php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59844 Value unserialization can lead to memory corruption and segfault
Submitted: 2011-07-09 18:40 UTC Modified: 2013-05-28 08:36 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: paul dot clifford+pecl at gmail dot com Assigned:
Status: Duplicate Package: memcache (PECL)
PHP Version: 5.3.6 OS: Fedora 14 and CentOS 5.6
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: paul dot clifford+pecl at gmail dot com
New email:
PHP Version: OS:

 

 [2011-07-09 18:40 UTC] paul dot clifford+pecl at gmail dot com
Description:
------------
Getting an object with a circular reference from memcache 
triggers memory corruption, sometimes leading to a 
segmentation fault.  It looks like a zval allocated on the 
stack ends up being garbage collected during the destruct 
sequence as a result of the code within the "if (flags & 
MMC_SERIALIZED) {" block in mmc_unpack_value, in 
memcache_pool.c

This may be the same problem reported at 
http://pecl.php.net/bugs/bug.php?id=14511, and does not seem 
to be present in 2.2.6

Reproduce code:
---------------
Put the following in "corruption.php":
<?php
$obj = new StdClass();
$obj->obj = $obj;
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
$memcache->set('x', $obj, false, 300);
$x = $memcache->get('x');
$x = $memcache->get('x');

Run under valgrind (assuming memcached is running on 127.0.0.1:11211):
valgrind --tool=memcheck php corruption.php

A potential patch: http://pastebin.com/raw.php?i=p3sJXmEk

Expected result:
----------------
No errors, similar to:

$ valgrind --tool=memcheck php corruption.php
==10808== Memcheck, a memory error detector
==10808== Copyright (C) 2002-2009, and GNU GPL'd, by Julian 
Seward et al.
==10808== Using Valgrind-3.5.0 and LibVEX; rerun with -h for 
copyright info
==10808== Command: php corruption.php
==10808==
==10808==
==10808== HEAP SUMMARY:
==10808==     in use at exit: 85,004 bytes in 2,145 blocks
==10808==   total heap usage: 20,680 allocs, 18,535 frees, 
2,514,693 bytes allocated
==10808==
==10808== LEAK SUMMARY:
==10808==    definitely lost: 2,253 bytes in 31 blocks
==10808==    indirectly lost: 2,148 bytes in 49 blocks
==10808==      possibly lost: 0 bytes in 0 blocks
==10808==    still reachable: 80,603 bytes in 2,065 blocks
==10808==         suppressed: 0 bytes in 0 blocks
==10808== Rerun with --leak-check=full to see details of 
leaked memory
==10808==
==10808== For counts of detected and suppressed errors, 
rerun with: -v
==10808== ERROR SUMMARY: 0 errors from 0 contexts 
(suppressed: 216 from 13)


Actual result:
--------------
Lots of invalid reads and writes, similar to:
http://pastebin.com/raw.php?i=Mmm5QgUP

On some of my test machines it also triggers a segmentation 
fault.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-05-28 08:20 UTC] github at fabian-franz dot de
Thanks for the perfect bug description.

This was fixed as part of:

https://bugs.php.net/bug.php?id=63142

Should be closed as a duplicate.
 [2013-05-28 08:36 UTC] pajoye@php.net
See #63142
 [2013-05-28 08:36 UTC] pajoye@php.net
-Status: Open +Status: Duplicate
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Jul 29 16:01:24 2021 UTC