Bug #45217 crash if -z and -m are used together
Submitted: 2008-06-09 16:14 UTC Modified: 2009-12-08 15:45 UTC
From: dmda at yandex dot ru Assigned:
Status: Closed Package: CGI/CLI related
PHP Version: 5.2.9 OS: win32 only
Private report: No CVE-ID: None
 [2008-06-09 16:14 UTC] dmda at yandex dot ru
Description:
------------
if -z and -m command line options are used together, php-cgi will crash.

It happens because the print_extensions() function in cgi_main.c has a serious flaw:
1) it first makes a copy of the main list of zend_extensions
2) then it dumps out the content
3) then it destroys its copy of the list
During phase 3, the list destructor is called and it UNLOADS all the zend_extensions. It SHOULD be noted that at this time the main list still has the original copies of zend_extensions, and that's why php will crash during shutdown in an attempt to walk through the list and shut down the extensions.

You may replicate the problem with _ANY_ zend_extension. Better to do it under Windows, which unmaps memory regions, and shutdown will try to call non-existing code. So the crash is unavoidable.

Reproduce code:
---------------
no code necessary

Expected result:
----------------
no crash is expected

Actual result:
--------------
backtrace from VC6:

015c2049()
zend_extension_shutdown(_zend_extension * 0x014c4568, void * * * 0x01021c70) line 129 + 10 bytes
zend_llist_apply(_zend_llist * 0x10508620 _zend_extensions, void (void *, void * * *)* 0x1007536c zend_extension_shutdown(_zend_extension *, void * * *), void * * * 0x01021c70) line 193 + 14 bytes
zend_shutdown_extensions(void * * * 0x01021c70) line 166 + 19 bytes
zend_shutdown(void * * * 0x01021c70) line 741 + 9 bytes
php_module_shutdown(void * * * 0x01021c70) line 1887 + 9 bytes
main(int 4, char * * 0x01021cd0) line 2058 + 10 bytes
PHP-CGI! mainCRTStartup + 227 bytes
KERNEL32! 7c816fd7()


 [2009-04-21 13:19 UTC] dmda at yandex dot ru
php-cgi.exe from the latest snapshot php-5.2-win32-VC6-x86-latest (threadsafe) still crashes with the following command:

php-cgi.exe -z C:\test\ioncube_loader_win_5.2.dll -m

Note #1, to get -z option to work you need a zend extension, for example ioncube loader.

Note #2, the order of the options is important. If you put -m before -z, it does not crash.

Note #3, empty php.ini is enough to replicate the problem. No php extensions are needed.
 [2009-04-21 13:26 UTC] dmda at yandex dot ru
Just checked with php compiled from sources php5.2-200904211030.tar.gz - it crashed too:

zend_llist_apply(_zend_llist * 0x105171a0 _zend_extensions, void (void *, void * * *)* 0x1007b61c zend_extension_shutdown(_zend_extension *, void * * *), void * * * 0x00342650) line 193 + 14 bytes
zend_shutdown_extensions(void * * * 0x00342650) line 166 + 19 bytes
zend_shutdown(void * * * 0x00342650) line 741 + 9 bytes
php_module_shutdown(void * * * 0x00342650) line 1906 + 9 bytes
main(int 4, char * * 0x00342540) line 2140 + 10 bytes
PHP-CGI! mainCRTStartup + 227 bytes
KERNEL32! 7c817077()
 [2009-04-25 15:48 UTC] jani@php.net
I can not reproduce on linux using latest CVS checkout of PHP_5_2 and xdebug.
 [2009-04-25 17:49 UTC] dmda at yandex dot ru
the change below has fixed the bug I reported on Jun 9 2008:

 static void print_extensions(TSRMLS_D)
 {
 	zend_llist sorted_exts;
 
 	zend_llist_copy(&sorted_exts, &zend_extensions);
+	sorted_exts.dtor = NULL;
 	zend_llist_sort(&sorted_exts, extension_name_cmp TSRMLS_CC);
 	zend_llist_apply_with_argument(&sorted_exts,  (llist_apply_with_arg_func_t) print_extension_info, NULL TSRMLS_CC);
 	zend_llist_destroy(&sorted_exts);
 }
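
Review bot: the added `sorted_exts.dtor = NULL;` line right after `zend_llist_copy()` needs a comment saying that the sorted copy only borrows its elements from `zend_extensions`, so `zend_llist_destroy(&sorted_exts)` must release the list nodes without running the element destructor. Without that comment the assignment reads like a leak and is easy to revert. Any other caller that copies `zend_extensions` with `zend_llist_copy()` and then destroys the copy should be checked for the same pattern.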

The list's destructor, if it is not cleared, would FREE up all the loaded modules just 3 lines below in the zend_llist_destroy() call, and php would try to FREE them up once again in the final shutdown procedure. Hope my wording is clear.

And no, it was not only a WIN32 problem. Please remove "OS: win32 only".

Regarding the followup I sent on Apr 21 1:26pm UTC, the crash is still in effect but with ioncube only. Honestly I don't care in this case.
Feel free to close the issue.
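
The ownership bug described in this report, reduced to a stand-alone C model (an added example, not code from PHP or from the reporter). `list`, `ext`, `fake_lib` and `unloads_after_listing` are hypothetical names, and the "library" is a constructed counter rather than a real DLL, so the double unload is counted instead of crashing.

```c
#include <stdlib.h>

/* Constructed stand-in for a loaded library: counts unloads instead of unmapping. */
typedef struct { int unload_calls; } fake_lib;
typedef struct { const char *name; fake_lib *handle; } ext;  /* extension entry */
typedef struct node { struct node *next; ext data; } node;
typedef struct { node *head; void (*dtor)(ext *); } list;

static void ext_dtor(ext *e) { e->handle->unload_calls++; }  /* "unloads" the library */

static void list_add(list *l, const ext *e) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->data = *e;               /* shallow: the handle pointer is shared */
    n->next = l->head;
    l->head = n;
}

/* Shallow copy: elements are copied by value and the destructor is inherited. */
static void list_copy(list *dst, const list *src) {
    dst->head = NULL;
    dst->dtor = src->dtor;
    for (const node *n = src->head; n; n = n->next) list_add(dst, &n->data);
}

static void list_destroy(list *l) {
    for (node *n = l->head, *next; n; n = next) {
        next = n->next;
        if (l->dtor) l->dtor(&n->data);   /* runs on borrowed elements too */
        free(n);
    }
    l->head = NULL;
}

/* Returns how often the single library was unloaded across listing + shutdown. */
int unloads_after_listing(int clear_copy_dtor) {
    fake_lib lib = {0};
    ext e = { "demo_ext", &lib };
    list main_list = { NULL, ext_dtor }, sorted;
    list_add(&main_list, &e);

    list_copy(&sorted, &main_list);           /* listing code copies the list */
    if (clear_copy_dtor) sorted.dtor = NULL;  /* the one-line fix from the comment */
    list_destroy(&sorted);                    /* unfixed: unloads the shared handle */
    list_destroy(&main_list);                 /* final shutdown walks the real list */
    return lib.unload_calls;
}

int main(void) { return (unloads_after_listing(0) == 2 && unloads_after_listing(1) == 1) ? 0 : 1; }
```

A count of 2 is the double release the report describes; with the copy's destructor cleared, the library is unloaded exactly once, at shutdown.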
 [2009-12-08 15:45 UTC] felipe@php.net
Closing... Bug already fixed in 2008. Thanks.
 