Bug #68571 core dump when webserver close the socket
Submitted: 2014-12-09 06:40 UTC Modified: -
From: redfoxli069 at gmail dot com Assigned:
Status: Closed Package: FPM related
PHP Version: 5.5.19 OS: linux
Private report: No CVE-ID:
 [2014-12-09 06:40 UTC] redfoxli069 at gmail dot com
Description:
------------
There are several conditions under which the core dump occurs:
1. Don't use error_log in php.ini.
2. A lot of stderr log output is generated.
3. The webserver closes the socket after sending the request (a request timeout will lead to this action).



Test script:
---------------
<?php
  for($i = 0; $i < 70000; ++$i)
  {  
     strpos("", "");
  } 

Actual result:
--------------
core dumped 
backtrace is here:

#0  fcgi_write (req=0x7fff41f48230, type=FCGI_STDERR,                                                                                                                                                         
    str=0xe41fa0 "PHP message: PHP Warning:  strpos(): Empty needle in /xxxx/test/index.php on line 13\n", len=116)
    at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/fastcgi.c:910
910             req->out_hdr->type = type;
(gdb) bt
#0  fcgi_write (req=0x7fff41f48230, type=FCGI_STDERR,
    str=0xe41fa0 "PHP message: PHP Warning:  strpos(): Empty needle in /xxxx/test/index.php on line 13\n", len=116)
    at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/fastcgi.c:910
#1  0x000000000076a6b3 in sapi_cgi_log_fastcgi (level=Variable "level" is not available.
) at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/fpm_main.c:675
#2  0x00000000007728f4 in zlog_ex (function=0xab3c50 "sapi_cgi_log_message", line=685, flags=2, fmt=0xab3163 "PHP message: %s")
    at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/zlog.c:119
#3  0x0000000000657d3d in php_log_err (
    log_message=0x7fa6314bee00 "PHP Warning:  strpos(): Empty needle in /xxxx/test/index.php on line 13")
    at /xxxx/code/php/php-5.5.19/main/main.c:661
#4  0x0000000000658b49 in php_error_cb (type=2, error_filename=0x7fa6314beca0 "/xxxx/test/index.php", error_lineno=13,
    format=Variable "format" is not available.
) at /xxxx/code/php/php-5.5.19/main/main.c:1074
#5  0x00000000006bc2bc in zend_error (type=2, format=0xa9854e "%s") at /xxxx/code/php/php-5.5.19/Zend/zend.c:1131
#6  0x00000000006580d8 in php_verror (docref=0x7fa63148c290 "strpos(): Empty needle", params=0xa7250a "", type=2, format=Variable "format" is not available.
)
    at /xxxx/code/php/php-5.5.19/main/main.c:870
#7  0x00000000006584af in php_error_docref0 (docref=Variable "docref" is not available.
) at /xxxx/code/php/php-5.5.19/main/main.c:882
#8  0x000000000061e43d in zif_strpos (ht=Variable "ht" is not available.
) at /xxxx/code/php/php-5.5.19/ext/standard/string.c:1834
#9  0x00000000006e7a68 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fa63148c688)
    at /xxxx/code/php/php-5.5.19/Zend/zend_vm_execute.h:550
#10 0x00000000006e66b8 in execute_ex (execute_data=0x7fa63148c688) at /xxxx/code/php/php-5.5.19/Zend/zend_vm_execute.h:363
#11 0x00000000006bd0cf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /xxxx/code/php/php-5.5.19/Zend/zend.c:1330
#12 0x000000000065aed8 in php_execute_script (primary_file=0x7fff41f4a280) at /xxxx/code/php/php-5.5.19/main/main.c:2506
#13 0x000000000076b95b in main (argc=0, argv=Variable "argv" is not available.
) at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/fpm_main.c:1949
(gdb) f 0 
#0  fcgi_write (req=0x7fff41f48230, type=FCGI_STDERR,
    str=0xe41fa0 "PHP message: PHP Warning:  strpos(): Empty needle in /xxxx/test/index.php on line 13\n", len=116)
    at /xxxx/code/php/php-5.5.19/sapi/fpm/fpm/fastcgi.c:910
910             req->out_hdr->type = type;
(gdb) ptype req 
type = struct _fcgi_request {
    int listen_socket;
    int fd; 
    int id; 
    int keep;
    int closed;
    int in_len;
    int in_pad;
    fcgi_header *out_hdr;
    unsigned char *out_pos;
    unsigned char out_buf[8192];
    unsigned char reserved[16];
    HashTable *env;
} *
(gdb) p *req         
$1 = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x7fff41f4b000,
  out_pos = 0x7fff41f4b000 <Address 0x7fff41f4b000 out of bounds>,
  out_buf = "\001\a\000\001\037鳿000\000/lihongbin/test/index.php on line 13\nPHP message: PHP Warning:  strpos(): Empty needle in /xxxx/test/index.php on line 13\nPHP message: PHP Warning"..., reserved = "
\001\a\000\001\000\000\000\000\001\a\000\001\000\000\000",
  env = 0x1000701}
(gdb) p (req->out_pos - req->out_buf)
$2 = 11680
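
The gdb session above shows `out_pos` 11680 bytes past the start of the 8192-byte `out_buf`, which is the broken invariant behind the crash at `fastcgi.c:910`. As an added example (not code from php-src or from the fix for this bug), the sketch below models a buffered writer of the same shape and keeps that invariant when flushing fails; `struct out_req`, `req_invariant_ok`, `req_write` and the flush callbacks are hypothetical names, and it assumes flushes start failing once the web server has closed the socket.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define OUT_BUF_SIZE 8192   /* size of out_buf in the ptype output */

/* Hypothetical, reduced model of a request's output side (not php-src code). */
struct out_req {
    int closed;                        /* set once the peer is known to be gone */
    unsigned char *out_pos;            /* next free byte in out_buf */
    unsigned char out_buf[OUT_BUF_SIZE];
    int (*flush)(struct out_req *);    /* 0 on success, -1 if the socket is dead */
};
/* Invariant: out_buf <= out_pos <= out_buf + OUT_BUF_SIZE. */
int req_invariant_ok(const struct out_req *r) {
    uintptr_t base = (uintptr_t)r->out_buf, pos = (uintptr_t)r->out_pos;
    return pos >= base && pos - base <= OUT_BUF_SIZE;
}

/* Buffered write that never moves out_pos past the buffer.
 * Returns the bytes accepted, or -1 once the request is closed. */
long req_write(struct out_req *r, const char *str, size_t len) {
    size_t done = 0;
    if (r->closed || !req_invariant_ok(r)) return -1;
    while (done < len) {
        size_t room = OUT_BUF_SIZE - (size_t)(r->out_pos - r->out_buf);
        if (room == 0) {
            int rc = r->flush(r);
            r->out_pos = r->out_buf;   /* reset even when the flush failed */
            if (rc != 0) { r->closed = 1; return -1; }
            continue;
        }
        size_t n = len - done < room ? len - done : room;
        memcpy(r->out_pos, str + done, n);
        r->out_pos += n; done += n;
    }
    return (long)done;
}

/* Constructed flush callbacks: a healthy peer and one that closed the socket. */
int flush_ok(struct out_req *r)   { (void)r; return 0; }
int flush_dead(struct out_req *r) { (void)r; return -1; }

int main(void) {
    static struct out_req r = { .flush = flush_dead };
    const char *msg = "PHP message: PHP Warning:  strpos(): Empty needle\n";
    r.out_pos = r.out_buf;
    /* Same volume of warnings as the test script in the report. */
    for (int i = 0; i < 70000; i++) req_write(&r, msg, strlen(msg));
    printf("closed=%d invariant_ok=%d\n", r.closed, req_invariant_ok(&r));
    return 0;
}
```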

 [2014-12-12 05:37 UTC] redfoxli069 at gmail dot com
PR is here:
https://github.com/php/php-src/pull/948
 [2015-01-27 14:15 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c2d91761aaa3b7b25c70df4d2320f85e9322e79
Log: Also Fixed #68571 in CGI SAPI, and some cleanup
 [2015-01-27 14:15 UTC] laruence@php.net
-Status: Open +Status: Closed