Bug #70876 Segmentation fault when regenerating session id with strict mode
Submitted: 2015-11-07 11:52 UTC Modified: 2015-11-07 13:59 UTC
From: guilbaud dot johan at gmail dot com Assigned: laruence
Status: Closed Package: Session related
PHP Version: 7.0.0RC6 OS: OpenSuse leap 42.1 x86_64
Private report: No CVE-ID:
 [2015-11-07 11:52 UTC] guilbaud dot johan at gmail dot com
Description:
------------
Hello,
I get a segmentation fault when session.strict_mod is set to true and regenerate_session_id is called.

I compiled PHP from the RC6 sources.
I get the problem with the PHP7RC5 and PHPRC6 RPMs for openSUSE too.


Test script:
---------------
<?php
ini_set('session.use_strict_mode', true);
session_start();
session_regenerate_id();
echo "ok";

Expected result:
----------------
Ok

Actual result:
--------------
Segmentation fault / the browser shows that the connection was reset

#0  ps_files_path_create (buf=buf@entry=0x7fffffffa370 "\340І\353\377\177", data=0x0, key=0x7fffeb864018 "3a81076e16d071a7f245db1db761e4bf", buflen=4096)
    at /home/johan/php7/php-7.0.0RC6/ext/session/mod_files.c:117
#1  0x00007ffff160d813 in ps_files_key_exists (data=<optimized out>, key=<optimized out>) at /home/johan/php7/php-7.0.0RC6/ext/session/mod_files.c:334
#2  0x00007ffff160bbbf in zif_session_regenerate_id (execute_data=<optimized out>, return_value=0x7fffeb812290) at /home/johan/php7/php-7.0.0RC6/ext/session/session.c:2081
#3  0x00007ffff176b5dd in ZEND_DO_ICALL_SPEC_HANDLER () at /home/johan/php7/php-7.0.0RC6/Zend/zend_vm_execute.h:586
#4  0x00007ffff175dd8b in execute_ex (ex=<optimized out>) at /home/johan/php7/php-7.0.0RC6/Zend/zend_vm_execute.h:414
#5  0x00007ffff17a6df7 in zend_execute (op_array=0x7fffeb874000, op_array@entry=0x7fffeb89a360, return_value=return_value@entry=0x7fffeb812030)
    at /home/johan/php7/php-7.0.0RC6/Zend/zend_vm_execute.h:458
#6  0x00007ffff1722d64 in zend_execute_scripts (type=type@entry=8, retval=0x7fffeb812030, retval@entry=0x0, file_count=file_count@entry=3)
    at /home/johan/php7/php-7.0.0RC6/Zend/zend.c:1428
#7  0x00007ffff16c7c80 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd720) at /home/johan/php7/php-7.0.0RC6/main/main.c:2471
#8  0x00007ffff17a86e2 in php_handler (r=<optimized out>) at /home/johan/php7/php-7.0.0RC6/sapi/apache2handler/sapi_apache2.c:678
#9  0x000055555559f180 in ap_run_handler ()
#10 0x000055555559f6c9 in ap_invoke_handler ()
#11 0x00005555555b39ac in ap_internal_redirect ()
#12 0x00007ffff226716c in ?? () from /usr/lib64/apache2-prefork/mod_rewrite.so
#13 0x000055555559f180 in ap_run_handler ()
#14 0x000055555559f6c9 in ap_invoke_handler ()
#15 0x00005555555b464a in ?? ()
#16 0x00005555555b4924 in ?? ()
#17 0x00005555555b0c7e in ?? ()
#18 0x00005555555a8d30 in ap_run_process_connection ()
#19 0x00005555555bba9e in ?? ()
#20 0x00005555555bbc98 in ?? ()
#21 0x00005555555bc9b3 in ?? ()
#22 0x0000555555584f9e in ap_run_mpm ()
#23 0x000055555557e616 in ?? ()
#24 0x00007ffff6f4cb05 in __libc_start_main () from /lib64/libc.so.6
#25 0x000055555557e74f in _start ()


History
 [2015-11-07 13:20 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-07 13:49 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bf3ebb4ba77f38261d9cb21a205a7d31b7f85cf
Log: Fixed bug #70876 Segmentation fault when regenerating session id with strict mode
 [2015-11-07 13:49 UTC] reeze@php.net
-Status: Assigned +Status: Closed
 [2015-11-07 13:59 UTC] reeze@php.net
Hi laruence,

I found this easy one. It hadn't been assigned before; after I committed the diff I noticed the assignment. ;-)

As I mentioned in the commit, https://github.com/php/php-src/blob/master/ext/session/mod_files.c#L654 says it should be non-null, but it was not. https://github.com/php/php-src/blob/master/ext/session/mod_files.c#L676 maybe yohgaki may take care of it, either by fixing the comment or the *mod_data thing.
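The crash in the trace above (data=0x0 in ps_files_path_create, reached from ps_files_key_exists during session_regenerate_id) and the non-null expectation discussed in this comment come down to the save handler's mod_data being NULL when the strict-mode validation runs. The C model below is an added illustration, not php-src code; every name in it (ps_files, ps_open, ps_close, ps_validate_sid, the SID_* values, the two regenerate_* orderings) is assumed for the example. It shows a NULL check that fails closed beside the call ordering that validates the candidate id while the handler is still open:

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model, not php-src code: a files-style save handler whose
 * private state (mod_data) is allocated by open and freed by close. */
typedef struct { char save_path[128]; } ps_files;

enum { SID_ERROR = -1, SID_FREE = 0, SID_EXISTS = 1 };

static int ps_open(void **mod_data, const char *save_path) {
    ps_files *d = calloc(1, sizeof *d);
    if (d == NULL) return -1;
    snprintf(d->save_path, sizeof d->save_path, "%s", save_path);
    *mod_data = d;
    return 0;
}

static void ps_close(void **mod_data) {
    free(*mod_data);
    *mod_data = NULL;            /* no handler state exists from here on */
}

/* Strict-mode probe: is there already a session file for this id?
 * Hardened: a NULL mod_data (handler already closed) is reported as
 * SID_ERROR instead of being dereferenced, which is the data=0x0 case
 * in the backtrace above. */
static int ps_validate_sid(void **mod_data, const char *key) {
    ps_files *d = *mod_data;
    char path[256];
    if (d == NULL || key == NULL) return SID_ERROR;
    if (snprintf(path, sizeof path, "%s/sess_%s", d->save_path, key) >= (int)sizeof path)
        return SID_ERROR;        /* would truncate: refuse rather than probe */
    FILE *f = fopen(path, "r");
    if (f == NULL) return SID_FREE;
    fclose(f);
    return SID_EXISTS;
}

/* session_regenerate_id() with use_strict_mode, modelled in both orderings.
 * Validating after close can only yield SID_ERROR; validating before close
 * gives a usable answer and leaves the handler closed afterwards. */
static int regenerate_after_close(void **mod_data, const char *new_id) {
    ps_close(mod_data);
    return ps_validate_sid(mod_data, new_id);
}

static int regenerate_before_close(void **mod_data, const char *new_id) {
    int r = ps_validate_sid(mod_data, new_id);
    ps_close(mod_data);
    return r;
}
```

The save path used below is a constructed, non-existent directory, so the probe reports the id as free without touching a real session store.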
 [2015-11-07 14:19 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bf3ebb4ba77f38261d9cb21a205a7d31b7f85cf
Log: Fixed bug #70876 Segmentation fault when regenerating session id with strict mode
 [2015-11-07 15:30 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9fd8ad4462a39f61e757ef89f417c413aa1df6f
Log: Fixed bug #70876 (Segmentation fault when regenerating session id with strict mode)
 [2015-11-07 15:30 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=148bb622faa71090a3f6d9721aeb28a4ac720496
Log: Revert "Fixed bug #70876 Segmentation fault when regenerating session id with strict mode"
 [2015-11-09 18:12 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22d3033ec689e5fc56dc165fff9bff9d6c13880c
Log: Fixed bug #70876 (Segmentation fault when regenerating session id with strict mode)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9fd8ad4462a39f61e757ef89f417c413aa1df6f
Log: Fixed bug #70876 (Segmentation fault when regenerating session id with strict mode)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=148bb622faa71090a3f6d9721aeb28a4ac720496
Log: Revert "Fixed bug #70876 Segmentation fault when regenerating session id with strict mode"
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bf3ebb4ba77f38261d9cb21a205a7d31b7f85cf
Log: Fixed bug #70876 Segmentation fault when regenerating session id with strict mode
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC