Bug #55704 php_flag engine off crashes apache
Submitted: 2011-09-15 20:48 UTC Modified: 2012-03-05 15:09 UTC
From: j dot amend at gmail dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.4SVN-2011-09-19 (snap) OS: Gentoo linux
Private report: No CVE-ID: None
 [2011-09-15 20:48 UTC] j dot amend at gmail dot com
Description:
------------
Since PHP 5.4 alpha 2 (alpha 1 still worked), apache crashes with a segmentation fault if "php_flag engine off" is anywhere in my apache configuration files.

Test script:
---------------
httpd.conf:
...
php_flag engine off
...

Expected result:
----------------
PHP is disabled in whatever context "php_flag engine off" is used.

Actual result:
--------------
Apache crashes with a segmentation fault, even for a configtest (apache2 -t).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff04ddff9 in _zend_hash_add_or_update () from /usr/lib64/apache2/modules/libphp5.so

History
 [2011-09-16 08:30 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-09-16 08:30 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I cannot reproduce this in my environment; please test with the SVN snapshot, thanks.
 [2011-09-20 13:43 UTC] j dot amend at gmail dot com
-Status: Feedback +Status: Open -PHP Version: 5.4SVN-2011-09-15 (snap) +PHP Version: 5.4SVN-2011-09-19 (snap)
 [2011-09-20 13:43 UTC] j dot amend at gmail dot com
I just tried it with php5.4-201109192030 on my Mac (Apache/2.2.17, Mac OS X 10.6.7) with the same result.

#0  0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d118, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff350, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
#1  0x000000010139a944 in real_value_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, name=0x100890f58 "engine", value=<value temporarily unavailable, due to optimizations>, status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:73
#2  0x000000010139a9dd in real_flag_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, arg1=0x100890f58 "engine", arg2=0x100890f60 "off", status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:98
#3  0x0000000100003595 in invoke_cmd ()
#4  0x00000001000047d8 in ap_walk_config_sub ()
#5  0x000000010000488b in ap_walk_config ()
#6  0x0000000100005ddd in ap_process_config_tree ()
#7  0x000000010000a26a in main ()
 [2011-09-20 14:32 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-09-20 14:32 UTC] laruence@php.net
This is so weird, since in frame #0 arKey is an invalid pointer, but it should be exactly the same as the name in #1. Since I cannot reproduce this in my environment, could you do me a favor and try to find out how this var could be damaged?

You can try to use gdb httpd, set a breakpoint with "b real_value_hnd", then examine it step by step, thanks.
 [2011-09-20 16:46 UTC] j dot amend at gmail dot com
-Status: Feedback +Status: Open
 [2011-09-20 16:46 UTC] j dot amend at gmail dot com
I tried what I could, but I don't know C or how to use gdb properly. It looks like the var name makes it to _zend_hash_add_or_update intact as arKey, but then the address of arKey mysteriously changes inside that function.

Breakpoint 1, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:201
201		TSRMLS_FETCH();
(gdb) info args
ht = (HashTable *) 0x10087d120
arKey = 0x10088e298 "engine"
nKeyLength = 7
pData = (void *) 0x7fff5fbff330
nDataSize = 24
pDest = (void **) 0x0
flag = 1
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) print &arKey
Address requested for identifier "arKey" which is in register $r13
(gdb) info address arKey
Symbol "arKey" is 

   0x1012e9a70 - 0x1012e9a98: in register rsi
   0x1012e9a98 - 0x1012e9ace: in register r13
   0x1012e9ace - 0x1012e9b94: in register rcx
   0x1012e9b94 - 0x1012e9bc1: in register r13
   0x1012e9bc1 - 0x1012e9c7c: in register rcx
   0x1012e9c7c - 0x1012e9cd2: in register r13
   0x1012e9d7f - 0x1012e9d8a: in register r13
   0x1012e9d90 - 0x1012e9d9e: in register r13
   0x1012e9da4 - 0x1012e9dff: in register r13
   0x1012e9e2b - 0x1012e9f0f: in register r13
   0x1012e9f15 - 0x1012e9f45: in register r13
   0x1012e9fb5 - 0x1012e9fc6: in register r13
   0x1012e9fd9 - 0x1012e9ff1: in register r13
   0x1012ea00a - 0x1012ea02b: in register r13
   0x1012ea062 - 0x1012ea0b0: in register r13.

(gdb) next
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) p/x $rcx
$17 = 0x10088e298
[...]
(gdb) next    
278			case 6: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough... */
(gdb) p/x $rcx
$18 = 0x10088e299
[...]
(gdb) next
283			case 1: hash = ((hash << 5) + hash) + *arKey++; break;
(gdb) p/x $rcx
$21 = 0x10088e29e
(gdb) print (char*)0x10088e29e
$22 = 0x10088e29e ""
(gdb) next
218		p = ht->arBuckets[nIndex];
(gdb) print arKey
$24 = 0x10088e29e ""
(gdb) p/x *arKey
$27 = 0x0
[...]
(gdb) next
Breakpoint 8, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:253
253			p = (Bucket *) pemalloc(sizeof(Bucket) + nKeyLength, ht->persistent);
(gdb) p/x *arKey
$32 = 0x65
(gdb) p/x $rcx
$33 = 0x10088e29e
(gdb) next
258			memcpy((char*)p->arKey, arKey, nKeyLength);
(gdb) p/x arKey
$41 = 0x10088e298
(gdb) print arKey
$42 = 0x10088e298 "engine"
[...]
(gdb) next
262		p->h = h;
(gdb) print arKey
$48 = 0x18 <Address 0x18 out of bounds>
(gdb) p/x arKey
$49 = 0x18
(gdb) print *p
$51 = {
  h = 0, 
  nKeyLength = 7, 
  pData = 0x100222bf0, 
  pDataPtr = 0x0, 
  pListNext = 0x200000000, 
  pListLast = 0x600000001, 
  pNext = 0x5000021000000010, 
  pLast = 0x0, 
  arKey = 0x100222be8 "engine"
}
[...]
(gdb) next

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000005448523c
0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d120, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
268		HANDLE_BLOCK_INTERRUPTIONS();
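As an added example (not part of the bug report, and not PHP or Apache code), the following gdb command file automates the stepping that laruence asked for and that the reporter did by hand above: it waits for real_value_hnd to handle the "engine" directive, then puts a watchpoint on arKey inside _zend_hash_add_or_update so gdb stops at the exact instruction that changes it, instead of requiring `next` to be typed until the 0x18 shows up. The httpd path, the `-t` invocation and the file name trace_arkey.gdb are assumptions; it needs an unstripped libphp5.so built with debug symbols, and the register names are x86_64.

```gdb
# trace_arkey.gdb -- added example, not from the bug report.
# Assumed invocation (adjust the httpd path for your distribution):
#   gdb -q -x trace_arkey.gdb --args /usr/sbin/apache2 -t
set pagination off
# libphp5.so is loaded after httpd starts, so its symbols do not exist yet.
set breakpoint pending on

# Frame #1 of the reported backtrace: the mod_php directive handler in
# sapi/apache2handler/apache_config.c.  Log each directive it sees and go on.
break real_value_hnd
commands
  silent
  printf "real_value_hnd: name=%s\n", name
  continue
end

# Frame #0: stop only for the 7-byte key starting with 'e' ("engine"),
# not for every hash insert PHP does while reading the configuration.
break _zend_hash_add_or_update if nKeyLength == 7 && arKey[0] == 'e'
commands
  silent
  printf "arKey on entry: %p -> \"%s\"\n", arKey, arKey
  # arKey lives in a register (r13/rcx in the report), so this becomes a
  # software watchpoint: gdb single-steps the function and stops at the
  # instruction that modifies the variable.  It is removed automatically
  # when the frame returns.
  watch arKey
  continue
end

# Runs the config test.  gdb stops either at the watchpoint (arKey changed)
# or on the SIGSEGV / EXC_BAD_ACCESS; either way, show where we are.
run
bt 5
info registers rcx r13
# "print" tolerates an unmapped pointer such as 0x18, unlike "x/s".
print arKey
```

The stop at the watchpoint, rather than at the crash in frame #0, is what identifies the writer: `bt 5` at that moment shows the instruction and source line that overwrote arKey, which the manual `next` session above could only bracket between lines 258 and 262 of zend_hash.c.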
 [2012-03-05 15:09 UTC] j dot amend at gmail dot com
I just tested upgrading from RC4 and the release version, and I no longer get a segfault when I do a config test or graceful/restart.
 [2012-03-05 15:09 UTC] j dot amend at gmail dot com
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 02 13:03:33 2021 UTC