php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60743 rmdir() with wincache triggers memory corruption and eventually php crash
Submitted: 2012-01-13 13:20 UTC Modified: 2012-01-22 19:47 UTC
Votes:20
Avg. Score:4.7 ± 0.7
Reproduced:18 of 19 (94.7%)
Same Version:12 (66.7%)
Same OS:16 (88.9%)
From: krejci at ped dot muni dot cz Assigned: ruslany
Status: Assigned Package: WinCache (PECL)
PHP Version: 5.3SVN-2012-01-12 (snap) OS: Windows Server 2008 R2 SP1
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-01-13 13:20 UTC] krejci at ped dot muni dot cz
Description:
------------
Using latest 5.3x nts snapshot r322018, wincache 1.2.1208.0, IIS 7.5

PHP (configured as NTS+FastCGI) crashes when updating extension files in typo3 while wincache is enabled. The crash php sript is typo3 script for updating typo3 modules. The problem happens when the script tries to update files that are cached by wincache. The updating script should report an error (permissions or directory not empty), but instead it crashes PHP. Tracked it down to rmdir() causing or triggering memory corruption. 
Full dump available on request.

WinCache 1.2.614 doesnt have this bug. Older wincache versions not tested.


Backtrace:
Function     Arg 1     Arg 2     Arg 3     Arg 4   Source 
php5!_zend_mm_alloc_int+55     00000039     019f73e8     019f73b4     0f3f3420   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\zend\zend_alloc.c @ 1835 
php_wincache!fcnotify_check+c1     019e4078     0f3f3420     019f73e4     019f73e8   f:\php-sdk\php53dev\vc9\x86\pecl\wincache\wincache_fcnotify.c @ 1090 + 6 
php_wincache!create_aplist_data+1f6     0f3f3420     0098c5fc     0185f108     00000000   f:\php-sdk\php53dev\vc9\x86\pecl\wincache\wincache_aplist.c @ 378 + 9 
php_wincache!aplist_getentry+13f     02c55bd3     0f3f3420     00000427     0098c63c   f:\php-sdk\php53dev\vc9\x86\pecl\wincache\wincache_aplist.c @ 1371 + d 
php_wincache!aplist_fcache_get+254     00000000     0f3f3420     00000000     0098c6b0   f:\php-sdk\php53dev\vc9\x86\pecl\wincache\wincache_aplist.c @ 1856 + d 
php_wincache!wincache_rmdir+cf     00000001     0f3ff0b0     00000000     00000000   f:\php-sdk\php53dev\vc9\x86\pecl\wincache\php_wincache.c @ 2682 + 1d 
php5!zend_do_fcall_common_helper_SPEC+74f     0bd73a70     0f38ad10     0bd73a70     000000a6   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\zend\zend_vm_execute.h @ 320 + 40 
php5!ZEND_DO_FCALL_SPEC_CONST_HANDLER+115     0098c778     0098da70     0098d818     00000000   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\zend\zend_vm_execute.h @ 1640 + d 
php5!execute+1f0     0bd3ede8     0098da70     00000000     00000000   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\zend\zend_vm_execute.h @ 107 + 8 
php5!zend_execute_scripts+be     00000008     00000000     00000003     00000000   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\zend\zend.c @ 1236 + d 
php5!php_execute_script+1e2     0098da70     00fea500     00000001     00000000   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\main\main.c @ 2308 + 10 
php_cgi!main+c0c     00000001     00b92c08     00b91a60     3a4ddd9c   d:\php-sdk\snap_5_3\vc9\x86\nts-windows-vc9-x86\sapi\cgi\cgi_main.c @ 2112 + a 
php_cgi!__tmainCRTStartup+10f     7efde000     0098fbc4     77609ef2     7efde000   f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586 + 17 
kernel32!BaseThreadInitThunk+e     7efde000     7536a6b7     00000000     00000000    
ntdll!__RtlUserThreadStart+70     00fe652a     7efde000     ffffffff     7769736f    
ntdll!_RtlUserThreadStart+1b     00fe652a     7efde000     00000000     00000000    

Exception Information
PHP5!_ZEND_MM_ALLOC_INT+55In php-cgi__PID__3980__Date__01_12_2012__Time_02_52_17PM__217__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5!_zend_mm_alloc_int+55 in C:\PHP53\php5.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x692f3a4b on thread 0



Test script:
---------------
memory corruption test script:
<?php
$removePath = 'C:/inetpub/wwwroot/test/automaketemplate/';
var_export($removePath);
echo("<br>");
rmdir($removePath);
var_export($removePath);
?>

the full crash script is not available, it is typo3 script to update cms module.
ie. http://localhost:80/typo3/mod/tools/em/index.php?CMD[importExt]=automaketemplate&CMD[extVersion]=0.1.3&CMD[loc]=L

the typo3 function importExtFromRep is at
http://phpxref.com/xref/typo3/typo3/mod/tools/em/class.em_index.php.source.html#l1612

Expected result:
----------------
'C:/inetpub/wwwroot/test/automaketemplate/'
'C:/inetpub/wwwroot/test/automaketemplate/'

+ PHP Error being reported


Actual result:
--------------
test script results:
'C:/inetpub/wwwroot/test/automaketemplate/'
'đéŃnetpub/wwwroot/test/automaketemplate/'

or:
'C:/inetpub/wwwroot/test/automaketemplate/'
'(đÔ' . "\0" . 'netpub/wwwroot/test/automaketemplate/'
etc.

+ PHP Crash with typo3 update script before PHP Error is reported

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-22 19:47 UTC] rasmus@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ruslany
 [2012-02-09 01:35 UTC] drewmeyer at 1parkplace dot com
I have experienced this as well with 1.2.1208 wincache extension and wordpress. When trying to update or install/remove plugins, it causes php to crash.

1.2.614 does not throw this error, but I have run in to problems with this version as well under moderate to heavy load, so hoping there will be a resolution to this mixup so we can update to the latest build.
 [2012-08-30 19:50 UTC] ohameiri at gmail dot con
also happned to me:
Win 2008R2, iis 7.5, wincache 1.3, PHP 5.4

HELP!
the only way to avoid this issue is to disable wincache al toghether, which is 
very bad for my performance-wise.

thanks !
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 05:03:21 2014 UTC