Bug #72030 socket/stream_select() causes buffer overflow when over 1024 handles are passed
Submitted: 2016-04-15 11:00 UTC
Modified: 2021-08-29 04:22 UTC
Votes:5
Avg. Score:4.8 ± 0.4
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: paul at spooktech dot org
Assigned: cmb
Status: No Feedback
Package: Sockets related
PHP Version: 5.6.20
OS: CentOS release 7.1.1503 (Core)
Private report: No
CVE-ID: None
 [2016-04-15 11:00 UTC] paul at spooktech dot org
Description:
------------
I've recompiled PHP in order to bypass the 1024 socket limit (FD_SETSIZE).
The only change I've made is setting FD_SETSIZE to a higher value in:-
/usr/include/linux/posix_types.h
/usr/include/bits/typesizes.h

When calling either socket_select() or stream_select() with more than 1024 handles in the read array, the script terminates with a buffer overflow error.

Test script:
---------------
$handles = array();
for($x = 0; $x < 1030; $x++){
	
	$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die('Failed to create socket');
	socket_connect($handle, '127.0.0.1', 80) or die('Failed to connect');
	socket_set_nonblock($handle) or die('Failed to set non-block on socket');
	$handles[] = $handle;
}

socket_select($handles, $w = null, $e = null, null, null);
die('Done');

Expected result:
----------------
The test script should return "Done"

Actual result:
--------------
The script opens more than 1024 sockets successfully but when socket_select() is called it terminates with the following output:-

*** buffer overflow detected ***: php terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f08bf489b37]
/lib64/libc.so.6(+0x10bcf0)[0x7f08bf487cf0]
/lib64/libc.so.6(+0x10daa7)[0x7f08bf489aa7]
/usr/lib64/php/modules/sockets.so(+0x586e)[0x7f08b0a1086e]
/usr/lib64/php/modules/sockets.so(+0x5e45)[0x7f08b0a10e45]
php(dtrace_execute_internal+0x2b)[0x7f08c282135b]
php(+0x330844)[0x7f08c28da844]
php(execute_ex+0x38)[0x7f08c286f138]
php(dtrace_execute_ex+0x79)[0x7f08c2821239]
php(zend_execute_scripts+0x18b)[0x7f08c2833f5b]
php(php_execute_script+0x282)[0x7f08c27cf452]
php(+0x332748)[0x7f08c28dc748]
php(+0xbca2a)[0x7f08c2666a2a]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f08bf39db15]
php(+0xbcac5)[0x7f08c2666ac5]
Aborted (core dumped)
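
The abort reported above follows from select()'s fd_set being a fixed bitmap of FD_SETSIZE bits; glibc's fortified build checks the descriptor index and aborts, which is the __fortify_fail frame in the backtrace. As an added example (not code from this report or from PHP; both function names are hypothetical), the C code below shows a select() wrapper that rejects out-of-range descriptors and a poll() variant that is not bound by FD_SETSIZE:

```c
/* Added example, not PHP source; function names are hypothetical. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* Returns the readable count, or -1 with errno = EINVAL when an fd lies
 * outside [0, FD_SETSIZE) and would index past the fd_set bitmap. */
int select_readable_checked(const int *fds, size_t n, int timeout_ms) {
    fd_set rset;
    int maxfd = -1;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&rset);
    for (size_t i = 0; i < n; i++) {
        if (fds[i] < 0 || fds[i] >= FD_SETSIZE) {
            errno = EINVAL;
            return -1;
        }
        FD_SET(fds[i], &rset);
        if (fds[i] > maxfd) maxfd = fds[i];
    }
    return select(maxfd + 1, &rset, NULL, NULL, &tv);
}

/* poll() takes an array of descriptors, so fd values are not bounded by
 * FD_SETSIZE. ready[i] becomes 1 when fds[i] is readable. */
int poll_readable(const int *fds, size_t n, int timeout_ms, unsigned char *ready) {
    struct pollfd *p = calloc(n ? n : 1, sizeof *p);
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++)
        p[i] = (struct pollfd){ .fd = fds[i], .events = POLLIN };
    int rc = poll(p, n, timeout_ms);
    for (size_t i = 0; i < n; i++)
        ready[i] = rc > 0 && (p[i].revents & (POLLIN | POLLHUP)) != 0;
    free(p);
    return rc;
}

int main(void) {
    int p[2], big[1] = { FD_SETSIZE + 6 };  /* constructed fd number, not open */
    unsigned char ready[1];
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1) return 1;
    printf("select, fd above limit: %d\n", select_readable_checked(big, 1, 0));
    printf("select, pipe: %d\n", select_readable_checked(p, 1, 0));
    printf("poll, pipe: %d\n", poll_readable(p, 1, 0, ready));
    return 0;
}
```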

 [2016-07-02 15:20 UTC] cmb@php.net
Related to bug #69637.
 [2021-08-16 14:37 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
 [2021-08-16 14:37 UTC] cmb@php.net
Does this still happen to you with any of the actively supported
PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-08-29 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
Last updated: Tue Dec 03 08:01:28 2024 UTC