Bug #70660 SIGSEGV due to null pointer dereference
Submitted: 2015-10-07 15:13 UTC Modified: 2015-10-07 15:42 UTC
From: john dot woods at greatplainsmfg dot com Assigned:
Status: Open Package: Apache2 related
PHP Version: 5.4.45 OS: Solaris x86
Private report: No CVE-ID: None


 [2015-10-07 15:13 UTC] john dot woods at greatplainsmfg dot com
- Compiled using Solaris Studio 12.3
- Compiled with httpd 2.4.16
- Crashes seem random/intermittent, so it's unknown how to reproduce or even test.
- Other enabled modules:
  - GeoIP 1.1.0
  - ibm_db2 1.9.6
  - oci8 2.0.8
  - spl_types 0.4.0
  - xcache 3.0.4

PHP Build steps:
export CC=cc
export CXX=CC
export CFLAGS="-m64 -I/usr/include/openldap -I/usr/local/include -I/usr/include"
export CPPFLAGS="-m64 -I/usr/include/openldap -I/usr/local/include -I/usr/include"
export LIBS="-lldap-2.4 -llber-2.4"
export LDFLAGS="-L/opt/mysql/mysql/lib -R/opt/mysql/mysql/lib -L/usr/local/lib -R/usr/local/lib"
export LD_PRELOAD_64=/usr/local/lib/
export LD_LIBRARY_PATH=/usr/local/lib
export IBM_DB2="/home/db2inst1/sqllib"

(Hacked up the configure script to change "-lldap" to "-lldap-2.4", and "-llber" to "-llber-2.4", to link in the proper OpenLDAP libraries that come with Solaris)
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --with-mysqli --with-pdo-mysql --with-iconv=/usr/local --with-openssl --with-curl --with-ldap --with-mhash --with-mcrypt --with-gd --with-jpeg-dir --with-png-dir --with-xsl --enable-inline-optimization --enable-ftp --with-zlib-dir --enable-soap --enable-sockets --enable-mbstring --with-gettext --enable-intl --enable-zip --enable-gd-native-ttf --with-freetype-dir=/usr --with-xpm-dir=/usr --with-ibm-db2=$IBM_DB2 --with-pdo-odbc=ibm-db2,/opt/IBM/db2/V10.5

The php.ini options that differ from the out-of-the-box php.ini-production:
short_open_tag = On
output_buffering = Off
highlight.string  = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600      = #FFFFFF
highlight.default = #0000CC
highlight.html    = #000000
expose_php = Off
date.timezone = "America/Chicago"
max_execution_time = 300
memory_limit = 1024M
error_reporting  =  E_ALL & ~E_NOTICE
warn_plus_overloading = Off
variables_order = "EGPCS"
max_input_vars = 100000
register_argc_argv = On
post_max_size = 100M
gpc_order = "GPC"
enable_dl = On
upload_max_filesize = 100M
session.use_trans_sid = 1
(various xcache directives)

root# adb core.httpd.1444161809.13571
core file = core.httpd.1444161648.13571 -- program ``/usr/local/apache2/bin/httpd'' on platform i86pc
SIGSEGV: Segmentation Fault
zend_hash_move_forward_ex+0x4e()
apply_config+0x12c()
php_handler+0x28a()
zend_hash_move_forward_ex ::dis
zend_hash_move_forward_ex:           pushq  %rbp
zend_hash_move_forward_ex+1:         movq   %rsp,%rbp
zend_hash_move_forward_ex+4:         subq   $0x30,%rsp
zend_hash_move_forward_ex+8:         movq   %rdi,-0x8(%rbp)
zend_hash_move_forward_ex+0xc:       movq   %rsi,-0x10(%rbp)
zend_hash_move_forward_ex+0x10:      movq   -0x10(%rbp),%r8
zend_hash_move_forward_ex+0x14:      cmpq   $0x0,%r8
zend_hash_move_forward_ex+0x18:      je     +0xa     <zend_hash_move_forward_ex+0x24>
zend_hash_move_forward_ex+0x1a:      movq   -0x10(%rbp),%r8
zend_hash_move_forward_ex+0x1e:      movq   %r8,-0x28(%rbp)
zend_hash_move_forward_ex+0x22:      jmp    +0xc     <zend_hash_move_forward_ex+0x30>
zend_hash_move_forward_ex+0x24:      movq   -0x8(%rbp),%r8
zend_hash_move_forward_ex+0x28:      leaq   0x18(%r8),%r8
zend_hash_move_forward_ex+0x2c:      movq   %r8,-0x28(%rbp)
zend_hash_move_forward_ex+0x30:      movq   -0x28(%rbp),%r8
zend_hash_move_forward_ex+0x34:      movq   %r8,-0x20(%rbp)
zend_hash_move_forward_ex+0x38:      movq   -0x20(%rbp),%r8
zend_hash_move_forward_ex+0x3c:      movq   0x0(%r8),%r8
zend_hash_move_forward_ex+0x40:      cmpq   $0x0,%r8
zend_hash_move_forward_ex+0x44:      je     +0x1e    <zend_hash_move_forward_ex+0x64>
zend_hash_move_forward_ex+0x46:      movq   -0x20(%rbp),%r8
zend_hash_move_forward_ex+0x4a:      movq   0x0(%r8),%r8
zend_hash_move_forward_ex+0x4e:      movq   0x20(%r8),%r9
zend_hash_move_forward_ex+0x52:      movq   -0x20(%rbp),%r8
zend_hash_move_forward_ex+0x56:      movq   %r9,0x0(%r8)
zend_hash_move_forward_ex+0x5a:      movl   $0x0,-0x14(%rbp)
zend_hash_move_forward_ex+0x61:      jmp    +0x8     <zend_hash_move_forward_ex+0x6b>
zend_hash_move_forward_ex+0x63:      nop
zend_hash_move_forward_ex+0x64:      movl   $-0x1,-0x14(%rbp)        <0xffffffff>
zend_hash_move_forward_ex+0x6b:      movl   -0x14(%rbp),%eax
zend_hash_move_forward_ex+0x6e:      leave
zend_hash_move_forward_ex+0x6f:      ret
%rax = 0x0000000000000000       %r8  = 0x0000000000000000
%rbx = 0xffff80ffbea7aa40       %r9  = 0x00000000061339e0
%rcx = 0x0000000000000001       %r10 = 0xffff80fd756395f0
%rdx = 0x0000000000000001       %r11 = 0x000000000bae78d0
%rsi = 0x0000000000000000       %r12 = 0x0000000000511688
%rdi = 0x0000000000949680       %r13 = 0x0000000000000000
                                %r14 = 0x0000000000000000
                                %r15 = 0x0000000000000000

%cs = 0x0053    %fs = 0x0000    %gs = 0x0000
%ds = 0x004b    %es = 0x004b    %ss = 0x004b

%rip = 0xffff80fd75822f9e zend_hash_move_forward_ex+0x4e
%rbp = 0xffff80ff9a4136d0
%rsp = 0xffff80ff9a4136a0

%rflags = 0x00000206
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0

%gsbase = 0x0000000000000000
%fsbase = 0xffff80ffbea7aa40
%trapno = 0xe
   %err = 0x4
0xffff80ff9a4136a0 ::dump -e -q -w 3
ffff80ff9a4136a0:  50828e00 00000000 98969400 00000000 98969400 00000000 f8679500 00000000 00000000 00000000 80969400 00000000

Initial Analysis:
Since register %r8 is 0x0 at the time of the crash, this is a null pointer dereference issue. Based on the branching, I believe it is occurring near line 1126 of Zend/zend_hash.c.

Further Analysis:
The zend_hash_move_forward_ex function is used throughout PHP core, and if the problem were there, I would expect to see a diversity of core dumps. However, we have only seen core dumps with the apply_config function in the stack trace. That's why I suspect this may be an apache2 handler/filter issue.
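The dump above puts the fault at +0x4e, where %r8 holds the bucket pointer just re-read from *current at +0x4a and is 0, although the same location passed the null test at +0x3c/+0x40 a few instructions earlier; %rsi = 0 (and the zero word at %rbp-0x10 in the stack dump) shows pos == NULL, so the walk was going through the cursor embedded in the table at ht+0x18 (the 0x949698 at %rbp-0x20) rather than a caller-supplied one. The model below is an added illustration, not PHP's source: it reconstructs the two cursor modes the branch at +0x14 selects between and walks a constructed list both ways, with a field layout assumed from the offsets in the disassembly and checked against them.

```c
#include <stddef.h>
#define SUCCESS  0   /* the 0 stored at +0x5a in the dump */
#define FAILURE -1   /* the -1 stored at +0x64 */
/* Layouts assumed from the offsets the disassembly uses; checked below. */
typedef struct bucket {
    unsigned long  h;           /* +0x00 */
    unsigned int   nKeyLength;  /* +0x08 */
    void          *pData;       /* +0x10 */
    void          *pDataPtr;    /* +0x18 */
    struct bucket *pListNext;   /* +0x20: the load that faults at +0x4e */
} Bucket;
typedef Bucket *HashPosition;
typedef struct {
    unsigned int  nTableSize, nTableMask, nNumOfElements;
    unsigned long nNextFreeElement;
    HashPosition  pInternalPointer;  /* +0x18: address formed by leaq at +0x28 */
} HashTable;
int offsets_match_dump(void)
{ return offsetof(HashTable, pInternalPointer) == 0x18 && offsetof(Bucket, pListNext) == 0x20; }
/* Model of the function in the dump. pos == NULL (%rsi is 0 in the report)
 * selects the cursor embedded in the table, which every caller shares. */
int move_forward_ex(HashTable *ht, HashPosition *pos)
{
    HashPosition *current = pos ? pos : &ht->pInternalPointer;
    Bucket *b = *current;            /* one read feeds both the test and the use */
    if (b == NULL) return FAILURE;
    *current = b->pListNext;
    return SUCCESS;
}
/* Constructed n-bucket list walked to the end; returns the element count.
 * use_private_cursor == 0 walks through the shared pInternalPointer. */
int walk_demo(unsigned int n, int use_private_cursor)
{
    static Bucket storage[8];
    HashTable ht = {0};
    HashPosition priv, *cur;
    int count = 0;
    if (n > 8) return -1;
    for (unsigned int i = 0; i < n; i++)
        storage[i].pListNext = (i + 1 < n) ? &storage[i + 1] : NULL;
    ht.pInternalPointer = priv = n ? &storage[0] : NULL;
    cur = use_private_cursor ? &priv : NULL;
    while ((cur ? *cur : ht.pInternalPointer) != NULL) {
        count++;
        move_forward_ex(&ht, cur);
    }
    /* Cursor is NULL now, so one more step must report FAILURE. */
    return move_forward_ex(&ht, cur) == FAILURE ? count : -2;
}
```

A walk that passes its own HashPosition never touches ht+0x18, which is the difference between the two paths at +0x1a and +0x24 in the disassembly.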

 [2015-10-07 15:42 UTC] john dot woods at greatplainsmfg dot com
-Operating System: Solarix x86 +Operating System: Solaris x86
 [2015-10-07 15:42 UTC] john dot woods at greatplainsmfg dot com
(Corrected typo in O/S field.)
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jun 23 09:01:24 2021 UTC