|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70660 SIGSEGV due to null pointer dereference
Submitted: 2015-10-07 15:13 UTC Modified: 2021-07-15 17:01 UTC
From: john dot woods at greatplainsmfg dot com Assigned: cmb (profile)
Status: Closed Package: Apache2 related
PHP Version: 5.4.45 OS: Solaris x86
Private report: No CVE-ID: None
 [2015-10-07 15:13 UTC] john dot woods at greatplainsmfg dot com
- Compiled using Solaris Studio 12.3
- Compiled with httpd 2.4.16
- Crashes seem random/intermittent, so it's unknown how to reproduce or even test.
- Other enabled modules:
  - GeoIP 1.1.0
  - ibm_db2 1.9.6
  - oci8 2.0.8
  - spl_types 0.4.0
  - xcache 3.0.4

PHP Build steps:
export CC=cc
export CXX=CC
export CFLAGS="-m64 -I/usr/include/openldap -I/usr/local/include -I/usr/include"
export CPPFLAGS="-m64 -I/usr/include/openldap -I/usr/local/include -I/usr/include"
export LIBS="-lldap-2.4 -llber-2.4"
export LDFLAGS="-L/opt/mysql/mysql/lib -R/opt/mysql/mysql/lib -L/usr/local/lib -R/usr/local/lib"
export LD_PRELOAD_64=/usr/local/lib/
export LD_LIBRARY_PATH=/usr/local/lib
export IBM_DB2="/home/db2inst1/sqllib"

(Hacked up the configure script to change "-lldap" to "-lldap-2.4", and "-llber" to "-llber-2.4", to link in the proper OpenLDAP libraries that come with Solaris)
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --with-mysqli --with-pdo-mysql --with-iconv=/usr/local --with-openssl --with-curl --with-ldap
--with-mhash --with-mcrypt --with-gd --with-jpeg-dir --with-png-dir --with-xsl --enable-inline-optimization --enable-ftp --with-zlib-dir --enable-soap --enable-sockets --enable-mbstring --with-gettext --enable-intl --enable-zip --enable-gd-native-ttf --with-freetype-dir=/usr --with-xpm-dir=/usr --with-ibm-db2=$IBM_DB2 --with-pdo-odbc=ibm-db2,/opt/IBM/db2/V10.5

The php.ini options that differ from the out-of-the-box php.ini-production:
short_open_tag = On
output_buffering = Off
highlight.string  = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600      = #FFFFFF
highlight.default = #0000CC
highlight.html    = #000000
expose_php = Off
date.timezone = "America/Chicago"
max_execution_time = 300
memory_limit = 1024M
error_reporting  =  E_ALL & ~E_NOTICE
warn_plus_overloading = Off
variables_order = "EGPCS"
max_input_vars = 100000
register_argc_argv = On
post_max_size = 100M
gpc_order = "GPC"
enable_dl = On
upload_max_filesize = 100M
session.use_trans_sid = 1
(various xcache directives)

root# adb core.httpd.1444161809.13571
core file = core.httpd.1444161648.13571 -- program ``
/usr/local/apache2/bin/httpd'' on platform i86pc
SIGSEGV: Segmentation Fault`zend_hash_move_forward_ex+0x4e()`apply_config+0x12c()`php_handler+0x28a()
zend_hash_move_forward_ex ::dis`zend_hash_move_forward_ex:   pushq  %rbp`zend_hash_move_forward_ex+1: movq   %rsp,%rbp`zend_hash_move_forward_ex+4: subq   $0x30,%rsp`zend_hash_move_forward_ex+8: movq   %rdi,-0x8(%rbp)`zend_hash_move_forward_ex+0xc:       movq   %rsi,-0x10(%rbp)`zend_hash_move_forward_ex+0x10:      movq   -0x10(%rbp),%r8`zend_hash_move_forward_ex+0x14:      cmpq   $0x0,%r8`zend_hash_move_forward_ex+0x18:      je     +0xa     <`zend_hash_move_forward_ex+0x24>`zend_hash_move_forward_ex+0x1a:      movq   -0x10(%rbp),%r8`zend_hash_move_forward_ex+0x1e:      movq   %r8,-0x28(%rbp)`zend_hash_move_forward_ex+0x22:      jmp    +0xc     <`zend_hash_move_forward_ex+0x30>`zend_hash_move_forward_ex+0x24:      movq   -0x8(%rbp),%r8`zend_hash_move_forward_ex+0x28:      leaq   0x18(%r8),%r8`zend_hash_move_forward_ex+0x2c:      movq   %r8,-0x28(%rbp)`zend_hash_move_forward_ex+0x30:      movq   -0x28(%rbp),%r8`zend_hash_move_forward_ex+0x34:      movq   %r8,-0x20(%rbp)`zend_hash_move_forward_ex+0x38:      movq   -0x20(%rbp),%r8`zend_hash_move_forward_ex+0x3c:      movq   0x0(%r8),%r8`zend_hash_move_forward_ex+0x40:      cmpq   $0x0,%r8`zend_hash_move_forward_ex+0x44:      je     +0x1e    <`zend_hash_move_forward_ex+0x64>`zend_hash_move_forward_ex+0x46:      movq   -0x20(%rbp),%r8`zend_hash_move_forward_ex+0x4a:      movq   0x0(%r8),%r8`zend_hash_move_forward_ex+0x4e:      movq   0x20(%r8),%r9`zend_hash_move_forward_ex+0x52:      movq   -0x20(%rbp),%r8`zend_hash_move_forward_ex+0x56:      movq   %r9,0x0(%r8)`zend_hash_move_forward_ex+0x5a:      movl   $0x0,-0x14(%rbp)`zend_hash_move_forward_ex+0x61:      jmp    +0x8     <`zend_hash_move_forward_ex+0x6b>`zend_hash_move_forward_ex+0x63:      nop`zend_hash_move_forward_ex+0x64:      movl   $-0x1,-0x14(%rbp)        <0xffffffff>`zend_hash_move_forward_ex+0x6b:      movl   -0x14(%rbp),%eax`zend_hash_move_forward_ex+0x6e:      leave`zend_hash_move_forward_ex+0x6f:      ret
%rax = 0x0000000000000000       %r8  = 0x0000000000000000
%rbx = 0xffff80ffbea7aa40       %r9  = 0x00000000061339e0
%rcx = 0x0000000000000001       %r10 = 0xffff80fd756395f0
%rdx = 0x0000000000000001       %r11 = 0x000000000bae78d0
%rsi = 0x0000000000000000       %r12 = 0x0000000000511688
%rdi = 0x0000000000949680       %r13 = 0x0000000000000000
                                %r14 = 0x0000000000000000
                                %r15 = 0x0000000000000000

%cs = 0x0053    %fs = 0x0000    %gs = 0x0000
%ds = 0x004b    %es = 0x004b    %ss = 0x004b

%rip = 0xffff80fd75822f9e`zend_hash_move_forward_ex+0x4e
%rbp = 0xffff80ff9a4136d0
%rsp = 0xffff80ff9a4136a0

%rflags = 0x00000206
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0

%gsbase = 0x0000000000000000
%fsbase = 0xffff80ffbea7aa40
%trapno = 0xe
   %err = 0x4
0xffff80ff9a4136a0 ::dump -e -q -w 3
ffff80ff9a4136a0:  50828e00 00000000 98969400 00000000 98969400 00000000 f8679500 00000000 00000000 00000000 80969400 00000000

Initial Analysis:
Since register %r8 is 0x0 at the time of the crash, this a null pointer dereference issue. Based on the branching, I believe it is occurring near line 1126 of Zend/zend_hash.c.

Further Analysis:
The zend_hash_move_forward_ex function is used throughout PHP core, and if the problem were there, I would expect to see diversity of core dumps. However, we have only seen core dumps with the apply_config function in the stack trace. That's why I suspect this may be an apache2 handler/filter issue.

Test script:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-07 15:42 UTC] john dot woods at greatplainsmfg dot com
-Operating System: Solarix x86 +Operating System: Solaris x86
 [2015-10-07 15:42 UTC] john dot woods at greatplainsmfg dot com
(Corrected typo in O/S field.)
 [2021-07-14 10:32 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-07-14 10:32 UTC]
Is this still an issue with any of the actively supported PHP

[1] <>
 [2021-07-15 17:01 UTC]
-Status: Feedback +Status: Closed
 [2021-07-15 17:01 UTC]
Forwarding John's reply via email:

    Ever since we upgraded to PHP 7.1, we have not had any problems with this crash, or any like it.

    Since it was not consistently repeatable, it's difficult to test compiling newer versions.

    It has been 6 years since this bug was reported. My opinion is that unless someone else reports crashes with a similar stack trace, I'd assume that this bug doesn't affect 7.1 or higher.

So I'm closing this ticket.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Oct 27 20:03:34 2021 UTC