Bug #59503 Double free causing crash on startup if server is not
Submitted: 2010-11-09 18:30 UTC Modified: 2011-03-14 00:30 UTC
From: samm at os2 dot kiev dot ua Assigned: hradtke (profile)
Status: Closed Package: memcache (PECL)
PHP Version: 5.3.2 OS: Ubuntu Linux
Private report: No CVE-ID: None
 [2010-11-09 18:30 UTC] samm at os2 dot kiev dot ua
Description:
------------
--- memcache_session.c	2010-10-03 23:41:21.000000000 +0200
+++ memcache_session.c.patched	2010-11-10 00:27:08.814717875 +0100
@@ -298,9 +298,6 @@
 				 mmc_pool_schedule(pool, mmc, lockrequest TSRMLS_CC) != MMC_OK ||
 				 /*pool->protocol != &mmc_binary_protocol && */mmc_pool_schedule(pool, mmc, addrequest TSRMLS_CC) != MMC_OK ||
 				 mmc_pool_schedule(pool, mmc, datarequest TSRMLS_CC) != MMC_OK) {
-				mmc_pool_release(pool, lockrequest);
-				mmc_pool_release(pool, addrequest);
-				mmc_pool_release(pool, datarequest);
 				mmc_queue_push(&skip_servers, mmc);
 				continue;
 			}
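Review bot: In the failure branch that now only runs mmc_queue_push(&skip_servers, mmc) and continue, the || chain short-circuits, so when the lockrequest call fails, addrequest and datarequest are never passed to mmc_pool_schedule, and with all three mmc_pool_release calls removed nothing in the visible lines returns them to the pool. If mmc_pool_schedule releases a request itself on failure, that would explain the double free, but it would only cover the request whose call failed. Consider releasing just the requests that were not handed to mmc_pool_schedule, or add a comment stating who owns a request when mmc_pool_schedule returns something other than MMC_OK.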


Reproduce code:
---------------
<?php
ini_set("session.save_handler","memcache");
// using bad port, no server listening
ini_set("session.save_path", "tcp://127.0.0.1:444"); 
ini_set("session.gc_maxlifetime", 5000);
session_start();
if(!isset($_SESSION["tst"])) $_SESSION["tst"]=0;
$_SESSION["tst"]++;
echo $_SESSION["tst"]."<br>".session_id();
phpinfo();
?>


Expected result:
----------------
error notice 

Actual result:
--------------
crash. PHP is crashing because it is trying to free pools which are already free

 [2010-11-25 13:11 UTC] hradtke@php.net
I tested this against PHP 5.3.3 and version 3.0.6 of the memcache extension and could not reproduce this.

What version of the memcache extension are you using?  Can you reproduce this against the 3.0.6 version?
 [2010-11-25 13:47 UTC] samm at os2 dot kiev dot ua
I am able to reproduce this bug on php 5.1 (from RHEL) and 5.2.14. I don't see 3.0.6 in the packages list - please tell me how to get it and I will do the test.
 [2010-11-25 16:05 UTC] hradtke@php.net
Sorry, I meant 3.0.5.  http://pecl.php.net/package/memcache/3.0.5
 [2010-11-25 16:28 UTC] samm at os2 dot kiev dot ua
As you could find - I tested it already with 5.2.14 and 5.1. I will now test it with the latest php 5.3 and then will post the results.
 [2011-03-11 04:36 UTC] samm at os2 dot kiev dot ua
More details on this report:

1) Ubuntu 10.10 x86_64 with PHP5.3.3 and pecl-memcache 3.0.4 (from packages) 

samm@samm-dell:~/tmp$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

samm@samm-dell:~/tmp$ php test.php 
1<br>94va84uuucad6r51rfg4oesf53zend_mm_heap corrupted

2) Latest php from php53 svn on 10.10, compiled on 11 Mar 2011, with pecl-memcache 3.0.5

samm@samm-dell:~/tmp$ /home/samm/local/php53-svn/bin/php test.php 
1<br>7134ba04726c461a77b3664cc2c9c459
Warning: Unknown: Failed to write session data (memcache). Please verify that the current setting of session.save_path is correct (tcp://127.0.0.1:444) in Unknown on line 0
zend_mm_heap corrupted


As you could see - the bug is very easy to reproduce. Also I am able to reproduce it on RHEL, both with 5.2 and 5.3. Please tell me if you need anything else. If you need - I can provide you shell access or a VM image.
 [2011-03-11 09:53 UTC] hradtke@php.net
This bug exists in 3.0.4.  It does not exist in 3.0.5 or trunk however.  Please confirm if you can get this to break in 3.0.5.
 [2011-03-11 12:04 UTC] samm at os2 dot kiev dot ua
This bug WAS NOT fixed in 3.0.5, as I already mentioned.
> 2) Latest php from php53 svn on 10.10, compiled on 11 Mar 2011, with pecl-memcache 3.0.5


This is a proof, once again:
echo '<?php phpinfo(INFO_MODULES) ?>'|/home/samm/local/php53-svn/bin/php
[...skip]
memcache support => enabled
Version => 3.0.5
Revision => $Revision: 303968 
...

samm@samm-dell:~$ /home/samm/local/php53-svn/bin/php ~/tmp/test.php 
1<br>af520a18f678aff121ac0fa0710204ba
Warning: Unknown: Failed to write session data (memcache). Please verify that the current setting of session.save_path is correct (tcp://127.0.0.1:444) in Unknown on line 0
zend_mm_heap corrupted



See "zend_mm_heap corrupted".

There is no memcached server on port 444, as I wrote before. If I launch memcached on this port then the script produces no errors.
 [2011-03-11 13:12 UTC] hradtke@php.net
You are right, it is not fixed in 3.0.5.  I was testing against trunk and assumed it was working in 3.0.5 as well.  I can verify the crash happens in 3.0.4 and 3.0.5.  The new memcache build should have this fixed.
 [2011-03-11 17:13 UTC] samm at os2 dot kiev dot ua
Yes, 3.0.5-dev (svn) works fine with my test. I hope 3.0.6 will be released soon.
 [2011-03-14 00:30 UTC] hradtke@php.net
Closing since this is fixed in svn.  New version should be released this month.
 