|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69964 SessionHandler::read AV's if the PS(default_mod)->s_open fails
Submitted: 2015-06-29 21:36 UTC Modified: 2016-01-14 04:24 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None
 [2015-06-29 21:36 UTC]
If a session handler is misconfigured (e.g. bad path in session.save_path) and fails to start, the SessionHandler::read(string id) method will call into handler whose PS_OPEN_FUNC() previously returned FAILURE.
The expectation is that if a handler's PS_OPEN_FUNC() returns FAILURE, it will not receive any subsequent PS_READ_FUNC()/PS_WRITE_FUNC()/PS_CLOSE_FUNC()/PS_DESTROY_FUNC() calls.

Looks like coming through the SessionHandler::read(string id) method is continuing to call PS(default_mod)->s_read even though ->s_open failed.  I believe this is because the PS(mod_user_is_open) is being set to 1, despite the fact that the ->s_open failed.

Test script:
Assuming session.handler = wincache and session.save_path = "C:\doesNotExist\banana":


class WincacheSessionHandler extends SessionHandler {
  public function read($session_id) {
    $data = parent::read($session_id);

// Initialize the storage
$handler = new WincacheSessionHandler();
session_set_save_handler($handler, true);


print "<html><body>WORKS</body></html>";

Expected result:
php-cgi.exe should not AV.  It especially should not AV in wincache's PS_READ_FUNC() implementation.

Actual result:
Faulting application name: php-cgi.exe, version:, time stamp: 0x5578a6fc
 Faulting module name: php_wincache.dll, version:, time stamp: 0x556cd721
 Exception code: 0xc0000005
 Fault offset: 0x000163bf
 Faulting process id: 0x588
 Faulting application start time: 0x01d0ad4649943c17
 Faulting application path: C:\Program Files (x86)\PHP\php5.5\php-cgi.exe
 Faulting module path: C:\Program Files (x86)\PHP\php5.5\ext\php_wincache.dll
 Report Id: 88887401-1939-11e5-83b0-8019346bbdc6
 Faulting package full name: 
 Faulting package-relative application ID: 

WinDBG call stack:
eax=00a8e3c0 ebx=00000000 ecx=0000000b edx=0158ca90 esi=00000000 edi=0158c950
eip=6876680f esp=00a8e388 ebp=00000001 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210287
6876680f 8b6b1c          mov     ebp,dword ptr [ebx+1Ch] ds:002b:0000001c=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  
00 00a8e39c 687648b8 php_wincache!zvcache_get+0x1f [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_zvcache.c @ 1758]
01 00a8e3c0 5835b9de php_wincache!ps_read_wincache+0x58 [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_session.c @ 301]
02 00a8e3d4 58235bde php5!zim_SessionHandler_read+0x7e [c:\php-sdk\php56\vc11\x86\php-5.6.0\ext\session\mod_user_class.c @ 83]
03 00a8e46c 5826ecb6 php5!zend_std_get_static_method+0x4e [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_object_handlers.c @ 1204]
04 01572218 02762ac8 php5!zend_call_function+0x6d6 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_execute_api.c @ 832]
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0158e7a4 5826f0df 0x2762ac8
06 0158e81c 69a5dcff php5!ZEND_RETURN_SPEC_TMP_HANDLER+0x5f
07 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
08 0158e8bc 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
09 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0a 0158e95c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0b (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0c 0158ea2c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0d (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0e 0158ea38 5824e3a5 msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0f 0158ea40 00000000 php5!zend_initialize_class_data+0x75 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_compile.c @ 6897]


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-29 21:38 UTC]
-Assigned To: +Assigned To: yohgaki
 [2015-06-29 21:38 UTC]
Per e-mail, assigning to YOhgaki.
 [2016-01-14 04:24 UTC]
-Status: Assigned +Status: Closed
 [2016-01-14 04:24 UTC]
This is related to Bug #71038 and fixed partially for PHP 5.6, fully for PHP 7.0
Thank you for reporting.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Dec 05 22:05:54 2022 UTC