10 0x006eae64 in zend_object_std_dtor (object=0xb7b9bf08) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:45
#11 0x006eb287 in zend_objects_free_object_storage 
(object=0xb7b9bf08) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:122
#12 0x006eec3f in zend_objects_store_free_object_storage 
(objects=0x7cb528) 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects_API.c:89
#13 0x006be7c7 in shutdown_executor () 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:299
#14 0x006cd48d in zend_deactivate () 
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend.c:860
#15 0x0067d8d2 in php_request_shutdown (dummy=0x0) 
at /usr/src/redhat/BUILD/php-5.2.6/main/main.c:1486
#16 0x00742f2f in php_apache_request_dtor (r=0x8776f70) 
at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#17 0x007438ce in php_handler (r=0x8776f70) 
at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:641
#18 0x08065f19 in ap_run_handler ()
#19 0x08068f61 in ap_invoke_handler ()
#20 0x080639d8 in ap_process_request ()
#21 0x0805e6b8 in _start ()

I took a look at the structures in #1 mail_close_full 
(stream=0x87b8ad8, options=0), the memory was totally bogus and 
already reused. To me this looks like a use-after-free issue.

While debugging I've found another crash in c-client's IMAP extension 
and I will submit a patch upstream.

I was unable to find the source of this crash, but I suspect the 
connection already gets closed and then PHP tries to close it twice 
or something like that.

Reproduce code:
---------------
Move mails via IMAP to another folder and restart your IMAP server.

Expected result:
----------------
Error message "Connection to server died".

Actual result:
--------------
Segfault.

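The reporter's suspicion is a double close: the stream is torn down once when the connection dies and again by PHP's resource destructor at request shutdown, by which time the memory has been reused. The following C model is an added illustration, not code from PHP or c-client; the stream, driver table and resource record are simplified stand-ins, and "freed" memory is represented by a flag so the unsafe path reports where the real call would have crashed instead of actually dereferencing freed memory. It contrasts that unguarded sequence with the usual mitigation, a single owner that clears its pointer after the first close so the destructor is idempotent.

```c
#include <stddef.h>

/* Stand-in for a c-client MAILSTREAM: a driver table whose close callback
 * mail_close_full() calls through (assumption: modelled, not c-client). */
typedef struct stream stream_t;
typedef struct { void (*close)(stream_t *); } driver_t;
struct stream { driver_t *dtb; int freed; };

/* PHP-side resource record as the list destructor (mail_close_it) sees it. */
typedef struct { stream_t *stream; } imap_resource_t;

static int close_calls;                       /* how often the driver ran */
static void imap_close(stream_t *s) { (void)s; close_calls++; }
static driver_t imap_driver = { imap_close };

/* Simulated mail_close_full: 0 on a live stream, -1 where the real call would
 * dereference freed memory (the garbage frame #0 in the backtrace). */
static int sim_mail_close_full(stream_t *s) {
    if (s == NULL || s->freed) return -1;     /* would have segfaulted here */
    s->dtb->close(s);
    s->freed = 1;                             /* block goes back to allocator */
    return 0;
}

/* Unguarded sequence: the link-loss handler closes the stream but leaves the
 * dangling pointer in the resource, so request shutdown closes it again. */
int shutdown_unguarded(void) {
    stream_t st = { &imap_driver, 0 };
    imap_resource_t res = { &st };
    close_calls = 0;
    sim_mail_close_full(res.stream);          /* connection died mid-command */
    return sim_mail_close_full(res.stream);   /* list destructor at shutdown */
}

/* Hardened sequence: one owner clears the pointer on the first close, so the
 * destructor is idempotent and never touches memory that was given back. */
static void resource_close(imap_resource_t *r) {
    if (r->stream == NULL) return;            /* already closed: nothing to do */
    sim_mail_close_full(r->stream);
    r->stream = NULL;
}
int shutdown_guarded(void) {
    stream_t st = { &imap_driver, 0 };
    imap_resource_t res = { &st };
    close_calls = 0;
    resource_close(&res);                     /* connection died mid-command */
    resource_close(&res);                     /* list destructor at shutdown */
    return close_calls;                       /* driver ran exactly once */
}
```

In a real build the same property is what AddressSanitizer or a debug allocator would flag on the second close; the guarded variant is the shape a resource destructor needs so shutdown cannot reach a stream that an earlier error path already released.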
History
 [2009-05-19 15:24 UTC] jani@php.net
Now, since you could fix the compile failure, does your original issue in this report exist or not using that snapshot? (we'll deal with that compile failure, don't worry :)
 [2009-05-27 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-06-03 11:41 UTC] thomas dot jarosch at intra2net dot com
I was now able to verify that the issue does not occur
with PHP 5.2.x 200906030630 anymore. Case closed :-)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Jul 16 10:01:26 2019 UTC