php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62972 APC 3.1.12 with apc.filters segfauls massively
Submitted: 2012-08-29 20:45 UTC Modified: 2012-08-30 08:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bof at bof dot de Assigned: ab (profile)
Status: Closed Package: APC (PECL)
PHP Version: Irrelevant OS: openSUSE 11.4 64bit
Private report: No CVE-ID: None
 [2012-08-29 20:45 UTC] bof at bof dot de
Description:
------------
(mistakenly reported on bug 62515, but not related, as I now see)

I encounter this problem with APC-3.1.12 on openSUSE 11.4 64bit, PHP 5.3.15 from 
OBS. Apache 2.2.17 from openSUSE 11.4 base, prefork.

As soon as I activate apc.filters and run some requests - requesing apc.php 
itself suffices, I see segfauls, and regularly glibc double-free reports as 
shown below (abbreviated).

APC-3.1.11 worked fine when trying, so I compared, and found the added pefree 
calls in apc.c apc_regex_destroy_array() to be the cause of the problem.

The attached patch reverts that function to the APC-3.1.11 state.

If I'm not mistaken, the problem stems from the fact that the PHP pcre library 
internally caches all compiled regexpen, returning the cached regexp whenever 
the same string is requested again.

APC compiles the same regexp source anew for each request. But PHP pcre returns 
the internally cached compiled regex. When it is destroyed at request exit time,  
by these pefree calls (really direct free()), the PHP pcre cache does not take 
notice. At the next request in the same process APC receives the already freed 
compiled regex pointer, which is already a problem with arbitrary consequences, 
but then at second-request-exit frees it again -> double free from glibc.



Test script:
---------------
Not applicable / happens with any script called multiple times in the described setup

Expected result:
----------------
No segfaults

Actual result:
--------------
[Wed Aug 29 21:00:52 2012] [notice] child pid 24852 exit signal Aborted (6)
*** glibc detected *** /usr/sbin/httpd2-prefork: double free or corruption 
(!prev): 0x00007f75673324f0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x733b6)[0x7f7565e1a3b6]
/lib64/libc.so.6(cfree+0x6c)[0x7f7565e1f2dc]
/usr/lib64/apache2/mod_php5.so(+0x4666b1)[0x7f7561c826b1]
/usr/lib64/apache2/mod_php5.so(zend_hash_clean+0x73)[0x7f7561de07e3]
/usr/lib64/apache2/mod_php5.so(pcre_get_compiled_regex_cache+0x4c6)
[0x7f7561c83126]
/usr/lib64/apache2/mod_php5.so(pcre_get_compiled_regex+0x2b)[0x7f7561c831eb]
/usr/lib64/php5/extensions/apc.so(apc_regex_compile_array+0x6ab)[0x7f755dbac17b]
/usr/lib64/php5/extensions/apc.so(apc_request_init+0xa2)[0x7f755dbb6be2]
/usr/lib64/php5/extensions/apc.so(+0xb8c5)[0x7f755dbac8c5]

Patches

apc-3.1.12-regex-no-pefree.patch (last revision 2012-08-29 20:46 UTC by bof at bof dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-29 21:45 UTC] ab@php.net
Automatic comment from SVN on behalf of ab
Revision: http://svn.php.net/viewvc/?view=revision&revision=327370
Log: deactivate this piece of code as suggested in bug #62972, more tests to go
 [2012-08-30 08:17 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2012-08-30 08:17 UTC] laruence@php.net
seems the codes has already be reverted by ab :) close this
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Aug 18 23:01:26 2019 UTC