Bug #67466 Mapping error during startup leads to unpredictable AV in opcode cache
Submitted: 2014-06-18 15:37 UTC Modified: 2014-06-25 14:14 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: ericsten@php.net Assigned: ericsten (profile)
Status: Closed Package: WinCache (PECL)
PHP Version: 5.4.29 OS: Windows
Private report: No CVE-ID: None
 [2014-06-18 15:37 UTC] ericsten@php.net
Description:
------------
Problem:
Two processes race in to create the cross-process, shared memory map for the opcode cache. During initialization of that memory mapped file, there's an error that leaves partial information about the memory mapped file in a different chunk of cross-process, shared memory used to figure out where Wincache mapped things (php_wincache!filemap_global_context). This partial information guarantees that all Wincache instances will attempt to map the opcode cache at different addresses. The failures may not be instantaneous, since some processes might "accidentally" map their opcode cache at the same address as a majority of other instances.
  
Fix:
Detect this failure, and clear out the (now invalid) filemap_global_context entry, so other processes don't accidentally use the entry.

Expected result:
----------------
No AV

Actual result:
--------------
AV deref'ing a zend_op_array in an address not mapped to the current process.
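
The failure path and fix described in this report, modeled as an added example (not WinCache source and not part of the original report). The table layout, `create_map`, `lookup_base` and the `clear_on_error` switch are hypothetical names, and cross-process locking is left out:

```c
/* Constructed model of the failure path; not WinCache source code.
   All type and function names here are hypothetical. */
#include <stdint.h>
#include <string.h>

#define MAX_MAPS 4

/* One record in the shared table that tells every process where a map lives. */
typedef struct {
    int       in_use;     /* slot claimed by a creator */
    int       map_id;     /* which cache this record describes */
    uintptr_t base_addr;  /* address all processes are expected to map at */
} map_entry;
typedef struct { map_entry slots[MAX_MAPS]; } global_ctx;

/* Stand-in for initializing the mapped file; init_fails simulates the error. */
static int init_mapping(uintptr_t addr, int init_fails)
{ (void)addr; return init_fails ? -1 : 0; }

/* Creator path: claim a slot, record the address, then initialize the map.
   With clear_on_error set, a failed init wipes the record again. */
int create_map(global_ctx *ctx, int map_id, uintptr_t addr,
               int init_fails, int clear_on_error)
{
    map_entry *e = NULL;
    for (int i = 0; i < MAX_MAPS && e == NULL; i++)
        if (!ctx->slots[i].in_use)
            e = &ctx->slots[i];
    if (e == NULL) return -1;           /* table full */
    e->in_use = 1;
    e->map_id = map_id;
    e->base_addr = addr;
    if (init_mapping(addr, init_fails) != 0) {
        if (clear_on_error)
            memset(e, 0, sizeof(*e));   /* drop the now-invalid record */
        return -1;
    }
    return 0;
}

/* Attacher path: the address a later process would trust for map_id (0 = none). */
uintptr_t lookup_base(const global_ctx *ctx, int map_id)
{
    for (int i = 0; i < MAX_MAPS; i++)
        if (ctx->slots[i].in_use && ctx->slots[i].map_id == map_id)
            return ctx->slots[i].base_addr;
    return 0;
}
```

Without the cleanup, the record from the failed attempt outlives the map it described, so a later lookup returns an address that a retried creation never used.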

History

 [2014-06-18 15:37 UTC] ericsten@php.net
-Assigned To: +Assigned To: ericsten
 [2014-06-20 16:51 UTC] ericsten@php.net
Automatic comment from SVN on behalf of ericsten
Revision: http://svn.php.net/viewvc/?view=revision&revision=333880
Log: PHP 5.6 RC1 build
BUG #67466: Mapping error during startup leads to unpredictable AV in opcode cache
 [2014-06-25 14:14 UTC] ericsten@php.net
-Status: Assigned +Status: Closed
 [2014-06-25 14:14 UTC] ericsten@php.net
Confirmed SVN 333880 fixes customer issue.
 [2014-07-02 21:41 UTC] mattficken@php.net
BTW, when Opcache detects the equivalent of this condition, it produces the 'unable to reattach to base address' error message and then exits.

When Opcache detects this condition, it should replace the file (at least for that PHP process), which is what this patch to Wincache does (code looks different b/c Wincache can have multiple memory mapped files, while Opcache only has 1).

If Wincache can fix this issue this way, so can Opcache.
 
Last updated: Fri Mar 29 15:01:28 2024 UTC