Bug #51159 session_set_save_handler Memory Corruption
Submitted: 2010-02-26 18:39 UTC Modified: 2013-02-18 00:34 UTC
Votes:5
Avg. Score:4.6 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: achristianson at yakabod dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.3.1 OS: CentOS 5.4
Private report: No CVE-ID: None
 [2010-02-26 18:39 UTC] achristianson at yakabod dot com
Description:
------------
Use of session_set_save_handler seems to cause memory corruption under certain conditions.

Inside of _write, there is code that causes a fatal error. The corruption seems to not happen if this is removed.

I get the problem in both 5.3.1 and 5.3.2RC3

Reproduce code:
---------------
<?php
session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_gc');
session_start();
// session_write_close() invokes the _write handler immediately.
session_write_close();
function _write() {
  // Deliberate: self:: is used outside any class scope, which raises a fatal
  // error inside the write handler. The reporter states that the corruption
  // does not occur when this line is removed.
  self::$x = null;
}
function _destroy() {}
function _gc() {}
function _open() {}
function _close() {}
function _read() {}
// Allocate a large number of objects after the session has been closed.
for($i = 0; $i < 10000; $i++)
{
  $exampleArray[] = new C();
}
class C { }


Expected result:
----------------
No segmentation fault

Actual result:
--------------
5.3.1 backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
302                zval ***ptr = &CV_OF(node->u.var);
(gdb) bt
#0  0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
#1  0x0142d55d in execute (op_array=0x9a0e260) at /root/php-5.3.1/Zend/zend_vm_execute.h:104
#2  0x0140bd57 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.1/Zend/zend.c:1194
#3  0x013bbf4e in php_execute_script (primary_file=0xbfa7c8c0) at /root/php-5.3.1/main/main.c:2225
#4  0x0148ad2b in php_handler (r=0x9a56160) at /root/php-5.3.1/sapi/apache2handler/sapi_apache2.c:648
#5  0x08077bf3 in ap_invoke_handler ()
#6  0x080868df in ap_process_request ()
#7  0x080839e8 in ?? ()
#8  0x09a56160 in ?? ()
#9  0x00000004 in ?? ()
#10 0x09a56160 in ?? ()
#11 0x0987c2f8 in ?? ()
#12 0x00000002 in ?? ()
#13 0x09a43be8 in ?? ()
#14 0xbfa7c9c8 in ?? ()
#15 0x0807ff45 in ap_process_connection ()

5.3.2RC3 backtrace:

Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
385                return --pz->refcount__gc;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
#1  0x014674fc in zend_do_fcall_common_helper_SPEC (execute_data=0x8558d30) at /root/php-5.3.2RC3/Zend/zend_execute.h:316
#2  0x01441b3d in execute (op_array=0x84f66d0) at /root/php-5.3.2RC3/Zend/zend_vm_execute.h:104
#3  0x01420207 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.2RC3/Zend/zend.c:1194
#4  0x013cfe7e in php_execute_script (primary_file=0xbf902c10) at /root/php-5.3.2RC3/main/main.c:2260
#5  0x0149f22b in php_handler (r=0x853e5b8) at /root/php-5.3.2RC3/sapi/apache2handler/sapi_apache2.c:655
#6  0x08077bf3 in ap_invoke_handler ()
#7  0x080868df in ap_process_request ()
#8  0x080839e8 in ?? ()
#9  0x0853e5b8 in ?? ()
#10 0x00000004 in ?? ()
#11 0x0853e5b8 in ?? ()
#12 0x08388758 in ?? ()
#13 0x00000002 in ?? ()
#14 0x0852c040 in ?? ()
#15 0xbf902d18 in ?? ()
#16 0x0807ff45 in ap_process_connection ()

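Added example (editor's code, not part of the bug report or of PHP itself): the same six-callback session_set_save_handler API as the reproduce code, but used the way a production handler should be. Every callback returns the type the engine expects (read returns a string, the others return true/false) and none of them can raise. The handler is file-backed; the storage directory under sys_get_temp_dir(), the s_* function names and the session id "bug51159demo" are assumptions for the demonstration, which runs from the CLI (php example.php). The id check is the point a security engineer would add: PHP's built-in files handler refuses ids containing characters outside its allowed set, whereas a custom handler receives the raw cookie value and must validate it itself before using it in a path.

```php
<?php
// Added example, not from the bug report. File-backed session save handler
// using the procedural six-callback API. Storage directory is an assumption.

$SESSION_DIR = sys_get_temp_dir() . '/bug51159-sessions';

// The session id arrives verbatim from the client. Reject anything that is
// not a plain id before it is used to build a path, so "../" cannot escape
// the storage directory.
function session_path($id) {
    global $SESSION_DIR;
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        return false;
    }
    return $SESSION_DIR . '/sess_' . $id;
}

function s_open($save_path, $session_name) {
    global $SESSION_DIR;
    if (!is_dir($SESSION_DIR) && !mkdir($SESSION_DIR, 0700, true)) {
        return false;
    }
    return true;
}

function s_close() {
    return true;
}

// read() must return the serialized session data as a string. Return "" for
// a missing or invalid id rather than nothing (null), so the engine always
// receives the type it expects.
function s_read($id) {
    $path = session_path($id);
    if ($path === false || !is_file($path)) {
        return '';
    }
    $data = file_get_contents($path);
    return $data === false ? '' : $data;
}

// write() runs from session_write_close() or at request shutdown. It must
// report success with true/false and must not raise (the reproduce code's
// _write does exactly that: it triggers a fatal error inside the handler).
function s_write($id, $data) {
    $path = session_path($id);
    if ($path === false) {
        return false;
    }
    return file_put_contents($path, $data, LOCK_EX) !== false;
}

function s_destroy($id) {
    $path = session_path($id);
    if ($path !== false && is_file($path)) {
        return unlink($path);
    }
    return true;
}

function s_gc($maxlifetime) {
    global $SESSION_DIR;
    $files = glob($SESSION_DIR . '/sess_*');
    if ($files === false) {
        return true;
    }
    foreach ($files as $file) {
        if (filemtime($file) + $maxlifetime < time()) {
            unlink($file);
        }
    }
    return true;
}

session_set_save_handler('s_open', 's_close', 's_read', 's_write', 's_destroy', 's_gc');

// Demonstration (CLI): bump a counter, close the session so s_write() runs,
// then show where the data landed. Re-running the script increments it.
session_id('bug51159demo');
session_start();
$_SESSION['counter'] = isset($_SESSION['counter']) ? $_SESSION['counter'] + 1 : 1;
$counter = $_SESSION['counter'];
session_write_close();

echo "counter=$counter stored in " . session_path('bug51159demo') . "\n";

// A traversal-style id never reaches the filesystem: session_path() refuses it.
$rejected = session_path('../../etc/passwd') === false;
echo 'traversal id rejected: ' . ($rejected ? 'yes' : 'no') . "\n";
```

The handler keeps all failure reporting in return values, which is what session_set_save_handler expects; anything that aborts inside a callback (a fatal error, an uncaught exception) ends the request in the middle of the session layer's own write/close sequence, which is the situation the reproduce code above constructs on purpose.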
 [2010-02-26 18:49 UTC] achristianson at yakabod dot com
Small typo: I put 5.2.1 and 5.2.3RC3 text along with my backtraces. I 
meant to type 5.3.1 and 5.3.2RC3 respectively.
 [2010-02-26 19:08 UTC] achristianson at yakabod dot com
We tried this with Zend MM and garbage collection turned on and off. No 
change in result.
 [2010-02-28 16:52 UTC] jani@php.net
Try turning garbage collection off so we know if it's that.. zend.enable_gc = off, IIRC. :)
 [2010-03-01 12:46 UTC] achristianson at yakabod dot com
We tried with GC off and we get the same result.
 [2010-03-02 23:12 UTC] felipe@php.net
-Package: Session related +Package: Scripting Engine problem
 [2010-05-26 19:37 UTC] info at das-peter dot ch
Hi there,

can confirm this behavior with gc enabled/disabled.
My current installation:
php 5.3.2 for win x86 [API220090626,TS,VC6 ]
Compiler VC6, thread safe

Run under Apache 2.2

Cheers,
Peter
 [2011-01-27 22:23 UTC] sa at yakabod dot com
Any chance someone can take a look at this issue that is now approaching 1 year 
in the queue.  We have recently reproduced it on PHP 5.3.4 on CentOS 5.5.  We are 
willing to help out with debugging.  Thanks.
 [2012-03-29 21:14 UTC] arpad@php.net
The reproduce code correctly gives a fatal error ("Fatal error: Cannot access self:: when no class scope is active" and no crash) in the current 5.3 branch and trunk. Changing it to a normal variable assignment works fine.

Please let us know if you can reproduce this bug with another script without this error, or a current PHP version.
 [2012-03-29 21:14 UTC] arpad@php.net
-Status: Open +Status: Feedback
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2013-03-01 12:18 UTC] office at xtreme-vision dot net
Hi,

We confirm the reproduce code crashes with a segfault on CentOS 6 (Linux 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb 6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux) and php 5.3.3 (php-5.3.3-14.el6_3.x86_64).

Also, we get this result in a core dump for Apache 2.2.15 (httpd-2.2.15-15.el6.centos.1.x86_64):

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4aef304e94 in _get_zval_ptr_cv (execute_data=0x7f4afb6d0658) at /usr/src/debug/php-5.3.3/Zend/zend_execute.c:251
251             zval ***ptr = &CV_OF(node->u.var);

Can someone look at this problem, as it's causing major crashes of our 
webserver.

Thanks,
Michael.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 20:01:28 2024 UTC