Bug #58960 Segmentation fault SIGSEGV with protected variable with ssh2
Submitted: 2009-11-24 03:54 UTC Modified: 2011-09-21 13:41 UTC
From: graham dot simpson at hsbcib dot com Assigned: bjori (profile)
Status: Closed Package: ssh2 (PECL)
PHP Version: 5_3 SVN-2009-11-24 (dev) OS: SuSE 10.2
Private report: No CVE-ID: None
 [2009-11-24 03:54 UTC] graham dot simpson at hsbcib dot com
Description:
------------
Note: I am on php 5.3.1 stable (was not in dropdown)
-
I am using openssl-0.9.8k, libssh2-1.2.1 and php 5.3.1.
-
Reproducible SIGSEGV fault whilst accessing protected variable via a method in a class using ssh2 functions. 
-
Note, this happens in php 5.3.0 and php 5.3.1. My current live host is php 5.0.4 where this code happily runs.



Reproduce code:
---------------
#!/opt/sybase/php-5.3.1/bin/php -q
<?php
class Ssh {
protected $authmethods;
protected $negotiatedmethods;
protected $stdio;
protected $connection;
protected $sessionparams = array ();

public function __construct () {
  $this->sessionparams = array ('hostname'=>'darkstar','username'=>'batman','port'=>'22',
                                'publickey'=>'/dbai/.ssh/id_rsa.pub',
                                'privatekey'=>'/dbai/.ssh/id_rsa','passphrase'=>'mypassphrase');
  $this->stdio = array();
}

public function Connect () {
  $this->connection = ssh2_connect($this->GetParameter("hostname"),
                                   $this->GetParameter("port"),
                                   array('hostkey'=>'ssh-rsa,ssh-dss'));
  if (!$this->connection) die ('Connection failed');
  $this->negotiatedmethods = ssh2_methods_negotiated ($this->connection);
  $this->authmethods = ssh2_auth_none($this->connection,"userthatcannotexist");
  // ssh2_auth_none() returns TRUE if "none" is accepted, otherwise an array of methods
  if (is_array($this->authmethods) && in_array('publickey',$this->authmethods)) {
    unset ($this->connection);
    $this->connection = ssh2_connect($this->GetParameter("hostname"),
                                     $this->GetParameter("port"),
                                     array('hostkey'=>'ssh-rsa,ssh-dss'));
  }
  $rs = ssh2_auth_pubkey_file($this->connection,
                              $this->GetParameter("username"),
                              $this->GetParameter("publickey"),
                              $this->GetParameter("privatekey"),
                              $this->GetParameter("passphrase"));
  if (!$rs) die ('Public key authentication failed');
}
public function Exec () {
  $stdiostream = ssh2_exec($this->connection,"uname -a");
  stream_set_blocking($stdiostream,TRUE);
  $output = array();
  while ($line = fgets($stdiostream)) {
    flush();
    $output[] = $line;
  }
  fclose ($stdiostream);
  $this->stdio = $output;
}

public function GetStdOut () {
  return $this->stdio;
}

public function Disconnect () {
  unset($this->connection);
}

protected function GetParameter ($parameter) {
  if (isset($this->sessionparams[$parameter])) {
    return $this->sessionparams[$parameter];
  }
  return FALSE;
}

}

$conn = new Ssh();
$conn->Connect();
$conn->Exec();
$output = $conn->GetStdOut();
print_r($output);
$conn->Disconnect();

?>


Expected result:
----------------
The print_r should have printed out my ssh output.

Actual result:
--------------
In the example above, the call to the method $output = $conn->GetStdOut()
accesses $this->stdio, which causes a SIGSEGV in the calling script as soon as $output is printed.
-
Note: More often than not the memory fault occurs - but not always! Sometimes it works!!
-
Strace shows a SIGSEGV, but here's the gdb output:
(gbl00358) debug > ./repro.php
Memory fault
(gbl00358) debug > gdb /opt/sybase/php-5.3.1/bin/php
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run -qe repro.php
Starting program: /opt/sybase/php-5.3.1/bin/php -qe repro.php
[Thread debugging using libthread_db enabled]
[New Thread 47419463284592 (LWP 7903)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47419463284592 (LWP 7903)]
0x0000000000767b6f in _zend_mm_alloc_int ()
(gdb) bt
#0  0x0000000000767b6f in _zend_mm_alloc_int ()
#1  0x0000000000769158 in _emalloc ()
#2  0x000000000079cf7d in _zend_hash_quick_add_or_update ()
#3  0x00000000007ba950 in _get_zval_cv_lookup ()
#4  0x0000000000863f75 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER ()
#5  0x00000000007bcce4 in execute ()
#6  0x000000000078e87e in zend_execute_scripts ()
#7  0x000000000071a14f in php_execute_script ()
#8  0x0000000000874b39 in main ()
-
(gbl00358) debug > export USE_ZEND_ALLOC=0
(gbl00358) debug > ./repro.php
*** glibc detected *** /opt/sybase/php-5.3.1/bin/php: double free or corruption (fasttop): 0x0000000000e82050 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2af84f41831e]
/lib64/libc.so.6(__libc_free+0x6c)[0x2af84f419d7c]
/opt/sybase/php-5.3.1/bin/php(_efree+0x33)[0x769195]
/opt/sybase/libssh2-1.2.1/lib/libssh2.so.1(libssh2_session_free+0x1c4)[0x2af84f8bae64]
/opt/sybase/php-5.3.1/bin/php[0x7a0739]
/opt/sybase/php-5.3.1/bin/php(zend_hash_del_key_or_index+0x203)[0x79db57]
/opt/sybase/php-5.3.1/bin/php(_zend_list_delete+0x69)[0x7a0206]
/opt/sybase/php-5.3.1/bin/php(_zval_dtor_func+0xcb)[0x78c007]
/opt/sybase/php-5.3.1/bin/php[0x77c716]
/opt/sybase/php-5.3.1/bin/php(_zval_ptr_dtor+0x85)[0x77ca13]
/opt/sybase/php-5.3.1/bin/php(zend_hash_del_key_or_index+0x203)[0x79db57]
/opt/sybase/php-5.3.1/bin/php[0x7b7660]
/opt/sybase/php-5.3.1/bin/php[0x833854]
/opt/sybase/php-5.3.1/bin/php(execute+0x3b4)[0x7bcce4]
/opt/sybase/php-5.3.1/bin/php(zend_execute_scripts+0x249)[0x78e87e]
/opt/sybase/php-5.3.1/bin/php(php_execute_script+0x36e)[0x71a14f]
/opt/sybase/php-5.3.1/bin/php[0x874b39]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2af84f3ca184]
/opt/sybase/php-5.3.1/bin/php[0x426ef9]
======= Memory map: ========


 [2009-11-24 03:56 UTC] graham dot simpson at hsbcib dot com
Also used a minimal php configure, here it is:
CFLAGS="-DSYB_LP64" ./configure --with-libdir=lib64
--prefix=${TDIR}/php-5.3.1 --with-gnu-ld --enable-libgcc
--with-openssl=${TDIR}/openssl-0.9.8k --with-ssh2=${TDIR}/libssh2-1.2.1
--with-libxml-dir=${TDIR}/libxml2-2.7.5
--with-xsl=${TDIR}/libxslt-1.1.26 \
        --with-zlib --disable-cgi --with-bz2
--with-apxs2=${TDIR}/httpd-2.2.13/bin/apxs
 [2009-11-24 05:00 UTC] graham dot simpson at hsbcib dot com
Sorry, forgot to mention that I'm using ssh2 0.11.
 [2009-11-24 09:53 UTC] graham dot simpson at hsbcib dot com
Just tried re-compiling again but using latest libssh2-1.2.2. SIGSEGV still happens.
 [2009-11-25 05:15 UTC] graham dot simpson at hsbcib dot com
Further investigation has revealed that the problem lies in the ssh2_auth_none method being called, followed by a subsequent re-connection of the $this->connection via ssh2_connect.
In the above repro.php code, taking out the ssh2_auth_none makes the code work fine. I guess most people won't bother to negotiate and validate connection methods and will simply do the ssh2_connect, then ssh2_exec which explains why not many people have had this bug.
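The sequence the report identifies as the trigger is "query methods, unset the session, connect again". Added example (not the reporter's code and not the SVN fix): the accepted authentication methods can be queried with the real username and the public key authentication performed on the same session, so the connection resource is never freed and re-created inside the object. Hostname, username and key paths are placeholders.

```php
<?php
// Added example: negotiate and authenticate on ONE ssh2 session.
// Placeholders: host 'darkstar', user 'batman', key paths under /dbai/.ssh.
function sshConnectAndAuth(array $p)
{
    $session = ssh2_connect($p['hostname'], (int) $p['port'],
                            array('hostkey' => 'ssh-rsa,ssh-dss'));
    if ($session === false) {
        throw new RuntimeException('ssh2_connect failed');
    }

    // Ask with the real username: ssh2_auth_none() returns TRUE when the
    // server accepts "none", otherwise the array of methods it will take.
    $methods = ssh2_auth_none($session, $p['username']);
    if ($methods === true) {
        return $session;                 // already authenticated
    }
    if (!is_array($methods) || !in_array('publickey', $methods, true)) {
        throw new RuntimeException('server does not offer publickey auth');
    }

    // Same session, no unset()/reconnect in between.
    $ok = ssh2_auth_pubkey_file($session, $p['username'],
                                $p['publickey'], $p['privatekey'],
                                $p['passphrase']);
    if ($ok !== true) {
        throw new RuntimeException('public key authentication failed');
    }
    return $session;
}

function sshRun($session, $cmd)
{
    $stream = ssh2_exec($session, $cmd);
    if ($stream === false) {
        throw new RuntimeException('ssh2_exec failed');
    }
    stream_set_blocking($stream, true);  // read until the remote side closes
    $out = stream_get_contents($stream);
    fclose($stream);
    return $out;
}

$session = sshConnectAndAuth(array(
    'hostname'   => 'darkstar', 'port' => 22, 'username' => 'batman',
    'publickey'  => '/dbai/.ssh/id_rsa.pub',
    'privatekey' => '/dbai/.ssh/id_rsa',
    'passphrase' => 'mypassphrase'));
echo sshRun($session, 'uname -a');
unset($session);                         // single teardown at the end
```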
 [2009-11-25 06:50 UTC] graham dot simpson at hsbcib dot com
Okay, went back to the compile of the ssh2 extension. No errors but did get these warnings...
 cc -I. -I/home/sybase/simpsong/src/ssh2-0.11.0 -DPHP_ATOM_INC -I/home/sybase/simpsong/src/ssh2-0.11.0/include -I/home/sybase/simpsong/src/ssh2-0.11.0/main -I/home/sybase/simpsong/src/ssh2-0.11.0 -I/opt/sybase/php-5.3.1/include/php -I/opt/sybase/php-5.3.1/include/php/main -I/opt/sybase/php-5.3.1/include/php/TSRM -I/opt/sybase/php-5.3.1/include/php/Zend -I/opt/sybase/php-5.3.1/include/php/ext -I/opt/sybase/php-5.3.1/include/php/ext/date/lib -I/opt/sybase/libssh2-1.2.2/include -DHAVE_CONFIG_H -g -O2 -c /home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c -fPIC -DPIC -o .libs/ssh2.o
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c: In function 'zif_ssh2_methods_negotiated':
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:502: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:503: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:507: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:508: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:509: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:510: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:515: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:516: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:517: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:518: warning: passing argument 4 of 'add_assoc_string_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c: In function 'zif_ssh2_publickey_add':
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:1044: warning: passing argument 1 of '_efree' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c: In function 'zif_ssh2_publickey_list':
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:1103: warning: passing argument 4 of 'add_assoc_stringl_ex' discards qualifiers from pointer target type
/home/sybase/simpsong/src/ssh2-0.11.0/ssh2.c:1104: warning: passing argument 4 of 'add_assoc_stringl_ex' discards qualifiers from pointer target type
 [2009-12-11 03:19 UTC] graham dot simpson at hsbcib dot com
Hello. Anyone out there?
 [2011-09-21 13:41 UTC] bjori@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.
