Bug #69964 SessionHandler::read AV's if the PS(default_mod)->s_open fails
Submitted: 2015-06-29 21:36 UTC Modified: 2016-01-14 04:24 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ericsten@php.net Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None
 [2015-06-29 21:36 UTC] ericsten@php.net
Description:
------------
If a session handler is misconfigured (e.g. bad path in session.save_path) and fails to start, the SessionHandler::read(string id) method will call into the handler whose PS_OPEN_FUNC() previously returned FAILURE.
The expectation is that if a handler's PS_OPEN_FUNC() returns FAILURE, it will not receive any subsequent PS_READ_FUNC()/PS_WRITE_FUNC()/PS_CLOSE_FUNC()/PS_DESTROY_FUNC() calls.

It looks like a call coming through the SessionHandler::read(string id) method continues to call PS(default_mod)->s_read even though ->s_open failed. I believe this is because PS(mod_user_is_open) is being set to 1, despite the fact that ->s_open failed.

http://lxr.php.net/xref/PHP_TRUNK/ext/session/mod_user_class.c#50


Test script:
---------------
Assuming session.handler = wincache and session.save_path = "C:\doesNotExist\banana":

<?php

class WincacheSessionHandler extends SessionHandler {
  // Forwards to the internal (wincache) handler; this is the call that
  // reaches PS(default_mod)->s_read even though ->s_open failed.
  public function read($session_id) {
    $data = parent::read($session_id);
    return $data;
  }
}

// Initialize the storage
$handler = new WincacheSessionHandler();
session_set_save_handler($handler, true);

session_start();

print "<html><body>WORKS</body></html>";

Expected result:
----------------
php-cgi.exe should not AV.  It especially should not AV in wincache's PS_READ_FUNC() implementation.

Actual result:
--------------
Faulting application name: php-cgi.exe, version: 5.5.26.0, time stamp: 0x5578a6fc
Faulting module name: php_wincache.dll, version: 1.3.7.6, time stamp: 0x556cd721
Exception code: 0xc0000005
Fault offset: 0x000163bf
Faulting process id: 0x588
Faulting application start time: 0x01d0ad4649943c17
Faulting application path: C:\Program Files (x86)\PHP\php5.5\php-cgi.exe
Faulting module path: C:\Program Files (x86)\PHP\php5.5\ext\php_wincache.dll
Report Id: 88887401-1939-11e5-83b0-8019346bbdc6
Faulting package full name: 
Faulting package-relative application ID: 
...snip!...

WinDBG call stack:
eax=00a8e3c0 ebx=00000000 ecx=0000000b edx=0158ca90 esi=00000000 edi=0158c950
eip=6876680f esp=00a8e388 ebp=00000001 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210287
php_wincache!zvcache_get+0x1f:
6876680f 8b6b1c          mov     ebp,dword ptr [ebx+1Ch] ds:002b:0000001c=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  
00 00a8e39c 687648b8 php_wincache!zvcache_get+0x1f [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_zvcache.c @ 1758]
01 00a8e3c0 5835b9de php_wincache!ps_read_wincache+0x58 [c:\php-sdk\php56dev\vc11\x86\pecl\wincache\wincache_session.c @ 301]
02 00a8e3d4 58235bde php5!zim_SessionHandler_read+0x7e [c:\php-sdk\php56\vc11\x86\php-5.6.0\ext\session\mod_user_class.c @ 83]
03 00a8e46c 5826ecb6 php5!zend_std_get_static_method+0x4e [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_object_handlers.c @ 1204]
04 01572218 02762ac8 php5!zend_call_function+0x6d6 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_execute_api.c @ 832]
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0158e7a4 5826f0df 0x2762ac8
06 0158e81c 69a5dcff php5!ZEND_RETURN_SPEC_TMP_HANDLER+0x5f
07 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
08 0158e8bc 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
09 (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0a 0158e95c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0b (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0c 0158ea2c 69a5dcff msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0d (Inline) -------- msvcr110!_heap_alloc+0x21 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 56]
0e 0158ea38 5824e3a5 msvcr110!malloc+0x49 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 91]
0f 0158ea40 00000000 php5!zend_initialize_class_data+0x75 [c:\php-sdk\php56\vc11\x86\php-5.6.0\zend\zend_compile.c @ 6897]
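A defensive user-land wrapper for the situation the report describes, added here as an example and not part of the bug report or of wincache: it records whether the internal handler's open() succeeded and skips forwarding read/write/close/destroy to parent:: when it did not, so a bad session.save_path never reaches the native PS_READ_FUNC(). The class name is assumed; signatures are left untyped to match the PHP 5.6 API the report targets.

```php
<?php
// Added example, not code from the bug report. Guards the internal handler
// (e.g. wincache or files) against the engine calling read()/write() after
// a failed open(). Class name is assumed; signatures untyped for PHP 5.6.
class GuardedSessionHandler extends SessionHandler
{
    private $opened = false;

    public function open($save_path, $session_name)
    {
        // parent::open() calls PS(default_mod)->s_open; remember its result.
        $this->opened = (bool) parent::open($save_path, $session_name);
        if (!$this->opened) {
            error_log("session open() failed for save_path '$save_path'");
        }
        return $this->opened;
    }

    public function read($session_id)
    {
        // The report shows s_read being reached after s_open failed; refuse
        // to forward in that case and hand back an empty session instead.
        if (!$this->opened) {
            return '';
        }
        return parent::read($session_id);
    }

    public function write($session_id, $session_data)
    {
        return $this->opened ? parent::write($session_id, $session_data) : false;
    }

    public function close()
    {
        return $this->opened ? parent::close() : true;
    }

    public function destroy($session_id)
    {
        return $this->opened ? parent::destroy($session_id) : false;
    }
}

session_set_save_handler(new GuardedSessionHandler(), true);
session_start();
```

The error_log() line also gives operators a log signal for the misconfiguration, which the silent AV in the report does not.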

History

 [2015-06-29 21:38 UTC] ericsten@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-06-29 21:38 UTC] ericsten@php.net
Per e-mail, assigning to Yohgaki.
 [2016-01-14 04:24 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-01-14 04:24 UTC] yohgaki@php.net
This is related to Bug #71038 and fixed partially for PHP 5.6, fully for PHP 7.0.
Thank you for reporting.