Bug #70842 Persistent Stream Segmentation Fault
Submitted: 2015-11-02 21:56 UTC Modified: 2015-11-09 04:20 UTC
From: caleb dot champlin at gmail dot com Assigned: laruence
Status: Closed Package: Streams related
PHP Version: 7.0.0RC6 OS: Linux
Private report: No CVE-ID:
 [2015-11-02 21:56 UTC] caleb dot champlin at gmail dot com
Description:
------------
Using PHP-FPM, and presumably the Apache module, in certain situations accessing persistent streams will result in a segmentation fault.

Build Configuration: 
./configure --build=x86_64-alpine-linux-musl \
                --host=x86_64-alpine-linux-musl \
                --prefix=/usr \
                --sysconfdir=/etc/php \
                --localstatedir=/var \
                --with-layout=GNU \
                --with-config-file-path=/etc/php \
                --with-config-file-scan-dir=/etc/php/conf.d \
                --enable-inline-optimization \
                --enable-debug \
                --disable-rpath \
                --disable-static \
                --enable-shared \
                --mandir=/usr/share/man \
                --with-pic \
                --disable-cli \
                --enable-fpm \
                --without-db1 \
                --without-db2 \
                --without-db3 \
                --without-qdbm \
                --with-pcre-regex=/usr \

Test script:
---------------
I have not been able to produce a script that will consistently reproduce the segmentation fault.

General steps:

1) In a PHP script, call stream_socket_client with flags STREAM_CLIENT_CONNECT | STREAM_CLIENT_PERSISTENT
2) Call fwrite with the socket resource
3) Execute the page multiple times through FPM and PHP will segfault.

(With small test scripts I generally cannot reproduce it. If I start including PHP files with non-executed code (class definitions) at the top of my test scripts, then I can get crashes to occur consistently.)

Actual result:
--------------
#0  0x00005634ca7c2c1e in php_sockop_write (stream=0x5634ccfb3700, buf=0x7f2d06159ec0 "*2\r\n$6\r\nselect\r\n$1\r\n0\r\n", count=23) at /home/test/php-src-php-7.0.0RC6/main/streams/xp_socket.c:111
111                     php_stream_notify_progress_increment(PHP_STREAM_CONTEXT(stream), didwrite, 0);
(gdb) bt
#0  0x00005634ca7c2c1e in php_sockop_write (stream=0x5634ccfb3700, buf=0x7f2d06159ec0 "*2\r\n$6\r\nselect\r\n$1\r\n0\r\n", count=23) at /home/test/php-src-php-7.0.0RC6/main/streams/xp_socket.c:111
#1  0x00005634ca7b163c in _php_stream_write_buffer (stream=0x5634ccfb3700, buf=0x7f2d06159ec0 "*2\r\n$6\r\nselect\r\n$1\r\n0\r\n", count=23) at /home/test/php-src-php-7.0.0RC6/main/streams/streams.c:1115
#2  0x00005634ca7b19f2 in _php_stream_write (stream=0x5634ccfb3700, buf=0x7f2d06159ec0 "*2\r\n$6\r\nselect\r\n$1\r\n0\r\n", count=23) at /home/test/php-src-php-7.0.0RC6/main/streams/streams.c:1230
#3  0x00005634ca70345a in zif_fwrite (execute_data=0x7f2d1be14160, return_value=0x7f2d1be14140) at /home/test/php-src-php-7.0.0RC6/ext/standard/file.c:1210
#4  0x00005634ca88b532 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/test/php-src-php-7.0.0RC6/Zend/zend_vm_execute.h:586
#5  0x00005634ca88af38 in execute_ex (ex=0x7f2d1be14030) at /home/test/php-src-php-7.0.0RC6/Zend/zend_vm_execute.h:414
#6  0x00005634ca88b057 in zend_execute (op_array=0x7f2d1be6b000, return_value=0x0) at /home/test/php-src-php-7.0.0RC6/Zend/zend_vm_execute.h:458
#7  0x00005634ca8287af in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/test/php-src-php-7.0.0RC6/Zend/zend.c:1428
#8  0x00005634ca7920c2 in php_execute_script (primary_file=0x7fff22149f90) at /home/test/php-src-php-7.0.0RC6/main/main.c:2471
#9  0x00005634ca908200 in main (argc=1, argv=0x7fff2214a368) at /home/test/php-src-php-7.0.0RC6/sapi/fpm/fpm/fpm_main.c:1944
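
The general steps above as a page for checking a build through FPM; this is an added example, not the reporter's script, and the report itself says small scripts did not crash reliably. The endpoint (a local test server speaking the Redis protocol, which is what the buffer in frame #0 contains) and the helper names resp_encode and write_all are assumptions.

```php
<?php
// Added illustration, not from the report. Serve this file through PHP-FPM and
// request it repeatedly so the same worker reuses the persistent stream.
const ENDPOINT = 'tcp://127.0.0.1:6379'; // assumed local test server

/** Encode a command as a RESP array of bulk strings (hypothetical helper). */
function resp_encode(array $args): string
{
    $out = '*' . count($args) . "\r\n";
    foreach ($args as $arg) {
        $arg = (string) $arg;
        $out .= '$' . strlen($arg) . "\r\n" . $arg . "\r\n";
    }
    return $out;
}

/** Write the whole buffer, handling short writes (hypothetical helper). */
function write_all($stream, string $buf): void
{
    $len = strlen($buf);
    for ($off = 0; $off < $len; $off += $n) {
        $n = fwrite($stream, substr($buf, $off));
        if ($n === false || $n === 0) {
            throw new RuntimeException('write failed on persistent stream');
        }
    }
}

// Step 1: persistent client socket, kept by the worker across requests.
$stream = stream_socket_client(
    ENDPOINT, $errno, $errstr, 2.0,
    STREAM_CLIENT_CONNECT | STREAM_CLIENT_PERSISTENT
);
if ($stream === false) {
    http_response_code(503);
    exit("connect failed: $errstr ($errno)\n");
}
stream_set_timeout($stream, 2);

// Step 2: fwrite on the socket resource; this encodes to the same 23 bytes
// ("*2\r\n$6\r\nselect\r\n$1\r\n0\r\n") seen in php_sockop_write in frame #0.
write_all($stream, resp_encode(['select', '0']));
$reply = fgets($stream);

// The PID shows which FPM worker answered, so a dead worker can be matched in the FPM log.
echo 'pid ', getmypid(), ' reply ', var_export($reply, true), "\n";
// No fclose(): the stream stays open for the next request (step 3).
```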

 [2015-11-03 06:52 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-09 04:20 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-11-09 04:20 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 