Bug #50274 Segmentation fault SIGSEGV with protected variable with ssh2
Submitted: 2009-11-23 17:25 UTC Modified: 2009-11-25 08:47 UTC
From: graham dot simpson at hsbcib dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.3.1 OS: SuSE 10.2
Private report: No CVE-ID: None
 [2009-11-23 17:25 UTC] graham dot simpson at hsbcib dot com
Description:
------------
Reproducible SIGSEGV fault whilst accessing protected variable via a method in a class using ssh2 functions. 
-
Note, this happens in php 5.3.0 and php 5.3.1. My current live host is php 5.0.4 where this code happily runs.

Reproduce code:
---------------
#!/opt/sybase/php-5.3.1/bin/php -q
<?php
class Ssh {
protected $authmethods;
protected $negotiatedmethods;
protected $stdio;
protected $connection;
protected $sessionparams = array ();

public function __construct () {
  $this->sessionparams = array ('hostname'=>'darkstar','username'=>'batman','port'=>'22',
                                'publickey'=>'/dbai/.ssh/id_rsa.pub',
                                'privatekey'=>'/dbai/.ssh/id_rsa','passphrase'=>'mypassphrase');
  $this->stdio = array();
}

public function Connect () {
  $this->connection = ssh2_connect($this->GetParameter("hostname"),
                                   $this->GetParameter("port"),
                                   array('hostkey'=>'ssh-rsa,ssh-dss'));
  if (!$this->connection) die ('Connection failed');
  $this->negotiatedmethods = ssh2_methods_negotiated ($this->connection);
  $this->authmethods = ssh2_auth_none($this->connection,"userthatcannotexist");
  if (in_array('publickey',$this->authmethods)) {
    unset ($this->connection);
    $this->connection = ssh2_connect($this->GetParameter("hostname"),
                                     $this->GetParameter("port"),
                                     array('hostkey'=>'ssh-rsa,ssh-dss'));
  }
  $rs = ssh2_auth_pubkey_file($this->connection,
                              $this->GetParameter("username"),
                              $this->GetParameter("publickey"),
                              $this->GetParameter("privatekey"),
                              $this->GetParameter("passphrase"));
}
public function Exec () {
  $stdiostream = ssh2_exec($this->connection,"uname -a");
  stream_set_blocking($stdiostream,TRUE);
  $output = array();
  while ($line = fgets($stdiostream)) {
    flush();
    $output[] = $line;
  }
  fclose ($stdiostream);
  $this->stdio = $output;
}

public function GetStdOut () {
  return $this->stdio;
}

public function Disconnect () {
  unset($this->connection);
}

protected function GetParameter ($parameter) {
  if ($this->sessionparams[$parameter]) {
    return $this->sessionparams[$parameter];
  }
  return FALSE;
}

}

$conn = new Ssh();
$conn->Connect();
$conn->Exec();
$output = $conn->GetStdOut();
print_r($output);
$conn->Disconnect();
?>



Expected result:
----------------
Output from a basic ssh df -k command.

Actual result:
--------------
In the example above, the call to method $output=$conn->GetStdOut accesses $this->stdio which causes a SIGSEGV in the calling script as soon as $output is printed.
-
Note: More often than not the memory fault occurs - but not always! Sometimes it works!!
-
Strace shows a SIGSEGV, but here's the gdb output:
(gbl00358) /tmp/gsi2 > ./repro.php
Memory fault
(gbl00358) /tmp/gsi2 > gdb /opt/sybase/php-5.3.1/bin/php
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run -qe repro.php
Starting program: /opt/sybase/php-5.3.1/bin/php -qe repro.php
[Thread debugging using libthread_db enabled]
[New Thread 47746607593328 (LWP 13931)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47746607593328 (LWP 13931)]
0x0000000000767b6f in _zend_mm_alloc_int ()
(gdb) bt
#0  0x0000000000767b6f in _zend_mm_alloc_int ()
#1  0x0000000000769158 in _emalloc ()
#2  0x000000000079cf7d in _zend_hash_quick_add_or_update ()
#3  0x00000000007ba950 in _get_zval_cv_lookup ()
#4  0x0000000000863f75 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER ()
#5  0x00000000007bcce4 in execute ()
#6  0x000000000078e87e in zend_execute_scripts ()
#7  0x000000000071a14f in php_execute_script ()
#8  0x0000000000874b39 in main ()

So next, I disable ZEND mm...
(gbl00358) /tmp/gsi2 > USE_ZEND_ALLOC=0
(gbl00358) /tmp/gsi2 > export USE_ZEND_ALLOC
(gbl00358) /tmp/gsi2 > ./repro.php
*** glibc detected *** /opt/sybase/php-5.3.1/bin/php: malloc(): memory corruption: 0x0000000000e80a30 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaac6bcc31e]
/lib64/libc.so.6[0x2aaac6bce3b4]
/lib64/libc.so.6(malloc+0x86)[0x2aaac6bcf766]
/opt/sybase/php-5.3.1/bin/php(_emalloc+0x33)[0x769142]
/opt/sybase/libssh2-1.2.1/lib/libssh2.so.1(libssh2_session_init_ex+0x50)[0x2aaac706f920]
/opt/sybase/php-5.3.1/lib/php/extensions/ssh2.so(php_ssh2_session_connect+0xa0)[0x2aaac6f54160]
/opt/sybase/php-5.3.1/lib/php/extensions/ssh2.so(zif_ssh2_connect+0x6b)[0x2aaac6f549bb]
/opt/sybase/php-5.3.1/bin/php[0x7bdbe0]
/opt/sybase/php-5.3.1/bin/php[0x7c37cb]
/opt/sybase/php-5.3.1/bin/php(execute+0x3b4)[0x7bcce4]
/opt/sybase/php-5.3.1/bin/php(zend_execute_scripts+0x249)[0x78e87e]
/opt/sybase/php-5.3.1/bin/php(php_execute_script+0x36e)[0x71a14f]
/opt/sybase/php-5.3.1/bin/php[0x874b39]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2aaac6b7e184]
/opt/sybase/php-5.3.1/bin/php[0x426ef9]
Abort
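
Added example (not part of the original report, and not PHP or libssh2 code): a small Python parser for the glibc abort output quoted above, which pulls out the failed heap check and the innermost frame outside libc and the allocator wrappers. That frame is where the damaged heap was noticed, not necessarily where it was written; the function names here are illustrative.

```python
import re

# Excerpt of the glibc abort output quoted in the report above (some frames trimmed).
REPORT = """\
*** glibc detected *** /opt/sybase/php-5.3.1/bin/php: malloc(): memory corruption: 0x0000000000e80a30 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaac6bcc31e]
/lib64/libc.so.6[0x2aaac6bce3b4]
/lib64/libc.so.6(malloc+0x86)[0x2aaac6bcf766]
/opt/sybase/php-5.3.1/bin/php(_emalloc+0x33)[0x769142]
/opt/sybase/libssh2-1.2.1/lib/libssh2.so.1(libssh2_session_init_ex+0x50)[0x2aaac706f920]
/opt/sybase/php-5.3.1/lib/php/extensions/ssh2.so(php_ssh2_session_connect+0xa0)[0x2aaac6f54160]
/opt/sybase/php-5.3.1/lib/php/extensions/ssh2.so(zif_ssh2_connect+0x6b)[0x2aaac6f549bb]
/opt/sybase/php-5.3.1/bin/php[0x7bdbe0]
/opt/sybase/php-5.3.1/bin/php(execute+0x3b4)[0x7bcce4]
"""

HEADER = re.compile(r"^\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<check>.+): (?P<addr>0x[0-9a-f]+) \*\*\*$")
# Frame lines look like  module(symbol+0xoff)[0xaddr]  or just  module[0xaddr]
FRAME = re.compile(r"^(?P<module>/[^(\[\s]+)(?:\((?P<symbol>[^+)]*)(?:\+(?P<offset>0x[0-9a-f]+))?\))?\[(?P<addr>0x[0-9a-f]+)\]$")

# libc allocator entry points plus the Zend wrappers that forward to them.
ALLOCATOR_SYMBOLS = {"malloc", "free", "realloc", "calloc",
                     "_emalloc", "_efree", "_erealloc", "_ecalloc"}

def parse_report(text):
    """Return (header dict or None, list of frame dicts, innermost frame first)."""
    header, frames = None, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        m = FRAME.match(line)  # memory-map and banner lines do not match
        if m:
            frames.append(m.groupdict())
    return header, frames

def requesting_frame(frames):
    """Innermost frame that is neither libc nor an allocator wrapper:
    the code that asked for memory when the consistency check fired."""
    for f in frames:
        if "/libc.so" in f["module"] or f["symbol"] in ALLOCATOR_SYMBOLS:
            continue
        return f
    return None

def modules_in_path(frames):
    """Distinct modules on the call path, innermost first."""
    return list(dict.fromkeys(f["module"] for f in frames))
```
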


 [2009-11-23 17:28 UTC] graham dot simpson at hsbcib dot com
BTW, I used PHP 5.3.1, libssh2-1.2.1 with openssl-0.9.8.k.

Also used a minimal php configure, here it is:
CFLAGS="-DSYB_LP64" ./configure --with-libdir=lib64 --prefix=${TDIR}/php-5.3.1 --with-gnu-ld --enable-libgcc --with-openssl=${TDIR}/openssl-0.9.8k --with-ssh2=${TDIR}/libssh2-1.2.1 --with-libxml-dir=${TDIR}/libxml2-2.7.5 --with-xsl=${TDIR}/libxslt-1.1.26 \
        --with-zlib --disable-cgi --with-bz2 --with-apxs2=${TDIR}/httpd-2.2.13/bin/apxs
 [2009-11-23 17:31 UTC] pajoye@php.net
Please report SSH2 to pecl.php.net as it is a PECL extension only.
 [2009-11-25 08:47 UTC] graham dot simpson at hsbcib dot com
Thanks, have logged PECL ssh2 bug BugId #16944
http://pecl.php.net/bugs/bug.php?id=16944
 
Last updated: Sat Apr 27 06:01:30 2024 UTC