Bug #66150 SOAP WSDL cache race condition causes Segmentation Fault
Submitted: 2013-11-22 17:12 UTC Modified: -
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:3 (100.0%)
From: askalski at gmail dot com Assigned:
Status: Closed Package: SOAP related
PHP Version: master-Git-2013-11-22 (Git) OS: Linux
Private report: No CVE-ID: None
 [2013-11-22 17:12 UTC] askalski at gmail dot com
Description:
------------
The SOAP module does not write out the WSDL cache files atomically (temp file + rename.)  Thus a race condition exists where if another process attempts to read the partially written cache file, a Segmentation Fault occurs in get_sdl_from_cache.


Test script:
---------------
The issue is easiest to reproduce with a large WSDL file, on a multi-core machine with relatively slow disks.  (Don't point your WSDL cache directory at a tmpfs or SSD filesystem.)

Download the following files into the script directory before testing:

http://www.paypalobjects.com/wsdl/PayPalSvc.wsdl
http://www.paypalobjects.com/wsdl/CoreComponentTypes.xsd
http://www.paypalobjects.com/wsdl/eBLBaseComponents.xsd
http://www.paypalobjects.com/wsdl/EnhancedDataTypes.xsd

<?php
// Expire cached WSDL entries after one second so the cache is rebuilt
// continuously while the stress tool hammers this script.
ini_set("soap.wsdl_cache_ttl", "1");
// Constructing the client parses the WSDL and reads or rewrites the cache file.
$s = new SoapClient("PayPalSvc.wsdl");
?>

Use Apache Bench or other stress testing tool to hit the test script with concurrency.  Watch the error logs for the segmentation faults:
$ ab -k -n20000 -c20 http://localhost/path/to/soap-test-script.php


Expected result:
----------------
No segmentation fault.  PHP should write to a temporary file, and use rename() to replace the cache file when finished.  There should be some protection against stampedes -- other concurrent processes should be able to use the old cache file (if it exists) while it is being rebuilt.


Actual result:
--------------
Two example gdb backtraces follow (line numbers refer to php-src git commit id 7f0d637de4b0fe169dcae4437a86077ece3e3acd):

(gdb) bt 5
#0  memcpy () at ../sysdeps/x86_64/memcpy.S:399
#1  0x00007f66fe9c07af in sdl_deserialize_string (in=0x7fff9a94d650) at /home/askalski/php-src/ext/soap/php_sdl.c:1208
#2  0x00007f66fe9c5470 in sdl_deserialize_type (type=0x7f671082dac8, types=0x7f67094994b0, encoders=0x7f67107c4be0, 
    in=0x7fff9a94d650) at /home/askalski/php-src/ext/soap/php_sdl.c:1326
#3  0x00007f66fe9c55cc in sdl_deserialize_type (type=0x7f67107c0ab8, types=0x7f67094994b0, encoders=0x7f67107c4be0, 
    in=0x7fff9a94d650) at /home/askalski/php-src/ext/soap/php_sdl.c:1378
#4  0x00007f66fe9cbeef in get_sdl_from_cache (this_ptr=<value optimized out>, 
    uri=0x7f670937d240 "http://127.0.10.1/~askalski/soap/PayPalSvc.wsdl", cache_wsdl=<value optimized out>)
    at /home/askalski/php-src/ext/soap/php_sdl.c:1642
(More stack frames follow...)

(gdb) bt 5
#0  0x00007f66fe9c54ec in sdl_deserialize_type (type=0x7f671090a8c0, types=0x7f67107e2ad0, encoders=0x7f67107efc78, 
    in=0x7fff9a94d650) at /home/askalski/php-src/ext/soap/php_sdl.c:1335
#1  0x00007f66fe9c55cc in sdl_deserialize_type (type=0x7f67094a32a8, types=0x7f67107e2ad0, encoders=0x7f67107efc78, 
    in=0x7fff9a94d650) at /home/askalski/php-src/ext/soap/php_sdl.c:1378
#2  0x00007f66fe9cbeef in get_sdl_from_cache (this_ptr=<value optimized out>, 
    uri=0x7f670937d240 "http://127.0.10.1/~askalski/soap/PayPalSvc.wsdl", cache_wsdl=<value optimized out>)
    at /home/askalski/php-src/ext/soap/php_sdl.c:1642
#3  get_sdl (this_ptr=<value optimized out>, uri=0x7f670937d240 "http://127.0.10.1/~askalski/soap/PayPalSvc.wsdl", 
    cache_wsdl=<value optimized out>) at /home/askalski/php-src/ext/soap/php_sdl.c:3251
#4  0x00007f66fe99bcdd in zim_SoapClient_SoapClient (ht=1, return_value=<value optimized out>, 
    return_value_ptr=<value optimized out>, this_ptr=0x7f67094993e0, return_value_used=<value optimized out>)
    at /home/askalski/php-src/ext/soap/soap.c:2520
(More stack frames follow...)
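The atomic write the report asks for, as an added example written for this page and not code from php-src or from the fix commit: the new content goes to a sibling temp file created with mkstemp, is fsynced, and is then renamed over the target, so a concurrent reader sees either the complete old file or the complete new file. The in-place pattern is shown beside it for contrast; both demos deliberately pause the writer halfway and let a reader run. File names, the sample cache contents and the 8-byte pause point are constructed for the example.

```c
/* Constructed example: atomic cache-file replacement (temp file + rename)
 * versus the in-place write the report describes. Not php-src code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write every byte of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Read a whole file into a malloc'd buffer; NULL on error. */
static char *read_whole_file(const char *path, size_t *out_len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {                       /* grow; keeps room for the next read */
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    fclose(f);
    *out_len = len;
    return buf;
}

/* A pending replacement: bytes go to a sibling temp file; the target is
 * untouched until commit renames the temp file over it. */
struct pending { int fd; char *tmp; };

static int replace_begin(const char *path, struct pending *p) {
    size_t plen = strlen(path);
    p->tmp = malloc(plen + sizeof ".XXXXXX");
    if (!p->tmp) return -1;
    memcpy(p->tmp, path, plen);
    memcpy(p->tmp + plen, ".XXXXXX", sizeof ".XXXXXX");
    p->fd = mkstemp(p->tmp);               /* mode 0600, same directory => same filesystem */
    if (p->fd < 0) { free(p->tmp); return -1; }
    return 0;
}

static void replace_abort(struct pending *p) { close(p->fd); unlink(p->tmp); free(p->tmp); }

static int replace_commit(struct pending *p, const char *path) {
    int ok = fsync(p->fd) == 0;            /* durable before it becomes visible */
    if (close(p->fd) != 0) ok = 0;
    if (ok && rename(p->tmp, path) != 0) ok = 0;   /* the atomic step */
    if (!ok) unlink(p->tmp);
    free(p->tmp);
    return ok ? 0 : -1;
}

static int atomic_replace(const char *path, const char *buf, size_t len) {
    struct pending p;
    if (replace_begin(path, &p)) return -1;
    if (write_all(p.fd, buf, len)) { replace_abort(&p); return -1; }
    return replace_commit(&p, path);
}

/* The pattern the report describes: truncate the target, then fill it in place.
 * A reader arriving while the writer is paused halfway sees a truncated file.
 * Returns the byte count the reader observed (8, not the full 18). */
long demo_in_place(const char *path) {
    const char data[] = "NEW-CACHE-COMPLETE";      /* constructed sample content */
    FILE *f = fopen(path, "wb");                    /* target truncated immediately */
    if (!f) return -1;
    fwrite(data, 1, 8, f); fflush(f);               /* writer pauses after 8 bytes */
    size_t seen = 0; char *got = read_whole_file(path, &seen);
    int ok = got != NULL; free(got);
    fwrite(data + 8, 1, sizeof data - 1 - 8, f); fclose(f); unlink(path);
    return ok ? (long)seen : -1;
}

/* Same interleaving with temp file + rename: the reader gets the complete old
 * file while the new one is half written, and the complete new one after the
 * rename. Returns 0 when both observations are correct. */
int demo_atomic(const char *path) {
    const char old_c[] = "OLD-CACHE-COMPLETE", new_c[] = "NEW-CACHE-COMPLETE-LONGER";
    if (atomic_replace(path, old_c, sizeof old_c - 1)) return -1;
    struct pending p;
    if (replace_begin(path, &p)) return -1;
    if (write_all(p.fd, new_c, 8)) { replace_abort(&p); return -1; }   /* half written */
    size_t len = 0; char *got = read_whole_file(path, &len);           /* reader runs now */
    int ok = got && len == sizeof old_c - 1 && memcmp(got, old_c, len) == 0;
    free(got);
    if (write_all(p.fd, new_c + 8, sizeof new_c - 1 - 8)) { replace_abort(&p); return -1; }
    if (replace_commit(&p, path)) return -1;
    got = read_whole_file(path, &len);
    ok = ok && got && len == sizeof new_c - 1 && memcmp(got, new_c, len) == 0;
    free(got); unlink(path);
    return ok ? 0 : -1;
}
```

Because the old file stays readable until the rename, the stampede concern in the expected result is covered as well: processes that arrive during a rebuild keep using the previous complete cache rather than a half-written one. The temp file is created next to the target on purpose, since rename() is only atomic within one filesystem.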


History
 [2023-10-19 16:36 UTC] git@php.net
Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/43e63168e920af5ba504c6b8e98678b9dc6a991e
Log: Fix bug #66150: SOAP WSDL cache race condition causes Segmentation Fault
 [2023-10-19 16:36 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 04 18:01:28 2024 UTC