php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70885 session_regenerate_id segfaults
Submitted: 2015-11-10 04:39 UTC Modified: 2015-11-12 19:53 UTC
From: JosiahBradley at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.0.0RC6 OS: Amazon Linux
Private report: No CVE-ID: None
 [2015-11-10 04:39 UTC] JosiahBradley at gmail dot com
Description:
------------
Whenever session_regenerate_id() is called PHP segfaults. The session file is created in the save path. I am using php-fpm and my configure line is 

./configure --enable-debug --prefix=/usr/local --enable-fpm --with-fpm-acl --with-fpm-user=php --with-fpm-group=php --with-config-file-path\
=/usr/local/php5/conf --disable-cgi --disable-short-tags --with-openssl --with-zlib --enable-zip --with-curl=/usr/local/lib --disable-flatf\
ile --enable-opcache --with-gd --with-jpeg-dir=/usr --without-ldap --enable-mbstring --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --disab\
le-phar --with-readline --enable-sockets --enable-pcntl --without-pear --with-gnu-ld --with-libdir=lib64 --libdir=/usr/lib64/

php.ini related to session changed from defaults:

session.hash_function = 1
session.hash_bits_per_character = 6

Test script:
---------------
session_start();
echo session_save_path();
session_regenerate_id();


Expected result:
----------------
The location of the session save path.

Actual result:
--------------
#0  ps_files_path_create (buf=0x7ffc75268dc0 "", data=0x0, key=0x7fb976803068 "DKMeRn,GkcwqPerBP6zex4FaSg3", buflen=4096)
    at /usr/local/src/php/php-src/ext/session/mod_files.c:117
#1  0x0000000000649533 in ps_files_key_exists (data=0x7fb976803068, key=0x0) at /usr/local/src/php/php-src/ext/session/mod_files.c:334
#2  0x00000000006478df in zif_session_regenerate_id (execute_data=<optimized out>, return_value=0x7fb9768150b0)
    at /usr/local/src/php/php-src/ext/session/session.c:2081
#3  0x00000000007ce52d in ZEND_DO_ICALL_SPEC_HANDLER () at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:586
#4  0x00000000007c0cdb in execute_ex (ex=<optimized out>) at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:414
#5  0x0000000000809d47 in zend_execute (op_array=0x7fb976874000, op_array@entry=0x7fb9768692c0,
    return_value=return_value@entry=0x7fb976815030) at /usr/local/src/php/php-src/Zend/zend_vm_execute.h:458
#6  0x0000000000785cd4 in zend_execute_scripts (type=type@entry=8, retval=0x7fb976815030, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php/php-src/Zend/zend.c:1428
#7  0x000000000072ac40 in php_execute_script (primary_file=primary_file@entry=0x7ffc7526c290)
    at /usr/local/src/php/php-src/main/main.c:2471
#8  0x000000000043f30c in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/php/php-src/sapi/fpm/fpm/fpm_main.c:1944

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-11-10 05:43 UTC] reeze@php.net
-Status: Open +Status: Feedback
 [2015-11-10 05:43 UTC] reeze@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

it should been fixed in master. try master branch please.
 [2015-11-10 16:37 UTC] JosiahBradley at gmail dot com
Unfortunately there was a change, SHA3, to ext/hash that is preventing compilation on either the master or PHP-7.0 branches. Should I file another bug about the SHA3 compilation error or wait until the 12th for the final PHP 7.0 release?

Also the link to the snapshot is dead so I continued to use the git source.
 [2015-11-12 01:51 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-11-12 01:51 UTC] yohgaki@php.net
According to backtrace, it seems empty save_path is causing the segfault.

#0  ps_files_path_create (buf=0x7ffc75268dc0 "", data=0x0, key=0x7fb976803068 "DKMeRn,GkcwqPerBP6zex4FaSg3", buflen=4096)
    at /usr/local/src/php/php-src/ext/session/mod_files.c:117

However, I don't get segfault on my Fedora22.

[yohgaki@dev PHP-7.0]$ ./php-bin 
<?php
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>

string(0) ""
string(27) "vwUp0sl8ZjlJL0kE-7WjVi6WXFb"
string(0) ""
string(27) "wq1vwpb9mH6,M,aLjurTV3TWQz1"
string(1) "1"
string(1) "6"

Empty save_path should use the default tmp directory, usually "/tmp" on Linux. If you use invalid save_path like "/", you should get something like

[yohgaki@dev PHP-7.0]$ ./php-bin 
<?php
ini_set('session.save_path','/');
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>


Warning: session_start(): open(//sess_jxSkw0LA19QJ59sPJz3PR8dyyN2, O_RDWR) failed: Permission denied (13) in - on line 6
string(1) "/"
string(27) "jxSkw0LA19QJ59sPJz3PR8dyyN2"

Warning: session_regenerate_id(): open(//sess_jxSkw0LA19QJ59sPJz3PR8dyyN2, O_RDWR) failed: Permission denied (13) in - on line 8

Warning: session_regenerate_id(): Session write failed. ID: files (path: /) in - on line 8
string(1) "/"
string(27) "jxSkw0LA19QJ59sPJz3PR8dyyN2"
string(1) "1"
string(1) "6"


What is your "session.save_path" setting? Do you see any difference if you set it to "/tmp" explicitly?
 [2015-11-12 02:48 UTC] JosiahBradley at gmail dot com
session.save_path => /usr/local/php5/sessions

When running your code:

sudo -u php php
<?php
ini_set('session.save_path','/');
ini_set('session.hash_function',1);
ini_set('session.hash_bits_per_character',6);
ob_start();
session_start();
var_dump(session_save_path(),session_id());
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
?>
PHP Warning:  session_start(): open(//sess_ZXiPpBRkQ80MdKYrhWszKREGL83, O_RDWR) failed: Permission denied (13) in - on line 6
PHP Warning:  session_regenerate_id(): open(//sess_ZXiPpBRkQ80MdKYrhWszKREGL83, O_RDWR) failed: Permission denied (13) in - on line 8
PHP Warning:  session_regenerate_id(): Session write failed. ID: files (path: /) in - on line 8
string(1) "/"
string(27) "ZXiPpBRkQ80MdKYrhWszKREGL83"
string(1) "/"
string(27) "ZXiPpBRkQ80MdKYrhWszKREGL83"
string(1) "1"
string(1) "6"

When changing the directory to /tmp where user php can write to the CLI segfaults and there is no output.

Here is the output of strace:

"<?php\n", 1024)                = 6
session_regenerate_id();
var_dump(session_save_path(),session_id());
var_dump(ini_get('session.hash_function'),ini_get('session.hash_bits_per_character'));
read(0, "ini_set('session.save_path','/tm"..., 1024) = 37
?>read(0, "ini_set('session.hash_function',"..., 1024) = 36
read(0, "ini_set('session.hash_bits_per_c"..., 1024) = 46
read(0, "ob_start();\n", 1024)          = 12
read(0, "session_start();\n", 1024)     = 17
read(0, "var_dump(session_save_path(),ses"..., 1024) = 44
read(0, "session_regenerate_id();\n", 1024) = 25
read(0, "var_dump(session_save_path(),ses"..., 1024) = 44
read(0, "var_dump(ini_get('session.hash_f"..., 1024) = 87
read(0,
"?>\n", 1024)                   = 3
read(0, "", 1024)                       = 0
gettimeofday({1447295001, 211980}, NULL) = 0
gettimeofday({1447295001, 212072}, NULL) = 0
gettimeofday({1447295001, 212158}, NULL) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "_\21A\31\325\376p\251\241+\246\235*n\336\351\305\275\22\307\374'S\206\230\352\325>\334\31\7\350", 32) = 32
close(3)                                = 0
stat("/tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e", 0x7ffc18c18240) = -1 ENOENT (No such file or directory)
open("/tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 3
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
getuid()                                = 501
flock(3, LOCK_EX)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
pwrite(3, "", 0, 0)                     = 0
close(3)                                = 0
gettimeofday({1447295001, 219125}, NULL) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "2\352\22\17q\201\33\17VaS\17\203Y\350\212}d\276}\0F\323\24\236\31\303\32/\331m\320", 32) = 32
close(3)                                = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
+++ killed by SIGSEGV +++
Segmentation fault


Notice that the file /tmp/sess_ei0-lWyGDQzU2Ad0xzgOvv5S04e is created.

My latest build is from commit fdb14346dce221842310f237a7fa8029bda5d5cc on master. I can't update past that commit because of hash.c not wanting to compile because of missing SHA3 references.
 [2015-11-12 19:53 UTC] JosiahBradley at gmail dot com
-Status: Feedback +Status: Closed
 [2015-11-12 19:53 UTC] JosiahBradley at gmail dot com
Latest build of master fixes the issue.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Apr 02 23:01:23 2020 UTC