PHP :: Bug #61099 :: FPM - memory corruption in request parsing code

Bug #61099

FPM - memory corruption in request parsing code

Submitted:

2012-02-15 20:58 UTC

Modified:

2013-02-18 00:35 UTC

Votes:	4
Avg. Score:	3.2 ± 0.4
Reproduced:	0 of 0 (0.0%)

From:

socrtp at soclab dot pl

Assigned:

fat (profile)

Status:

No Feedback

Package:

FPM related

PHP Version:

5.3.10

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2012-02-15 20:58 UTC] socrtp at soclab dot pl

Description:
------------
I've found a bug in FPM code. Sometimes the worker process segfaults. I spent some time debugging it and now I'm able to reproduce this bug. Following data was collected on Debian Linux with PHP packages from dotdeb (www.dotdeb.org). I can test this on other distro with PHP compiled from sources if needed. PHP version used here is PHP 5.3.6, but the bug is also present in 5.3.10.

Configuration is simple, nginx redirects ^(.*)$ to /index.php/$1. The request looks like this:

http://ttt/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php

"ttt" is the vhost used for testing. The important things here are: exact size of query string, ".php" suffix. Next important thing is the freshness of php-fpm process. The process will always segfault when this request is the first request processed. Otherwise the process may survive the request - don't know whether it corrupts any data at affected pointer.

Also I know that my nginx configuration is buggy - nginx should call just index.php - but PHP process shouldn't segfault in any case.


php.ini that can be used to trigger the bug is the original php.ini-production with only one modification:

cgi.fix_pathinfo = 1

Modules loaded seems to have no influence on the bug.


ltrace from accepting the connection to crash: http://pastebin.com/UDuET7Sv

strace (contains full dump of data received from socket): http://pastebin.com/b1Ad9AAh


Backtrace (5.3.6):
#0  _zend_hash_add_or_update (ht=0x1fe79e8, arKey=0xb45047 "SCRIPT_NAME", nKeyLength=12, pData=0x7fff8598f1f0, nDataSize=8, pDest=0x7fff8598ee78, flag=7648604)
    at /usr/src/php5/source/php5-5.3.6/Zend/zend_hash.c:418
#1  0x000000000074b55c in fcgi_putenv (req=0x7fff8598f1f0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x1fe9538 "")
    at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fastcgi.c:1096
#2  0x0000000000753bc7 in main (argc=33455768, argv=0x1fe8d60) at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fpm_main.c:1255

Backtrace (5.3.10):
(gdb) bt
#0  _zend_hash_add_or_update (ht=0x279fb08, arKey=0xb4c7cb "SCRIPT_NAME", nKeyLength=12, pData=0x7fff1bd33ac0, nDataSize=8, pDest=0x7fff1bd33758, flag=7664444)
    at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:418
#1  0x000000000074f33c in fcgi_putenv (req=0x7fff1bd33ac0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x27a1560 "")
    at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fastcgi.c:1067
#2  0x0000000000759114 in main (argc=41549640, argv=0x27a0c90) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1189


Headers received by PHP process from nginx (extracted from strace dump):

QUERY_STRING
REQUEST_METHOD GET
CONTENT_TYPE
CONTENT_LENGTH
SCRIPT_NAME /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
REQUEST_URI /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_URI /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_ROOT /tmp/ttt
SERVER_PROTOCOL HTTP/1.1
HTTPS off
GATEWAY_INTERFACE CGI/1.1
SERVER_SOFTWARE nginx/1.0.12
REMOTE_ADDR 127.0.0.1
REMOTE_PORT 38004
SERVER_ADDR 127.0.0.1
SERVER_PORT 80
SERVER_NAME ttt
REDIRECT_STATUS 200
SCRIPT_FILENAME /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
PATH_INFO
PATH_TRANSLATED /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
SERVER_NAME ttt
HTTP_USER_AGENT curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
HTTP_HOST ttt
HTTP_PROXY_CONNECTION Keep-Alive

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-05-22 16:13 UTC] fat@php.net

-Assigned To: +Assigned To: fat

[2012-05-26 17:04 UTC] fat@php.net

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Can you please post your nginx configuration (don't forget to include fastcgi.conf 
if it's included in your configuration).

thx
++ Jerome

[2012-05-26 17:04 UTC] fat@php.net

-Status: Assigned +Status: Feedback

[2013-02-18 00:35 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jan 02 19:01:28 2025 UTC