Bug #72030 socket/stream_select() causes buffer overflow when over 1024 handles are passed
Submitted: 2016-04-15 11:00 UTC
Modified: 2016-07-02 15:20 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: paul at spooktech dot org
Assigned:
Status: Open
Package: Sockets related
PHP Version: 5.6.20
OS: CentOS release 7.1.1503 (Core)
Private report: No
CVE-ID: None

 [2016-04-15 11:00 UTC] paul at spooktech dot org
Description:
------------
I've recompiled PHP in order to bypass the 1024 socket limit (FD_SETSIZE).
The only change I've made is setting FD_SETSIZE to a higher value in:-
/usr/include/linux/posix_types.h
/usr/include/bits/typesizes.h

When calling either socket_select() or stream_select() with more than 1024 handles in the read array, the script terminates with a buffer overflow error.

Test script:
---------------
<?php
// Open more sockets than the default FD_SETSIZE (1024).
$handles = array();
for($x = 0; $x < 1030; $x++){
	$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die('Failed to create socket');
	socket_connect($handle, '127.0.0.1', 80) or die('Failed to connect');
	socket_set_nonblock($handle) or die('Failed to set non-block on socket');
	$handles[] = $handle;
}

// All 1030 handles go into the read set of a single select call.
socket_select($handles, $w = null, $e = null, null, null);
die('Done');

Expected result:
----------------
The test script should return "Done"

Actual result:
--------------
The script opens more than 1024 sockets successfully but when socket_select() is called it terminates with the following output:-

*** buffer overflow detected ***: php terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f08bf489b37]
/lib64/libc.so.6(+0x10bcf0)[0x7f08bf487cf0]
/lib64/libc.so.6(+0x10daa7)[0x7f08bf489aa7]
/usr/lib64/php/modules/sockets.so(+0x586e)[0x7f08b0a1086e]
/usr/lib64/php/modules/sockets.so(+0x5e45)[0x7f08b0a10e45]
php(dtrace_execute_internal+0x2b)[0x7f08c282135b]
php(+0x330844)[0x7f08c28da844]
php(execute_ex+0x38)[0x7f08c286f138]
php(dtrace_execute_ex+0x79)[0x7f08c2821239]
php(zend_execute_scripts+0x18b)[0x7f08c2833f5b]
php(php_execute_script+0x282)[0x7f08c27cf452]
php(+0x332748)[0x7f08c28dc748]
php(+0xbca2a)[0x7f08c2666a2a]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f08bf39db15]
php(+0xbcac5)[0x7f08c2666ac5]
Aborted (core dumped)
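
Added example, not part of the original report and not PHP's own code: C code showing the bounds check that select()-based code needs before calling FD_SET(), next to a poll()-based wait that is not tied to FD_SETSIZE. The helper names fdset_add_checked and wait_readable are hypothetical, poll() is a swapped-in alternative that the report does not mention, and the pipe in main() is constructed sample input.

```c
#include <poll.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits. FD_SET() on a descriptor
 * outside [0, FD_SETSIZE) writes past it; glibc's fortified build aborts
 * with "buffer overflow detected" instead. Reject such descriptors first. */
int fdset_add_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;              /* would index outside the bitmap */
    FD_SET(fd, set);
    return 0;
}

/* poll() takes a caller-sized array, so descriptor values at or above
 * FD_SETSIZE are fine. Returns the number of descriptors with events,
 * 0 on timeout, -1 on error. */
int wait_readable(const int *fds, size_t n, int timeout_ms)
{
    struct pollfd *pfds = calloc(n ? n : 1, sizeof *pfds);
    int ready;

    if (pfds == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        pfds[i].fd = fds[i];
        pfds[i].events = POLLIN;
    }
    ready = poll(pfds, (nfds_t)n, timeout_ms);
    free(pfds);
    return ready;
}

int main(void)
{
    int p[2];
    fd_set set;

    FD_ZERO(&set);
    /* Constructed input: one byte makes the pipe's read end readable. */
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    /* The out-of-range fd is refused; poll() sees the readable pipe. */
    return (fdset_add_checked(FD_SETSIZE, &set) == -1 &&
            wait_readable(p, 1, 0) == 1) ? 0 : 1;
}
```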

 [2016-07-02 15:20 UTC] cmb@php.net
Related to bug #69637.
 
Last updated: Fri Apr 19 22:01:25 2019 UTC