php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61099 FPM - memory corruption in request parsing code
Submitted: 2012-02-15 20:58 UTC Modified: 2013-02-18 00:35 UTC
Votes:4
Avg. Score:3.2 ± 0.4
Reproduced:0 of 0 (0.0%)
From: socrtp at soclab dot pl Assigned: fat (profile)
Status: No Feedback Package: FPM related
PHP Version: 5.3.10 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-02-15 20:58 UTC] socrtp at soclab dot pl
Description:
------------
I've found a bug in FPM code. Sometimes the worker process segfaults. I spent some time debugging it and now I'm able to reproduce this bug. Following data was collected on Debian Linux with PHP packages from dotdeb (www.dotdeb.org). I can test this on other distro with PHP compiled from sources if needed. PHP version used here is PHP 5.3.6, but the bug is also present in 5.3.10.

Configuration is simple, nginx redirects ^(.*)$ to /index.php/$1. The request looks like this:

http://ttt/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php

"ttt" is the vhost used for testing. The important things here are: exact size of query string, ".php" suffix. Next important thing is the freshness of php-fpm process. The process will always segfault when this request is the first request processed. Otherwise the process may survive the request - don't know whether it corrupts any data at affected pointer.

Also I know that my nginx configuration is buggy - nginx should call just index.php - but PHP process shouldn't segfault in any case.


php.ini that can be used to trigger the bug is the original php.ini-production with only one modification:

cgi.fix_pathinfo = 1

Modules loaded seems to have no influence on the bug.


ltrace from accepting the connection to crash: http://pastebin.com/UDuET7Sv

strace (contains full dump of data received from socket): http://pastebin.com/b1Ad9AAh


Backtrace (5.3.6):
#0  _zend_hash_add_or_update (ht=0x1fe79e8, arKey=0xb45047 "SCRIPT_NAME", nKeyLength=12, pData=0x7fff8598f1f0, nDataSize=8, pDest=0x7fff8598ee78, flag=7648604)
    at /usr/src/php5/source/php5-5.3.6/Zend/zend_hash.c:418
#1  0x000000000074b55c in fcgi_putenv (req=0x7fff8598f1f0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x1fe9538 "")
    at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fastcgi.c:1096
#2  0x0000000000753bc7 in main (argc=33455768, argv=0x1fe8d60) at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fpm_main.c:1255

Backtrace (5.3.10):
(gdb) bt
#0  _zend_hash_add_or_update (ht=0x279fb08, arKey=0xb4c7cb "SCRIPT_NAME", nKeyLength=12, pData=0x7fff1bd33ac0, nDataSize=8, pDest=0x7fff1bd33758, flag=7664444)
    at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:418
#1  0x000000000074f33c in fcgi_putenv (req=0x7fff1bd33ac0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x27a1560 "")
    at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fastcgi.c:1067
#2  0x0000000000759114 in main (argc=41549640, argv=0x27a0c90) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1189


Headers received by PHP process from nginx (extracted from strace dump):

QUERY_STRING
REQUEST_METHOD GET
CONTENT_TYPE
CONTENT_LENGTH
SCRIPT_NAME /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
REQUEST_URI /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_URI /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_ROOT /tmp/ttt
SERVER_PROTOCOL HTTP/1.1
HTTPS off
GATEWAY_INTERFACE CGI/1.1
SERVER_SOFTWARE nginx/1.0.12
REMOTE_ADDR 127.0.0.1
REMOTE_PORT 38004
SERVER_ADDR 127.0.0.1
SERVER_PORT 80
SERVER_NAME ttt
REDIRECT_STATUS 200
SCRIPT_FILENAME /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
PATH_INFO
PATH_TRANSLATED /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
SERVER_NAME ttt
HTTP_USER_AGENT curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
HTTP_HOST ttt
HTTP_PROXY_CONNECTION Keep-Alive



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-22 16:13 UTC] fat@php.net
-Assigned To: +Assigned To: fat
 [2012-05-26 17:04 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Can you please post your nginx configuration (don't forget to include fastcgi.conf 
if it's included in your configuration).

thx
++ Jerome
 [2012-05-26 17:04 UTC] fat@php.net
-Status: Assigned +Status: Feedback
 [2013-02-18 00:35 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC