Bug #69823 PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded
Submitted: 2015-06-13 21:36 UTC Modified: 2015-06-14 04:27 UTC
From: andy at webtatic dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0alpha1 OS: CentOS 7
Private report: No CVE-ID:
 [2015-06-13 21:36 UTC] andy at webtatic dot com
Description:
------------
When 33 extensions are loaded (either dynamic or static), PHP 7.0.0alpha1 segmentation faults.

This doesn't appear to be any combination of 33 extensions.

gdb gives the following error:
Program received signal SIGSEGV, Segmentation fault.
zend_startup_module_ex (module=0xa) at /home/vagrant/rpmbuild/BUILD/test/Zend/zend_API.c:1818
1818		if (module->module_started)

and backtrace:
(gdb) backtrace
#0  zend_startup_module_ex (module=0xa) at /home/vagrant/rpmbuild/BUILD/test/Zend/zend_API.c:1818
#1  0x00000000005eb499 in zend_hash_apply (ht=ht@entry=0xa7ede0 <module_registry>, apply_func=apply_func@entry=0x5de100 <zend_startup_module_zval>)
    at /home/vagrant/rpmbuild/BUILD/test/Zend/zend_hash.c:1434
#2  0x00000000005de3aa in zend_startup_modules () at /home/vagrant/rpmbuild/BUILD/test/Zend/zend_API.c:1986
#3  0x000000000057d34e in php_module_startup (sf=<optimized out>, additional_modules=additional_modules@entry=0x0, num_additional_modules=num_additional_modules@entry=0)
    at /home/vagrant/rpmbuild/BUILD/test/main/main.c:2198
#4  0x0000000000661b9d in php_cli_startup (sapi_module=<optimized out>) at /home/vagrant/rpmbuild/BUILD/test/sapi/cli/php_cli.c:419
#5  0x0000000000428260 in main (argc=1, argv=0xa824f0) at /home/vagrant/rpmbuild/BUILD/test/sapi/cli/php_cli.c:1314

Test script:
---------------
./configure --disable-phpdbg --libdir=/usr/lib64/php --without-readline --with-libedit --cache-file=../config.cache \
    --with-libdir=lib64 \
    --with-config-file-path=/etc \
    --with-config-file-scan-dir=/etc/php.d \
    --disable-debug \
    --with-pic \
    --disable-rpath \
    --without-pear \
    --with-freetype-dir=/usr \
    --with-png-dir=/usr \
    --with-xpm-dir=/usr \
    --enable-gd-native-ttf \
    --without-gdbm \
    --with-jpeg-dir=/usr \
    --with-openssl \
    --with-pcre-regex \
    --with-zlib \
    --with-layout=GNU \
    --with-kerberos \
    --with-libxml-dir=/usr \
    --with-mhash \
    --enable-dtrace \
    --with-imap=shared --with-imap-ssl \
      --enable-mbstring=shared \
      --enable-mbregex \
      --with-gd=shared \
      --with-gmp=shared \
      --enable-calendar=shared \
      --enable-bcmath=shared \
      --with-bz2=shared \
      --enable-ctype=shared \
      --enable-dba=shared --with-db4=/usr \
      --enable-exif=shared \
      --enable-ftp=shared \
      --with-gettext=shared \
      --with-iconv=shared \
      --enable-sockets=shared \
      --enable-tokenizer=shared \
      --with-xmlrpc=shared \
      --with-ldap=shared --with-ldap-sasl \
      --enable-mysqlnd=shared \
      --with-mysqli=shared,mysqlnd \
      --with-interbase=shared,/usr/lib64/firebird \
      --with-pdo-firebird=shared,/usr/lib64/firebird \
      --enable-dom=shared \
      --with-pgsql=shared \
      --enable-simplexml=shared \
      --enable-xml=shared \
      --enable-wddx=shared \
      --with-snmp=shared,/usr \
      --enable-soap=shared \
      --with-xsl=shared,/usr \
      --enable-xmlreader=shared --enable-xmlwriter=shared \
      --with-curl=shared,/usr \
      --enable-pdo=shared \
      --with-pdo-odbc=shared,unixODBC,/usr \
      --with-pdo-mysql=shared,mysqlnd \
      --with-pdo-pgsql=shared,/usr \
      --with-pdo-sqlite=shared,/usr \
      --with-pdo-dblib=shared,/usr \
      --with-sqlite3=shared,/usr \
      --enable-json=shared \
      --enable-zip=shared \
      --with-pspell=shared \
      --enable-phar=shared \
      --with-mcrypt=shared,/usr \
      --with-tidy=shared,/usr \
      --enable-sysvmsg=shared --enable-sysvshm=shared --enable-sysvsem=shared \
      --enable-shmop=shared \
      --enable-posix=shared \
      --with-unixODBC=shared,/usr \
      --enable-fileinfo=shared \
      --enable-intl=shared \
      --with-icu-dir=/usr \
      --with-enchant=shared,/usr \
      --enable-opcache
make
sudo make install

sudo cp php.ini-production /etc/php.ini
sudo mkdir -p /etc/php.d

# One <name>.ini per shared extension; the scan dir only reads files ending in .ini.
# The names follow the [PHP Modules] list under "Expected result": 19 shared
# extensions plus the 14 statically built modules gives 33 in total.
for mod in bz2 calendar ctype curl exif fileinfo ftp gettext gmp iconv json mbstring phar shmop simplexml sockets tokenizer xml zip; do
  sudo tee /etc/php.d/${mod}.ini >/dev/null <<EOF
extension=${mod}.so
EOF
done

php -m


Expected result:
----------------
[PHP Modules]
bz2
calendar
Core
ctype
curl
date
exif
fileinfo
filter
ftp
gettext
gmp
hash
iconv
json
libxml
mbstring
mhash
openssl
pcre
Phar
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
standard
tokenizer
xml
zip
zlib

[Zend Modules]


Actual result:
--------------
Segmentation fault
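The report says the crash depends only on how many extensions are enabled, not on which ones. The script below is an added reproduction helper, not part of the original report: it enables the first 1, 2, ... N extensions of a list through the real PHP_INI_SCAN_DIR environment variable and the CLI's -d extension_dir= override (so it needs no root and does not touch /etc/php.d), runs php -m each time, and reports the first count at which the process is killed by a signal (exit status 128 plus the signal number, 139 for SIGSEGV in most shells). PHP and EXT_DIR are assumed paths to the binary under test and its .so directory; the default extension_dir value is a guess for the layout in the configure line above.

```shell
#!/bin/sh
# Added reproduction helper for bug #69823 (not from the original report).
# Usage: PHP=/path/to/php EXT_DIR=/path/to/modules sh repro.sh run
set -u
PHP=${PHP:-php}
EXT_DIR=${EXT_DIR:-/usr/lib64/php/modules}   # assumed location of the .so files

# Write one <name>.ini per extension into directory D, replacing any previous
# set, and print how many were written.
make_scan_dir() {
    d=$1; shift
    mkdir -p "$d"
    rm -f "$d"/*.ini
    n=0
    for m in "$@"; do
        printf 'extension=%s.so\n' "$m" > "$d/$m.ini"
        n=$((n + 1))
    done
    echo "$n"
}

# Run "php -m" with the given scan dir; the exit status is the result.
run_php_m() {
    PHP_INI_SCAN_DIR="$1" "$PHP" -d "extension_dir=$EXT_DIR" -m >/dev/null 2>&1
}

# Classify an exit status: ok, error (PHP's own non-zero exit), or signal
# (>= 128, the shell convention for "killed by signal N-128").
classify() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -ge 128 ]; then echo signal
    else echo error
    fi
}

# Enable the extensions one more at a time and print the first count whose
# run died by a signal, or "none" if every count survived.
find_threshold() {
    dir=$1; shift
    enabled=""
    i=0
    for ext in "$@"; do
        enabled="$enabled $ext"
        i=$((i + 1))
        make_scan_dir "$dir" $enabled >/dev/null
        if run_php_m "$dir"; then status=0; else status=$?; fi
        if [ "$(classify "$status")" = signal ]; then
            echo "$i"
            return 0
        fi
    done
    echo none
}

main() {
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # The 19 shared extensions the report enables; with the 14 built-in
    # modules the last run has 33 modules loaded.
    echo "first extension count killed by a signal: $(find_threshold "$tmp" \
        bz2 calendar ctype curl exif fileinfo ftp gettext gmp iconv json \
        mbstring phar shmop simplexml sockets tokenizer xml zip)"
}

case "${1:-}" in run) main ;; esac
```

Against a build that still has the bug the reporter describes, the script should print 19 (the run at which the module total reaches 33); against a build carrying the fix it should print none. Reordering the extension list is a quick way to confirm the reporter's claim that the set does not matter, only the count.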

 [2015-06-13 21:38 UTC] andy at webtatic dot com
"This doesn't appear to be any combination of 33 extensions."

I mean, this isn't caused by the extensions themselves, whichever ones are loaded, only that the total is 33.
 [2015-06-13 22:09 UTC] andy at webtatic dot com
module_registry is initialized with a size of 32. 

https://github.com/php/php-src/blob/master/Zend/zend.c#L704

I wonder if this is causing further bugs in all zend hashes with data added +1 above their initialized size.
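The hypothesis above (a registry sized for 32 entries receiving a 33rd) points at a classic hazard of growable tables: a resize moves every entry, so any raw pointer taken into the old storage before the growth is dead afterwards. The program below is an added illustration of that hazard and of one defensive design for it. It is not PHP's zend_hash and makes no claim about what the eventual fix changed; it is a minimal string-keyed open-addressing table that starts at 32 slots, doubles when the 33rd distinct key arrives, and hands out (slot, generation) handles instead of raw entry pointers so a handle issued before the resize is refused rather than dereferenced. All names in it are hypothetical.

```c
/* Added illustration for the "32 slots, 33 entries" hypothesis in bug #69823.
 * Not PHP's zend_hash and not the fix: a toy table whose handles go stale
 * on resize instead of pointing into freed memory. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_SIZE 32   /* the initial size the report quotes for module_registry */

struct entry  { char *key; int value; };                 /* key == NULL: empty slot */
struct table  { struct entry *slots; size_t cap; size_t count; unsigned generation; };
struct handle { size_t slot; unsigned generation; };     /* generation: resize counter at issue time */

static uint64_t fnv1a(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

static char *dup_str(const char *s) {           /* strdup without relying on POSIX */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static int table_init(struct table *t, size_t cap) {
    t->slots = calloc(cap, sizeof *t->slots);
    if (!t->slots) return -1;
    t->cap = cap; t->count = 0; t->generation = 0;
    return 0;
}

/* Linear probing: the slot holding key, or the empty slot it would take;
 * returns t->cap when the table is full and key is absent. */
static size_t probe(const struct table *t, const char *key) {
    size_t i = (size_t)(fnv1a(key) & (t->cap - 1));
    for (size_t n = 0; n < t->cap; n++, i = (i + 1) & (t->cap - 1))
        if (!t->slots[i].key || strcmp(t->slots[i].key, key) == 0) return i;
    return t->cap;
}

/* Double the table. Every entry moves, so every raw pointer into the old
 * storage is dead; bumping the generation is what lets handles notice. */
static int table_grow(struct table *t) {
    struct table bigger;
    if (table_init(&bigger, t->cap * 2) != 0) return -1;
    for (size_t i = 0; i < t->cap; i++)
        if (t->slots[i].key) bigger.slots[probe(&bigger, t->slots[i].key)] = t->slots[i];
    bigger.count = t->count;
    bigger.generation = t->generation + 1;
    free(t->slots);
    *t = bigger;
    return 0;
}

/* Insert or update. The handle is valid only until the next resize. */
static struct handle table_put(struct table *t, const char *key, int value) {
    struct handle h = { SIZE_MAX, 0 };
    if (t->count == t->cap && table_grow(t) != 0) return h;   /* grows on the 33rd insert */
    size_t i = probe(t, key);
    if (!t->slots[i].key) {
        if (!(t->slots[i].key = dup_str(key))) return h;
        t->count++;
    }
    t->slots[i].value = value;
    h.slot = i; h.generation = t->generation;
    return h;
}

/* Resolve a handle; NULL if a resize happened since it was issued. */
static struct entry *table_get(const struct table *t, struct handle h) {
    if (h.generation != t->generation || h.slot >= t->cap || !t->slots[h.slot].key) return NULL;
    return &t->slots[h.slot];
}

static struct entry *table_find(const struct table *t, const char *key) {
    size_t i = probe(t, key);
    return (i < t->cap && t->slots[i].key) ? &t->slots[i] : NULL;
}

static void table_free(struct table *t) {
    for (size_t i = 0; i < t->cap; i++) free(t->slots[i].key);
    free(t->slots);
    t->slots = NULL; t->cap = t->count = 0;
}

/* Register n pseudo-modules "ext00".."extNN" into a fresh 32-slot table, keep
 * the handle of the first one, then count how many are still found by key.
 * Optionally reports the final table size and whether the first handle went
 * stale, i.e. whether a resize happened. Returns the number found (-1 on OOM). */
static int register_n(int n, size_t *cap_out, int *first_stale_out) {
    struct table t;
    struct handle first = { SIZE_MAX, 0 };
    char name[16];
    int found = 0;
    if (table_init(&t, INITIAL_SIZE) != 0) return -1;
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "ext%02d", i);
        struct handle h = table_put(&t, name, i);
        if (i == 0) first = h;
    }
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "ext%02d", i);
        struct entry *e = table_find(&t, name);
        if (e && e->value == i) found++;
    }
    if (cap_out) *cap_out = t.cap;
    if (first_stale_out) *first_stale_out = (table_get(&t, first) == NULL);
    table_free(&t);
    return found;
}

static size_t size_after(int n)     { size_t c; int s; register_n(n, &c, &s); return c; }
static int first_stale_after(int n) { size_t c; int s; register_n(n, &c, &s); return s; }

int main(void) {
    size_t cap; int stale;
    int found = register_n(33, &cap, &stale);
    printf("33 modules: %d found, table size %zu, first handle stale: %s\n",
           found, cap, stale ? "yes" : "no");
    return found == 33 ? 0 : 1;
}
```

With 32 entries the table never resizes and the first handle still resolves; with 33 it doubles to 64 slots, every entry is still reachable by key, and the handle taken before the growth is reported stale instead of being followed. That is the property a registry must preserve when it crosses its initial size: look entries up again after any insert rather than caching pointers across it.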
 [2015-06-14 04:24 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-06-14 04:26 UTC] yohgaki@php.net
-Status: Assigned +Status: Open -Assigned To: laruence +Assigned To:
 [2015-06-14 04:26 UTC] yohgaki@php.net
functions: OK
constants: OK by define()
constants: OK by const
classes: OK

It seems only module registry is affected.

By the way, default function hash seems too small. It's way over 1024 functions even with relatively few modules.
 [2015-06-14 04:27 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: laruence
 [2015-06-14 04:27 UTC] yohgaki@php.net
Back to assigned.
 [2015-06-14 04:32 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc37d3e8c2248f4f4437547bc7225276e22ea41d
Log: Fixed Bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded)
 [2015-06-14 04:32 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc37d3e8c2248f4f4437547bc7225276e22ea41d
Log: Fixed Bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc37d3e8c2248f4f4437547bc7225276e22ea41d
Log: Fixed Bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 22:01:36 2017 UTC