Bug #46444 invalid session.save_path crashes when --with-pic is used
Submitted: 2008-10-31 23:12 UTC Modified: 2009-04-14 01:00 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: hostmaster at uuism dot net Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.2CVS-2008-11-02 OS: Fedora Core 4
Private report: No CVE-ID: None

 [2008-10-31 23:12 UTC] hostmaster at uuism dot net
Description:
------------
When I run the test ext/session/tests/016.phpt, I still get a core dump with PHP 5.2.6 on FC4 and Linux kernel 2.6.20.1. The run-tests script puts FAIL in front of the description.

This same problem was reported in Bug #43361 "invalid session.save_path test cause php crash".

Here are the results:

# TEST_PHP_EXECUTABLE=sapi/cli/php sapi/cli/php run-tests.php ext/session/tests/016.phpt

=====================================================================
PHP         : sapi/cli/php
PHP_SAPI    : cli
PHP_VERSION : 5.2.6
ZEND_VERSION: 2.2.0
PHP_OS      : Linux - Linux host.uuserver.net 2.6.20.1 #16 SMP Thu Nov 8 14:19:44 EST 2007 i686
INI actual  : /usr/local/src/php-5.2.6/sapi/cli/php.ini
More .INIs  : /etc/php.d/mysql.ini,/etc/php.d/mysqli.ini
CWD         : /usr/local/src/php-5.2.6
Extra dirs  :
=====================================================================
Running selected tests.
FAIL invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    1 (100.0%) (100.0%)
Tests passed    :    0 (  0.0%) (  0.0%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================


Reproduce code:
---------------
--INI--
session.save_path="123;:/really\\completely:::/invalid;;,23123;213"
session.use_cookies=0
session.cache_limiter=
session.save_handler=files
session.serialize_handler=php
--FILE--
<?php
error_reporting(E_ALL);

@session_start();
$HTTP_SESSION_VARS["test"] = 1;
@session_write_close();
print "I live\n";
?>


Expected result:
----------------
no core dump

Actual result:
--------------
core dump



 [2008-11-01 23:20 UTC] jani@php.net
Are you loading any shared extensions? 
 [2008-11-02 00:55 UTC] hostmaster at uuism dot net
Modules:  mbstring.so; mysql.so; mysqli.so; soap.so; and xmlrpc.so

I reran the test without any modules and the results were the same.

Configuration string:

--build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic --disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin --with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr --with-openssl --with-pspell --with-pcre-regex=/usr/local --with-zlib --with-layout=GNU --enable-exif --enable-ftp --enable-magic-quotes --enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx --with-pear=/usr/share/pear --with-kerberos --enable-ucd-snmp-hack --with-unixODBC=shared,/usr --enable-shmop --enable-calendar --with-mime-magic=/etc/httpd/conf/magic --without-sqlite --with-libxml-dir=/usr/local --enable-force-cgi-redirect --enable-pcntl --with-imap=shared --with-imap-ssl --enable-mbstring=shared --enable-mbregex --with-ncurses=shared --with-gd=shared --enable-bcmath=shared --enable-dba=shared --with-db4=/usr --with-xmlrpc=shared --with-ldap=shared --with-mysql=shared,/usr --with-mysqli=shared,/usr/bin/mysql_config --enable-dom=shared --with-pgsql=shared --with-snmp=shared,/usr --enable-soap=shared --with-xsl=shared,/usr --enable-fastcgi --with-pcre-dir=/usr/local --enable-xmlreader=shared --with-mcrypt --with-mhash --with-config-file-path=/etc/php-5.2.6 --with-config-file-scan-dir=/etc/php-5.2.6/php.d

Should it make any difference that I used --disable-debug?

I went back and ran configure again with --enable-debug and all the same other parameters.  This time the test PASSED.

I don't understand.

Jim
 [2008-11-04 02:59 UTC] hostmaster at uuism dot net
jani,

I reran my original configuration with '--disable-debug' and got you more information from the backtrace

[snip]
Core was generated by `/usr/local/src/php5.2-200811022130/sapi/cli/php -n -c /usr/local/src/php5.2-200'.
Program terminated with signal 11, Segmentation fault.
#0  php_session_start () at /usr/local/src/php5.2-200811022130/ext/session/session.c:621
621             if (PG(register_long_arrays)) {
(gdb) bt
#0  php_session_start () at /usr/local/src/php5.2-200811022130/ext/session/session.c:621
#1  0x08190660 in zif_session_start (ht=0, return_value=0xb7c15b14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php5.2-200811022130/ext/session/session.c:1824
#2  0x082b923a in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe7d78c)
    at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:200
#3  0x082a8c2f in execute (op_array=0xb7c15f94) at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:92
#4  0x08288190 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5.2-200811022130/Zend/zend.c:1134
#5  0x08240eb3 in php_execute_script (primary_file=0xbfe7fb88) at /usr/local/src/php5.2-200811022130/main/main.c:2023
#6  0x0831041e in main (argc=108, argv=0xbfe7fca4) at /usr/local/src/php5.2-200811022130/sapi/cli/php_cli.c:1134

(gdb) frame 3
#3  0x082a8c2f in execute (op_array=0xb7c15f94) at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8436fdc "session_start"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0xb7c16060 "/usr/local/src/php5.2-200811022130/ext/session/tests/016.php"

(gdb) frame 2
#2  0x082b923a in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe7d78c)
    at /usr/local/src/php5.2-200811022130/Zend/zend_vm_execute.h:200
200                             ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$4 = 0x8436fdc "session_start"
(gdb) print (char *)executor_globals.active_op_array->function_name
$5 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$6 = 0xb7c16060 "/usr/local/src/php5.2-200811022130/ext/session/tests/016.php"
 [2008-11-09 00:12 UTC] hostmaster at uuism dot net
jani,

It appears to be related to the --with-pic option.

Here are the results:

Case 1:  PASS ext/session/tests/016.phpt (ran twice)

./configure --disable-all --disable-cgi --enable-session --with-pcre-regex --build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug

Case 2:  FAIL ext/session/tests/016.phpt

./configure --disable-all --disable-cgi --enable-session --with-pcre-regex --build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic

Jim
 [2008-11-11 18:49 UTC] jani@php.net
Try this:

# rm config.cache
# ./configure --disable-all --disable-cgi --enable-session --disable-debug --with-pic
# make test TESTS=ext/session/tests/016.phpt


 [2008-11-17 16:45 UTC] hostmaster at uuism dot net
I ran these commands:

#rm config.cache
#./configure --disable-all --disable-cgi --enable-session --disable-debug --with-pcre-regex --with-pic
#make clean
#make test TESTS=ext/session/tests/016.phpt

[snip]

=====================================================================
PHP         : /usr/local/src/php5.2-200811022130/sapi/cli/php
PHP_SAPI    : cli
PHP_VERSION : 5.2.7RC3-dev
ZEND_VERSION: 2.2.0
PHP_OS      : Linux - Linux host.uuserver.net 2.6.20.1 #16 SMP Thu Nov 8 14:19:44 EST 2007 i686
INI actual  : /usr/local/src/php5.2-200811022130/tmp-php.ini
More .INIs  :
CWD         : /usr/local/src/php5.2-200811022130
Extra dirs  :
VALGRIND    : Not used
=====================================================================
Running selected tests.
FAIL invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    1 (100.0%) (100.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :    0 (  0.0%) (  0.0%)
---------------------------------------------------------------------
Time taken      :    0 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
invalid session.save_path should not cause a segfault [ext/session/tests/016.phpt]
=====================================================================
 [2009-01-02 15:41 UTC] crrodriguez at opensuse dot org
Same here

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d56560 in strlen () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff5d56560 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1  0x00000000005a06d8 in ps_open_files (mod_data=0xddd960, save_path=0x7b <Address 0x7b out of bounds>, session_name=0xaaa37a "PHPSESSID")
    at /home/cristian/php5/ext/session/mod_files.c:325
        data = (ps_files *) 0xfdfaf0
        p = 0xdeff7a ";213"
        last = 0xdeff74 ",23123;213"
        argv = {0xdeff50 "123;:/really\\completely:::/invalid;;,23123;213", 0xdeff54 ":/really\\completely:::/invalid;;,23123;213",
  0xdeff73 ";,23123;213"}
        argc = 4
        dirdepth = 123
        filemode = 0
#2  0x0000000000599118 in php_session_initialize () at /home/cristian/php5/ext/session/session.c:512
        val = 0xfde576 "L)\r�\r�\r�"
        vallen = 0
#3  0x000000000059d732 in php_session_start () at /home/cristian/php5/ext/session/session.c:1479
        ppid = (zval **) 0xfdc678
        data = (zval **) 0x78
        p = 0x887fd0 "H\211l$�L\211|$�H\215-�}M"
        value = 0x0
        nrand = 32767
        lensess = 9
#4  0x000000000059ed3d in zif_session_start (ht=0, return_value=0xfdc6c8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cristian/php5/ext/session/session.c:1886
No locals.
#5  0x0000000000818899 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e6f090) at /home/cristian/php5/Zend/zend_vm_execute.h:313
        opline = (zend_op *) 0xfddff0
        should_change_scope = 0 '\0'
#6  0x000000000081df90 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7e6f090) at /home/cristian/php5/Zend/zend_vm_execute.h:1564
        opline = (zend_op *) 0xfddff0
        fname = (zval *) 0xfde020
#7  0x0000000000817987 in execute (op_array=0xfdd418) at /home/cristian/php5/Zend/zend_vm_execute.h:104
        ret = 0
        execute_data = (zend_execute_data *) 0x7ffff7e6f090
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#8  0x00000000007e77e9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1181
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffb7e0, reg_save_area = 0x7fffffffb720}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffdc60
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#9  0x000000000076a1d9 in php_execute_script (primary_file=0x7fffffffdc60) at /home/cristian/php5/main/main.c:2101
        realfile = "/home/cristian/php5/ext/session/tests/016.phpt\000\000�����\177\000\000�\n|\000\000\000\000\000�r���\177\000\000p~�", '\0' <repeats 13 times>, "uct\000�\a\000\000X\000\000\000\000\000�p���\177\000\000\020����\177\000\000z\005\177\000\000\000\000\000\002\000\000\000�\177\000\000X\000\000\000\000\000V\a\000\000\000\000\000\000\202\005\000\000\000\000\000\000�mQ��\177\000\000\210��\000\000\000\000\000P����\177\000\000\030����\177\000\000�\214\222D\000\000\000\000\000��"...
        __orig_bailout = (jmp_buf *) 0x7fffffffdaf0
        __bailout = {{__jmpbuf = {8945616, 1504162217199220120, 4369584, 140737488346800, 0, 0, 1504162220334462360,
      -1504162127358118504}, __mask_was_saved = 0, __saved_mask = {__val = {140737353931176, 0, 4294967295, 47784, 14397440, 4369584,
        140737488346800, 0, 0, 0, 140737351963577, 1, 0, 0, 73014444032, 140737317299080}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0,
      closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
  free_filename = 0 '\0'}
        old_cwd = 0x7fffffffb800 ""
        use_heap = 0 '\0'
        retval = 0
#10 0x0000000000887449 in main (argc=5, argv=0x7fffffffdeb8) at /home/cristian/php5/sapi/cli/php_cli.c:1138
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {8945616, 1504162217448781208, 4369584, 140737488346800, 0, 0, 1504162217209705880,
      -1504161051082934888}, __mask_was_saved = 0, __saved_mask = {__val = {140737353925464, 140737488346240, 140737488346184, 2972705047,
        140737488346400, 61765110, 140737354121608, 0, 140737351945772, 140733193388033, 140737354118584, 0, 1, 1910330751,
        140737351946810, 8419355904}}}}
        exit_status = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt",
  opened_path = 0x0, handle = {fd = 16635992, fp = 0xfdd858, stream = {handle = 0xfdd858, isatty = 0, mmap = {len = 495, pos = 0,
        map = 0x7ffff7ff7000, buf = 0x7ffff7ff7000 <Address 0x7ffff7ff7000 out of bounds>, old_handle = 0xff34c0,
        old_closer = 0x8029a0 <zend_stream_stdio_closer>}, reader = 0x802974 <zend_stream_stdio_reader>,
      fsizer = 0x8029d1 <zend_stream_stdio_fsizer>, closer = 0x802aea <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt"
        arg_excp = (char **) 0x7fffffffded8
        script_file = 0x7fffffffe302 "/home/cristian/php5/ext/session/tests/016.phpt"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
---Type <return> to continue, or q <return> to quit---
        ini_entries_len = 110
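The backtrace above shows ps_open_files() splitting the save_path on ';' and ending with argc=4 while the local argv array holds three entries, and the save_path argument itself reading as 0x7b (decimal 123, the parsed dirdepth) before strlen() faults. The following is an added example, not PHP's own code, of how a parser for the files handler's "N;MODE;/path" form can bound the split and reject the test's value instead of running past its array; parse_save_path(), parse_field() and the wrapper functions are assumed names written for this illustration, and the default mode 0600 is an assumption of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of a session.save_path value in the "N;MODE;/path" form used by
 * the files save handler; N (directory depth) and MODE (octal) are optional. */
typedef struct {
    long dirdepth;      /* 0 when not given */
    long filemode;      /* 0600 when not given (assumed default for this example) */
    const char *path;   /* points into the caller's string, not a copy */
} save_path_spec;

/* Parse one numeric field that must end at the next ';'. Returns 0 on success. */
static int parse_field(const char *field, int base, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(field, &end, base);
    if (end == field || *end != ';' || errno == ERANGE || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Split save_path on ';' into at most three fields and validate each one.
 * Returns 0 on success and -1 for a malformed value (too many fields,
 * non-numeric depth, out-of-range mode, empty path).
 * Assumed helper for illustration, not PHP's own ps_open_files(). */
int parse_save_path(const char *save_path, save_path_spec *out)
{
    const char *argv[3];
    int argc = 0;
    const char *last = save_path;
    const char *p;

    if (save_path == NULL || out == NULL)
        return -1;

    /* Bounded split: refuse a fourth field rather than write past argv[2]. */
    while ((p = strchr(last, ';')) != NULL) {
        if (argc == 2)
            return -1;
        argv[argc++] = last;
        last = p + 1;
    }
    argv[argc++] = last;

    out->dirdepth = 0;
    out->filemode = 0600;
    out->path = argv[argc - 1];

    if (argc > 1 && parse_field(argv[0], 10, &out->dirdepth) != 0)
        return -1;
    if (argc > 2 && (parse_field(argv[1], 8, &out->filemode) != 0 ||
                     out->filemode > 07777))
        return -1;
    if (out->path[0] == '\0')
        return -1;   /* empty path: reject instead of guessing a directory */
    return 0;
}

/* Convenience wrappers: validity as 1/0, fields as values or -1 on rejection. */
int save_path_is_valid(const char *save_path)
{
    save_path_spec s;
    return parse_save_path(save_path, &s) == 0;
}

long save_path_dirdepth(const char *save_path)
{
    save_path_spec s;
    return parse_save_path(save_path, &s) == 0 ? s.dirdepth : -1;
}

long save_path_filemode(const char *save_path)
{
    save_path_spec s;
    return parse_save_path(save_path, &s) == 0 ? s.filemode : -1;
}

int main(void)
{
    /* The value from the --INI-- section of ext/session/tests/016.phpt, and a
     * constructed well-formed value for comparison. */
    const char *bad = "123;:/really\\completely:::/invalid;;,23123;213";
    const char *good = "5;0600;/var/lib/php/session";
    save_path_spec s;

    printf("%s -> %s\n", bad, parse_save_path(bad, &s) == 0 ? "accepted" : "rejected");
    if (parse_save_path(good, &s) == 0)
        printf("%s -> depth=%ld mode=%lo path=%s\n", good, s.dirdepth, s.filemode, s.path);
    return 0;
}
```

The test's value has four semicolons, so the loop above hits the argc limit on the third one and returns before any field is interpreted; a depth-only value such as "5;/tmp" and a plain directory still parse as before.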
 [2009-04-06 12:14 UTC] bjori@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

Please try the next snapshot dated _after_ this message.
 [2009-04-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Nov 30 13:05:54 2022 UTC