php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71754 Regression in PHP7.0: trivial script segfaults php-cgi
Submitted: 2016-03-09 13:33 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: phpbug at wisl dot de Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: phpbug at wisl dot de
New email:
PHP Version: OS:

 

 [2016-03-09 13:33 UTC] phpbug at wisl dot de
Description:
------------
The included trivial 2-line-script crashed php-cgi with the following backtrace:

(gdb) run bugtest2.php
Starting program: /usr/bin/php-cgi7.0 bugtest2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
zend_hash_str_find (ht=0x0, str=str@entry=0xd33ece "REQUEST_URI", len=len@entry=11)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_hash.c:1959
1959    /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_hash.c: No such file or directory.
(gdb) bt
#0  zend_hash_str_find (ht=0x0, str=str@entry=0xd33ece "REQUEST_URI", len=len@entry=11)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_hash.c:1959
#1  0x0000000000640aeb in php_session_start ()
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/ext/session/session.c:1613
#2  0x0000000000641cd5 in zif_session_start (execute_data=<optimized out>,
    return_value=0x7ffff0612090)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/ext/session/session.c:2312
#3  0x000000000083c39e in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_vm_execute.h:586
#4  0x000000000082c83b in execute_ex (ex=<optimized out>)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_vm_execute.h:414
#5  0x0000000000888689 in zend_execute (op_array=<optimized out>,
    return_value=<optimized out>)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend_vm_execute.h:458
#6  0x00000000007e9537 in zend_execute_scripts (type=type@entry=8,
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/Zend/zend.c:1427
#7  0x000000000077c0a8 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffd390)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/main/main.c:2484
#8  0x000000000048d5f7 in main (argc=2, argv=0x7fffffffd818)
    at /var/tmp/portage/dev-lang/php-7.0.4/work/sapis-build/cgi/sapi/cgi/cgi_main.c:2453


Test script:
---------------
<?php
ini_set("session.use_only_cookies","0");
session_start();
?>

Expected result:
----------------
Just an empty page, because while the script does start a session it does nothing else. Instead I get an 500 internal server error, because the cgi process was aborted with a segfault.

I'm fileing this seperate bug in addition zu #71599, because nobody seems to care that the transparend session id feature is broken. I hope this trivial triggereble segfault gets some attention.

The cause seems to be the following commit:
https://github.com/php/php-src/commit/f248df900300c5b2201d4cf634d58d413399e2eb

Please revert this commit because of the following reasons:
* Its description ("Behavior is unchanged.") is plain wrong: The change causes PHPSESSID parameters added to all URLs even if the user has cookies enabled. That is a behavior change.
* Its contains bugs, because on multiple occasions I have seen it adding multiple PHPSESSID parameters.
* It removes a validation check (Z_ISUNDEF(PG(http_globals)[TRACK_VARS_SERVER])) and because of that the option session.use_only_cookie=0 now triggers a segfault when calling session_start(). (At least when using the cgi variant of php.)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-03-10 07:03 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=98c625a31cc329aa45c48d9c376c6197e278a3a5
Log: Fixed bug #71754 (Regression in PHP7.0: trivial script segfaults php-cgi)
 [2016-03-10 07:03 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-03-11 23:43 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca61f5954bf9e64072bfa31b4a7431e211a109e7
Log: Fixed Bug #71754 Regression in PHP7.0: trivial script segfaults php-cgi Fixed Bug #71683 Null pointer dereference in zend_hash_str_find_bucket Fixed Bug #71599 trans sid handling rework broke interaction with cookies
 [2016-03-14 14:59 UTC] ab@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca61f5954bf9e64072bfa31b4a7431e211a109e7
Log: Fixed Bug #71754 Regression in PHP7.0: trivial script segfaults php-cgi Fixed Bug #71683 Null pointer dereference in zend_hash_str_find_bucket Fixed Bug #71599 trans sid handling rework broke interaction with cookies
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca61f5954bf9e64072bfa31b4a7431e211a109e7
Log: Fixed Bug #71754 Regression in PHP7.0: trivial script segfaults php-cgi Fixed Bug #71683 Null pointer dereference in zend_hash_str_find_bucket Fixed Bug #71599 trans sid handling rework broke interaction with cookies
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=98c625a31cc329aa45c48d9c376c6197e278a3a5
Log: Fixed bug #71754 (Regression in PHP7.0: trivial script segfaults php-cgi)
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Feb 22 18:01:27 2020 UTC