Bug #60256 64kB memory leak in exec() and related functions
Submitted: 2011-11-10 13:42 UTC Modified: 2011-11-11 10:31 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: andreas dot ringlstetter at gmail dot com Assigned:
Status: Not a bug Package: Program Execution
PHP Version: 5.3.8 OS: Windows XP SP3 32bit
Private report: No CVE-ID: None
 [2011-11-10 13:42 UTC] andreas dot ringlstetter at gmail dot com
Description:
------------
For each call to exec(), system(), popen() or proc_open(), Windows will show an 
increase of 64kB in total committed memory. Those 64kB don't add to the memory 
committed by PHP and Windows won't free the memory when the php process 
terminates.  
The memory will only be freed when the user closes the Windows session.

Repeated calls (depending on your system memory somewhere around 10-50.000 
calls) to those functions will render the system unable to start new threads 
and cause the Windows kernel to force a reboot. This was confirmed on 3 
independent machines.

This problem occurs both in cli mode and with mod_php as Apache module. This 
problem even occurs when proc_open is used with the "bypass_shell" option.

The problem appears similar to #42602, but every other script engine does just 
fine on this machine, so it must somehow be related to the way php starts 
processes in Windows.

Test script:
---------------
<?php
// 1000 calls = 1000 * 64kB = 64MB memory leak
for($i = 0; $i < 1000; $i++) {
	exec("who"); // Or any other command of your choice
	if($i%100 == 0) {
		// Shows constant amount
		echo memory_get_usage()."\r\n";
		// Also constant
		echo memory_get_usage(true)."\r\n";
	}
}

Expected result:
----------------
The amount of committed memory of the system should go back to normal when the 
php process and all started child processes terminate.

Actual result:
--------------
For each call of exec(), an additional 64kB of memory will be committed, although 
Windows claims that this memory is not assigned to any process. This memory will 
only be freed when the Windows session is closed.
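
Added example, not part of the original report or of PHP: the report notes that memory_get_usage() stays constant while the system-wide commit charge grows, so this Python sketch samples the commit charge through the Win32 GetPerformanceInfo call and fits the growth per spawned process. The file name commit_probe.py and the php command line in the comment are assumptions; the sampling part runs on Windows only.

```python
import ctypes
import subprocess
import sys

_SIZE_T_FIELDS = ("CommitTotal", "CommitLimit", "CommitPeak", "PhysicalTotal",
                  "PhysicalAvailable", "SystemCache", "KernelTotal",
                  "KernelPaged", "KernelNonpaged", "PageSize")

class PERFORMANCE_INFORMATION(ctypes.Structure):
    """Layout of the Win32 PERFORMANCE_INFORMATION struct (psapi.h)."""
    _fields_ = ([("cb", ctypes.c_uint32)]
                + [(name, ctypes.c_size_t) for name in _SIZE_T_FIELDS]
                + [(name, ctypes.c_uint32)
                   for name in ("HandleCount", "ProcessCount", "ThreadCount")])

def system_commit_bytes():
    """System-wide committed memory in bytes (Windows only)."""
    info = PERFORMANCE_INFORMATION()
    info.cb = ctypes.sizeof(info)
    if not ctypes.windll.psapi.GetPerformanceInfo(ctypes.byref(info), info.cb):
        raise ctypes.WinError()
    return info.CommitTotal * info.PageSize  # CommitTotal is counted in pages

def leak_per_call(samples):
    """Least-squares slope of committed bytes against number of calls."""
    if len(samples) < 2:
        raise ValueError("need at least two (calls, bytes) samples")
    xs = [float(n) for n, _ in samples]
    ys = [float(b) for _, b in samples]
    mean_x, mean_y = sum(xs) / len(xs), sum(ys) / len(ys)
    spread = sum((x - mean_x) ** 2 for x in xs)
    if spread == 0:
        raise ValueError("samples must cover two or more distinct call counts")
    return sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / spread

def probe(command, calls=1000, every=100):
    """Run `command` repeatedly, sampling the commit charge as it goes."""
    samples = [(0, system_commit_bytes())]
    for n in range(1, calls + 1):
        subprocess.call(command, stdout=subprocess.DEVNULL)
        if n % every == 0:
            samples.append((n, system_commit_bytes()))
    return samples

if __name__ == "__main__":
    # Assumed invocation: python commit_probe.py php -r "exec('who');"
    slope = leak_per_call(probe(sys.argv[1:]))
    print("committed memory growth: %.0f bytes per call" % slope)
```

A slope near 65536 bytes per call that does not fall back after the probe exits matches the behaviour described above; a slope near zero means the machine is not affected.
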

 [2011-11-11 00:51 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2011-11-11 00:51 UTC] cataphract@php.net
I can't reproduce in Windows 7 64-bit (32-bit binaries). Are you able to test this on this OS?
 [2011-11-11 09:55 UTC] andreas dot ringlstetter at gmail dot com
I can't reproduce the bug on Windows 7 either, but it looks much like the memory 
leak is caused by the antivirus software running on the same machine (McAfee with 
active IPS, on-access scan and software firewall).

However, disabling those services is not an option and since every other 
script engine (tested perl, python, vbs and even java on this machine) is 
unaffected and those services are enforced by company guideline. This leads to 
the conclusion that there must be something about the way php starts or ends 
processes in Windows. Bug #42602 was only "fixed" by deactivating the software 
firewall on that system, but that is no solution on productive systems. This 
also means that this bug has existed since at least 2007.

This bug therefore causes a DoS vulnerability in any php application which makes 
use of exec() and is running on a Windows XP machine with McAfee as IPS 
solution, possibly other IPS solutions are also affected.
 [2011-11-11 09:55 UTC] andreas dot ringlstetter at gmail dot com
-Status: Feedback +Status: Open
 [2011-11-11 10:31 UTC] pajoye@php.net
Please report this problem to the author(s) of these services, as it is clearly 
not a PHP problem.
 [2011-11-11 10:31 UTC] pajoye@php.net
-Status: Open +Status: Bogus