Bug #55121 Segfault with multipart/form-data POST / 404 request
Submitted: 2011-07-03 14:35 UTC Modified: 2011-12-23 06:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nbpoole@php.net Assigned: laruence
Status: Closed Package: Built-in web server
PHP Version: 5.4SVN-2011-07-03 (snap) OS: Ubuntu 10.04.2 LTS (64-bit)
Private report: No CVE-ID:
 [2011-07-03 14:35 UTC] nbpoole@php.net
Description:
------------
The built-in webserver repeatably segfaults for me when I send the following requests (in this order):

1. A multipart/form-data POST request
2. A GET request for a non-existent file

Test script:
---------------
Create an empty (0 byte) PHP file named file.php. Start the webserver from that file's directory. Then run the following commands:

curl --form a=b http://127.0.0.1:8000/file.php
curl http://127.0.0.1:8000/does_not_exist

Expected result:
----------------
Requests should be returned by the server without segfaulting.

Actual result:
--------------
After the second request has been made, I receive a segfault:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
#1  0x00000000006272f1 in destroy_uploaded_files_hash () at /home/nbpoole/php/php5.4-201107031630/main/rfc1867.c:199
#2  0x0000000000625585 in sapi_deactivate () at /home/nbpoole/php/php5.4-201107031630/main/SAPI.c:533
#3  0x000000000071fe81 in php_cli_server_send_error_page (server=<value optimized out>, client=<value optimized out>, status=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1524
#4  0x00000000007207c9 in php_cli_server_begin_send_static (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1635
#5  php_cli_server_dispatch (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1747
#6  php_cli_server_recv_event_read_request (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1890
#7  0x00000000007211ea in php_cli_server_do_event_for_each_fd_callback (_params=<value optimized out>, fd=<value optimized out>, event=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1976
#8  0x000000000072185a in php_cli_server_poller_iter_on_active (argc=<value optimized out>, argv=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:670
#9  php_cli_server_do_event_for_each_fd (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2002
#10 php_cli_server_do_event_loop (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2012
#11 do_cli_server (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2097
#12 0x000000000071a33e in main (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli.c:1359


Patches

fix-segfault-wit-multipart-form-data-POST-and-404-request (last revision 2011-12-09 02:52 UTC) by reeze dot xia at gmail dot com


Pull Requests


History

 [2011-07-05 14:33 UTC] sixd@php.net
-Assigned To: +Assigned To: moriyoshi
 [2011-07-20 06:50 UTC] fa@php.net
Just tried this on Debian testing and 5_4-HEAD and can't reproduce it.

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"

[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Request read
[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Response sent successfully (200)
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Request read
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - No such file or directory
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Sending error page (404)
 [2011-07-20 11:21 UTC] nbpoole@php.net
Hmm, the previous test case is no longer working for me either.

Try the following:

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"
$ curl  "http://localhost:8000/file2.php"
$ curl --form a=b  "http://localhost:8000/file.php"

It results in a different segfault.


Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
1906				heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
#1  0x082a79f0 in _ecalloc (nmemb=1, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:2556
#2  0x08275fc5 in multipart_buffer_new (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:283
#3  rfc1867_post_handler (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:749
#4  0x08273b46 in sapi_handle_post (arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/SAPI.c:182
#5  0x0827a628 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:330
#6  0x082792aa in php_auto_globals_create_post (name=0xb7ea9bf4 "_POST", name_len=5) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:690
#7  0x082a7d45 in zend_auto_global_init (auto_global=0x86524b8) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6233
#8  0x082d564f in zend_hash_apply (ht=0x8649478, apply_func=0x82a7d20 <zend_auto_global_init>) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_hash.c:716
#9  0x082b523b in zend_activate_auto_globals () at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6243
#10 0x0827a7df in php_hash_environment () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:650
#11 0x0826ba5d in php_request_startup () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/main.c:1493
#12 0x0836e610 in php_cli_server_dispatch_script (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1599
#13 0x0836e8f5 in php_cli_server_dispatch (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1755
#14 php_cli_server_recv_event_read_request (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1924
#15 0x0836f0ff in php_cli_server_do_event_for_each_fd_callback (_params=0xbfffe15c, fd=6, event=1) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2015
#16 0x0836fbd7 in php_cli_server_poller_iter_on_active (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:671
#17 php_cli_server_do_event_for_each_fd (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2036
#18 php_cli_server_do_event_loop (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2046
#19 do_cli_server (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2147
#20 0x08368143 in main (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli.c:1359

This was done with the latest 5.4 from snaps.
 [2011-07-20 13:09 UTC] fa@php.net
I think the culprit lies in php_cli_server_client_populate_request_info
in the line
request_info->content_type = *val;
which doesn't terminate correctly at ; and reads
multipart/form-data; boundary=----------------------------c1e04e412bff
instead of
multipart/form-data;
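fa's comment above turns on where the media type in a Content-Type value ends and its parameters begin. The following C code is an added example, not PHP's code and not the r313677 fix (which this page does not show): it splits a Content-Type header value into the bare media type and the boundary parameter using bounded copies, so an overlong or unterminated value is rejected instead of being copied into a fixed buffer. The names ct_info, ct_parse and ct_matches and the size limits are assumptions of the example; the 70-character boundary cap is RFC 2046's. Unlike the terminator-in-place reading in fa's comment, it returns the media type without the trailing ';'.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PHP's own code: split a Content-Type request header into
 * its media type and its boundary parameter with bounded copies.  The names
 * ct_info, ct_parse and ct_matches and the size limits are assumptions of this
 * example; the 70-character boundary cap comes from RFC 2046. */
#define CT_TYPE_MAX 128
#define CT_BOUNDARY_MAX 70

struct ct_info {
    char type[CT_TYPE_MAX + 1];         /* media type only, lowercased, e.g. "multipart/form-data" */
    char boundary[CT_BOUNDARY_MAX + 1]; /* empty string when no boundary parameter is present */
};

static int is_ws(char c) { return c == ' ' || c == '\t'; }

static const char *skip_ws(const char *p) {
    while (is_ws(*p)) p++;
    return p;
}

/* case-insensitive comparison of exactly n bytes */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 on success (boundary may still be empty), 0 on malformed or oversized input. */
int ct_parse(const char *hdr, struct ct_info *out) {
    memset(out, 0, sizeof *out);
    if (hdr == NULL) return 0;

    /* media type runs up to the first ';' (or the end), trailing blanks trimmed */
    const char *p = skip_ws(hdr);
    const char *semi = strchr(p, ';');
    size_t tlen = semi ? (size_t)(semi - p) : strlen(p);
    while (tlen > 0 && is_ws(p[tlen - 1])) tlen--;
    if (tlen == 0 || tlen > CT_TYPE_MAX) return 0;
    for (size_t i = 0; i < tlen; i++) out->type[i] = (char)tolower((unsigned char)p[i]);
    out->type[tlen] = '\0';

    /* walk the ';'-separated parameters; quoted values may themselves contain ';' */
    while (semi) {
        p = skip_ws(semi + 1);
        const char *eq = strchr(p, '=');
        const char *next = strchr(p, ';');
        if (!eq || (next && eq > next)) { semi = next; continue; }  /* no '=': skip it */
        const char *v = eq + 1, *end;
        if (*v == '"') {
            v++;
            end = strchr(v, '"');
            if (!end) return 0;                      /* unterminated quoted-string */
            next = strchr(end, ';');
        } else {
            end = next ? next : v + strlen(v);
            while (end > v && is_ws(end[-1])) end--;
        }
        if ((size_t)(eq - p) == 8 && ieq_n(p, "boundary", 8)) {
            size_t blen = (size_t)(end - v);
            if (blen == 0 || blen > CT_BOUNDARY_MAX) return 0;  /* oversized boundary rejected */
            memcpy(out->boundary, v, blen);
            out->boundary[blen] = '\0';
            return 1;
        }
        semi = next;
    }
    return 1;
}

/* Convenience check: does hdr parse to exactly this media type and boundary? */
int ct_matches(const char *hdr, const char *type, const char *boundary) {
    struct ct_info ct;
    return ct_parse(hdr, &ct) == 1
        && strcmp(ct.type, type) == 0
        && strcmp(ct.boundary, boundary) == 0;
}
```

The caller decides what to do with a multipart type that carries no boundary; the parser only guarantees that whatever lands in the two buffers is NUL-terminated and within the declared sizes.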
 [2011-07-20 13:41 UTC] nbpoole@php.net
A similar segfault on OS X 10.6.7 can be caused using the original steps to reproduce:

$ curl --form a=b http://127.0.0.1:8000/file.php
$ curl http://127.0.0.1:8000/does_not_exist


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000002011b0b30
0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
2097		heap->size -= size;
(gdb) bt
#0  0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
#1  0x000000010021e6af in destroy_uploaded_files_hash () at rfc1867.c:199
#2  0x000000010021b252 in sapi_deactivate () at SAPI.c:535
#3  0x00000001002fd61e in php_cli_server_send_error_page (server=0x7fff5fbfa730, client=0x100b4e6f0, status=404) at php_cli_server.c:1525
#4  0x00000001002fb31e in php_cli_server_dispatch [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:1636
#5  0x00000001002fb31e in php_cli_server_recv_event_read_request (server=0x7fff5fbfe970, client=0x1006651e0) at php_cli_server.c:1924
#6  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd_callback [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2010
#7  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd [inlined] () at php_cli_server.c:671
#8  0x00000001002fcae5 in php_cli_server_poller_iter_on_active [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2046
#9  0x00000001002fcae5 in php_cli_server_do_event_loop [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2036
#10 0x00000001002fcae5 in do_cli_server (argc=4, argv=0x10) at php_cli_server.c:2147
#11 0x00000001002f6aa4 in main (argc=1606415328, argv=0x7fff5fbff400) at php_cli.c:1359
 [2011-07-25 16:45 UTC] fa@php.net
Automatic comment from SVN on behalf of fa
Revision: http://svn.php.net/viewvc/?view=revision&revision=313677
Log: Fix #55121 Segfault with multipart/form-data POST
 [2011-07-25 16:47 UTC] fa@php.net
-Status: Assigned +Status: Feedback
 [2011-07-25 16:47 UTC] fa@php.net
Could you please try if this fix works on OS X as well?
Tested on debian stable.
 [2011-07-25 18:11 UTC] nbpoole@php.net
Tested latest snapshot on OS X. Same backtrace.
 [2011-07-25 20:18 UTC] nbpoole@php.net
OK. I retested again just now with the latest snapshot on both OS X and Ubuntu. No segfaults anymore.
 [2011-07-26 16:12 UTC] fa@php.net
-Status: Feedback +Status: Closed -Assigned To: moriyoshi +Assigned To: fa
 [2011-07-26 16:12 UTC] fa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-08-19 08:29 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2011-08-19 08:29 UTC] laruence@php.net
This causes #55450 and needs to be redone.
BTW: I can't reproduce this on Red Hat Linux 64-bit.
 [2011-08-19 08:30 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=315162
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677)
Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2011-12-09 02:50 UTC] reeze dot xia at gmail dot com
Hi, the 5.4RC3 and the trunk still have this bug.
After tracing the core, I found that SG(rfc1867_uploaded_files) wasn't set to NULL after SAPI deactivation.
When it tried to free the HashTable, PHP core dumped on the next form-data POST request.
So it's a one-line fix.
I have attached a patch for this; the patch was tested on Mac OS X 10.6.7 & Red Hat Linux.
 [2011-12-09 03:07 UTC] reeze dot xia at gmail dot com
To make it clear, the way to reproduce the core dump is:

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl --form a=b  "http://localhost:8000/file-non-exist.php"

If the --enable-debug flag is enabled, the CLI server will exit with the message "in consist hashtable"; normally it simply core dumps.
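The defect reeze's two comments describe, a per-request global that sapi_deactivate frees but never resets, so the next request that reaches sapi_deactivate (the 404 error-page path in the first trace, or a second POST in reeze's reproduction) frees it again, is a lifetime bug that only shows up in a long-lived server process, since a CGI-style process would exit before the stale pointer could be reused. The C program below is an added example, not PHP's code and not the patch attached to this report; it models that pattern so both the buggy and the fixed behaviour can be replayed. sg, files_table, multipart_post, sapi_deactivate, handle_request, run_sequence and dangling_after are assumed names, and frees are recorded rather than performed so the buggy variant runs to completion instead of crashing in the allocator.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's code and not the patch attached to this report.
 * It models a long-lived server process that keeps the per-request "uploaded
 * files" table in a global, as the traces in this thread show for
 * SG(rfc1867_uploaded_files).  sg, files_table, multipart_post,
 * sapi_deactivate, handle_request, run_sequence and dangling_after are assumed
 * names.  Frees are recorded rather than performed, so the buggy variant runs
 * to completion instead of crashing inside the allocator. */

#define POOL_SIZE 32

typedef struct { int freed; } files_table;

static files_table pool[POOL_SIZE];   /* stands in for the heap */
static int pool_used;

static struct {
    files_table *uploaded_files;  /* set by the multipart POST handler; should be NULL between requests */
    int double_frees;             /* frees of an already-freed table: the crash seen in the traces */
    int clear_on_deactivate;      /* 0 = stale pointer survives (bug), 1 = pointer reset (fix) */
} sg;

/* destroy_uploaded_files_hash() stand-in */
static void destroy_uploaded_files(void) {
    files_table *t = sg.uploaded_files;
    if (t == NULL) return;                        /* nothing allocated during this request */
    if (t->freed) { sg.double_frees++; return; }  /* second free of the previous request's table */
    t->freed = 1;
    if (sg.clear_on_deactivate) sg.uploaded_files = NULL;  /* the reset reeze's comment describes */
}

/* rfc1867 POST handler stand-in: a multipart/form-data request gets a fresh table */
static int multipart_post(void) {
    if (pool_used >= POOL_SIZE) return 0;
    files_table *t = &pool[pool_used++];
    t->freed = 0;
    sg.uploaded_files = t;
    return 1;
}

/* sapi_deactivate() stand-in: runs at the end of every request, including the
 * 404 error-page path that never started a script (frame #3 in the first trace) */
static void sapi_deactivate(void) {
    destroy_uploaded_files();
}

/* 'P' = multipart POST to an existing script, 'E' = request answered with an error page */
static void handle_request(char kind) {
    if (kind == 'P') multipart_post();
    sapi_deactivate();
}

static void reset_model(int clear_on_deactivate) {
    memset(&sg, 0, sizeof sg);
    sg.clear_on_deactivate = clear_on_deactivate;
    pool_used = 0;
}

/* Replay a request sequence such as "PE" or "PEEP"; returns how many double frees occurred. */
int run_sequence(const char *seq, int fixed) {
    reset_model(fixed);
    for (; *seq; seq++) handle_request(*seq);
    return sg.double_frees;
}

/* Invariant a debug build could assert at request startup: is the global still
 * pointing at a freed table once the sequence has finished? */
int dangling_after(const char *seq, int fixed) {
    reset_model(fixed);
    for (; *seq; seq++) handle_request(*seq);
    return sg.uploaded_files != NULL && sg.uploaded_files->freed;
}

int main(void) {
    const char *seqs[] = { "PE", "PEEP", "EE" };
    for (int i = 0; i < 3; i++)
        printf("%-5s buggy: %d double free(s)  fixed: %d double free(s)\n",
               seqs[i], run_sequence(seqs[i], 0), run_sequence(seqs[i], 1));
    return 0;
}
```

"PE" is the POST-then-404 sequence from the original report and "PEEP" the four-request sequence from the second trace; "EE" never allocates a table and is the case fa could not reproduce. In the fixed model sapi_deactivate is idempotent, which is the property a persistent server needs because the error-page path calls it without a preceding request startup.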
 [2011-12-09 03:29 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed
 [2011-12-09 03:29 UTC] laruence@php.net
Hi, this is a closed bug, and your problem is another issue. Could you please open a new bug instead of reopening a closed one?

thanks
 [2011-12-09 03:31 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2011-12-09 03:31 UTC] laruence@php.net
Ah, sorry, my mistake, I assumed the wrong one :)
 [2011-12-09 03:50 UTC] reeze dot xia at gmail dot com
Haha, got your idea, I will open a new one.
This bug is indeed different from the one I updated :-)
 [2011-12-09 04:02 UTC] laruence@php.net
-Assigned To: fa +Assigned To: laruence
 [2011-12-09 05:40 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2011-12-09 05:40 UTC] laruence@php.net
-Status: Re-Opened +Status: Feedback
 [2011-12-23 06:22 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2011-12-23 06:22 UTC] laruence@php.net
fixed
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7790c4d975084cf99a6cbd0cc6308caf8c2232b7
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677) Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of fa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a06539a10d1ca6f83804115ce34b27b25ea77b8a
Log: Fix #55121 Segfault with multipart/form-data POST
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7790c4d975084cf99a6cbd0cc6308caf8c2232b7
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677) Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of fa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a06539a10d1ca6f83804115ce34b27b25ea77b8a
Log: Fix #55121 Segfault with multipart/form-data POST
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7790c4d975084cf99a6cbd0cc6308caf8c2232b7
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677) Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of fa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a06539a10d1ca6f83804115ce34b27b25ea77b8a
Log: Fix #55121 Segfault with multipart/form-data POST
 
Last updated: Wed Apr 23 09:02:23 2014 UTC