Bug #69406 PHP crashes with 0xC00000005 (EACCESS): dangling pointer and double free?
Submitted: 2015-04-09 08:46 UTC Modified: 2015-05-03 04:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: jan dot starke at t-systems dot com Assigned: yohgaki (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.6.7 OS: Windows
Private report: No CVE-ID: None
 [2015-04-09 08:46 UTC] jan dot starke at t-systems dot com
Description:
------------
Preconditions:
 - PHP running in IIS using FastCGI
 - error_log is set to "syslog"
 - session.save_path points to a directory to which the application pool user doesn't have write access


Test script:
---------------
<?php
// Minimal reproducer: start a session with an unwritable save_path, then emit phpinfo().
session_start();
phpinfo();
?>

Expected result:
----------------
accessing the page should do:
 - report an error, such as "php[6288] PHP Warning:  session_start(): open(D:\sessions\sess_2bpr1lnu59pc559ng7dm0onau3, O_RDWR) failed: Permission denied (13) in [...]"
 - display the result of phpinfo()

Actual result:
--------------
On every first of two requests, php behaves as expected. On every second request, PHP:
 - logs a part of the response in the expected event entry, just before " session_start(): "

This looks like a dangling pointer, which should point to the name of the currently executed PHP function but actually points to an arbitrary place in the Zend heap. Possibly someone forgot to zero a pointer variable after freeing the memory it pointed to?

 - PHP crashes with 0xc0000005, the callstack is the following:
>	php5.dll!_efree(void * ptr=0x010aa660) Zeile 2440	C
 	php5.dll!closelog() Zeile 70	C
 	php5.dll!php_request_shutdown(void * dummy=0x00000000) Zeile 1854	C
 	php-cgi.exe!main(int argc=0x00000001, char * * argv=0x00bcafb0) Zeile 2508	C
 	php-cgi.exe!__tmainCRTStartup() Zeile 536	C


The error message is: "Unbehandelte Ausnahme bei 0x6DAE5189 (php5.dll) in php-cgi.exe_150318_151707.dmp: 0xC0000005: Zugriffsverletzung beim Lesen an Position 0x717418CC"

It seems the memory which is to be freed has already been freed before, but the pointer has not been set to NULL. A similar problem to the one above?
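As an added illustration, not code from this report or from php-src, the following C model shows the defect class described above and the shape of the fix applied later in the thread: a per-request struct holding two heap pointers, with the close routine written the patched way (pointer reset right after free), so a second close during request shutdown releases nothing instead of handing the same block to free() again. The struct, function names and sample values are constructed; the model also resets basedir, which the actual patch does not.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the session module's per-request state:
 * two heap pointers, both released by the close routine. */
typedef struct {
    char *lastkey;   /* last session id read, or NULL */
    char *basedir;   /* copy of session.save_path */
} ps_files_model;

static ps_files_model *ps_files_model_open(const char *save_path) {
    ps_files_model *data = calloc(1, sizeof *data);
    if (data) data->basedir = strdup(save_path);
    return data;
}

static void ps_files_model_read(ps_files_model *data, const char *key) {
    free(data->lastkey);          /* release any earlier key first */
    data->lastkey = strdup(key);
}

/* Close written the patched way: each pointer is reset right after it is
 * freed, so calling close again releases nothing instead of passing the
 * same block to free() twice. Returns how many blocks were freed. */
static int ps_files_model_close(ps_files_model *data) {
    int released = 0;
    if (data->lastkey) {
        free(data->lastkey);
        data->lastkey = NULL;     /* the line the patch adds */
        released++;
    }
    if (data->basedir) {
        free(data->basedir);
        data->basedir = NULL;     /* same treatment; not in the patch itself */
        released++;
    }
    return released;
}

/* One simulated request: open, read a session, then close twice, as when
 * the module closes and request shutdown closes again. Returns
 * first_count * 10 + second_count; the idempotent close yields 20. */
static int simulate_request(void) {
    ps_files_model *data = ps_files_model_open("D:\\sessions");
    ps_files_model_read(data, "sess_constructed_example");
    int first = ps_files_model_close(data);
    int second = ps_files_model_close(data);
    free(data);
    return first * 10 + second;
}
```

Without the two NULL assignments the second close would call free() on already-released blocks, which is the double free the crash report points at; with them it is a harmless no-op.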


History
 [2015-04-09 09:40 UTC] jan dot starke at t-systems dot com
-: jan dot starke at t-systems dot om +: jan dot starke at t-systems dot com
 [2015-04-09 09:40 UTC] jan dot starke at t-systems dot com
fixed typo in my email address, sorry
 [2015-04-10 09:33 UTC] laruence@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-04-10 09:33 UTC] laruence@php.net
yohgaki, could you please take care of this?
 [2015-04-24 06:59 UTC] yohgaki@php.net
I couldn't reproduce the crash with an invalid save_path setting, but this is a possible patch. It does not do any harm, so I may commit it and see if it works.

[yohgaki@dev github-php-src]$ git diff
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index 195104f..9dbe507 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -325,6 +325,7 @@ PS_CLOSE_FUNC(files)
 
        if (data->lastkey) {
                efree(data->lastkey);
+               data->lastkey = NULL;
        }
 
        efree(data->basedir);
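Review bot: resetting `data->lastkey` to NULL after `efree(data->lastkey)` makes PS_CLOSE_FUNC(files) safe to reach twice for the same `data`, but the `efree(data->basedir);` immediately following the hunk gets no such reset; if the struct can outlive this call, `basedir` is left dangling in exactly the way `lastkey` was, so consider adding `data->basedir = NULL;` alongside it. Note also that the reported crash stack is `_efree` inside `closelog()` called from `php_request_shutdown`, i.e. the syslog error_log path rather than this module, so the fix should be confirmed against that trace rather than assumed to cover it.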
 [2015-04-24 07:11 UTC] yohgaki@php.net
-Status: Assigned +Status: Feedback
 [2015-04-24 07:11 UTC] yohgaki@php.net
Applied from PHP-5.5 up to master.

https://github.com/php/php-src/commit/e881017a7556061a8cff084bc823319270d4044e

@jan, when you could test how it goes, please update this bug report.
Thank you.
 [2015-05-03 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-05-04 08:09 UTC] jan dot starke at t-systems dot com
We're still investigating this issue. I will reactivate this ticket when we have found something new...

Regards, Jan