PHP :: Bug #51350 :: recursively including non existing file causes segfault

Bug #51350	recursively including non existing file causes segfault
Submitted:	2010-03-22 17:08 UTC	Modified:	2010-03-22 22:52 UTC
From:	slogster at gmail dot com	Assigned:
Status:	Not a bug	Package:	Reproducible crash
PHP Version:	5.2.13	OS:	freebsd & linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	slogster at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2010-03-22 17:08 UTC] slogster at gmail dot com

Description:
------------
function a(){include("/nofile"); a();} a();

/nofine is non existing file

Test script:
---------------
function a(){include("/nofile"); a();} a();

/nofile is non existing file

Expected result:
----------------
should not segfault

Actual result:
--------------
segfault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-03-22 17:45 UTC] johannes@php.net

-Status: Open +Status: Bogus

[2010-03-22 17:45 UTC] johannes@php.net

Recusrion in PHP leads to a stack overflow for the process, which we can't properly handle ourselves so the operating system terminates the PHP process. This is the expected behavior.

[2010-03-22 21:25 UTC] tyra3l at gmail dot com

suhosin protects against infinite recursion since 2006.
if you can crash the php engine from userland, then you can reset the seed
http://www.baohx.com/extras/zendcon/lesserknownsecurityproblemsinphpapplications.pdf
page 33: attacker can get fresh seed by crashing php.
so its not only an inconvinience, but can be a security problem also.

Tyrael

[2010-03-22 21:29 UTC] pajoye@php.net

That's known and there is no bug per se here.

Not everything the suhosin patch does is the right thing to do to solve a problem. As far as I remember there was a (long) discussion on internals about this. You may find it interesting.

[2010-03-22 21:39 UTC] tyra3l at gmail dot com

should worth to reading it.
could you at least give me the year for that discussion?
I think, that in this case the script should terminate by memory exhaustion (memory_limit) or time_limit exhaustion, not with segfault.
In a managed language I shouldn't be able to do stack overflow from userspace.
At least not this easily.

[2010-03-22 22:52 UTC] slogster at gmail dot com

I've tried it with Suhosin-Patch 0.9.7 and it segfaults too

[2010-07-14 23:31 UTC] tyra3l at gmail dot com

afaik you need the suhosin extension for this functionality, not just the patch. 
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.max_depth

Tyrael

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 03:01:28 2024 UTC