php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72724 PHP7: session-uploadprogress kills httpd
Submitted: 2016-08-01 09:02 UTC Modified: 2016-08-18 22:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam2 at rhsoft dot net Assigned: nikic
Status: Closed Package: Session related
PHP Version: 7.0.9 OS: Linux
Private report: No CVE-ID:
 [2016-08-01 09:02 UTC] spam2 at rhsoft dot net
Description:
------------
last week i ported our upload-progress from the pecl-exetnsion to the session support started with PHP 5.4, all fine on PHP 5.6

after upgrade to 7.0.9 (hardened build with stack-protector, PIE/PIC) the upload-progress itself works fine but at the moment the upload is finished httpd crashs

see "/usr/bin/strace -s 256 -q -y -f -v httpd" bottom output

\3138\207\304=\35\363\362\370\251\221\264\0270\254\2348.\27\322q\274\327\341Q\224\315\276U\302\354\10b\316\4(\0350\264\230<\214\364x9\364G\37\364\207\314\265\341"..., 3976) = 3976
[pid 15402] close(13</Volumes/dune/www-servers/uploadprogress/uploadtemp/phpv4MOhn>) = 0
[pid 15402] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
[pid 15402] chdir("/etc/httpd")         = 0
[pid 15402] rt_sigaction(SIGSEGV, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT, 0x7fd3d7d9ec30}, {SIG_DFL, [], SA_RESTORER|SA_RESETHAND, 0x7fd3d7d9ec30}, 8) = 0
[pid 15402] kill(15402, SIGSEGV)        = 0
[pid 15402] rt_sigreturn({mask=[]})     = 24
[pid 15402] --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_USER, si_pid=15402, si_uid=48} ---
[pid 15402] +++ killed by SIGSEGV +++
[pid 15395] <... select resumed> )      = ? ERESTARTNOHAND (To be restarted if no handler)
[pid 15395] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=15402, si_uid=48, si_status=SIGSEGV, si_utime=4, si_stime=31} ---
[pid 15395] select(0, NULL, NULL, NULL, {0, 349972}) = 0 (Timeout)
[pid 15395] wait4(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], WNOHANG|WSTOPPED, NULL) = 15402
[pid 15395] write(2</Volumes/dune/www-servers/_logs/apache_error.log>, "[Mon Aug 01 10:58:23.271421 2016] [core:notice] [pid 15395] AH00052: child pid 15402 exit signal Segmentation fault (11)\n", 121) = 121
[pid 15395] wait4(-1, 0x7ffe54af4184, WNOHANG|WSTOPPED, NULL) = 0


Test script:
---------------
well, it would be fine when this bugtracker would support other attachments than patches, the whole testcase lives in it's own folder including the javascript ajax part


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-01 12:15 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2016-08-01 12:15 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2016-08-02 11:15 UTC] spam2 at rhsoft dot net
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6b631d6 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6b631d6 in strlen () from /lib64/libc.so.6
#1  0x00007ffff3be2322 in add_assoc_string_ex (arg=0x7fffef265078, key=0x7ffff3f8f22d "tmp_name", key_len=8, str=0x18 <error: Cannot access memory at address 0x18>)
    at /home/builduser/rpmbuild/BUILD/php-7.0.9/Zend/zend_API.c:1390
#2  0x00007ffff3d84f39 in php_session_rfc1867_callback (event=4, event_data=0x7fffffffc4b0, extra=0x7fffffffc308) at /home/builduser/rpmbuild/BUILD/php-7.0.9/ext/session/session.c:3068
#3  0x00007ffff3bc733b in rfc1867_post_handler (content_type_dup=0x7fffef25c000 "multipart/form-data; boundary=", '-' <repeats 27 times>, "187609725357453047733494121", arg=0x7fffffffdaa0)
    at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/rfc1867.c:1104
#4  0x00007ffff3ba4eaf in sapi_handle_post (arg=0x7fffffffdaa0) at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/SAPI.c:174
#5  0x00007ffff3bbe501 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/php_variables.c:397
#6  0x00007ffff3bbcadd in php_auto_globals_create_post (name=0x7fffed568f90) at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/php_variables.c:694
#7  0x00007ffff3f149cc in zend_activate_auto_globals () at /home/builduser/rpmbuild/BUILD/php-7.0.9/Zend/zend_compile.c:1567
#8  0x00007ffff3bbcfbd in php_hash_environment () at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/php_variables.c:664
#9  0x00007ffff3c06963 in php_request_startup () at /home/builduser/rpmbuild/BUILD/php-7.0.9/main/main.c:1628
#10 0x00007ffff3b25a86 in php_apache_request_ctor (r=0x7fffef4070a0, ctx=0x7fffef1d1028) at /home/builduser/rpmbuild/BUILD/php-7.0.9/sapi/apache2handler/sapi_apache2.c:513
#11 0x00007ffff3b25ead in php_handler (r=0x7fffef4070a0) at /home/builduser/rpmbuild/BUILD/php-7.0.9/sapi/apache2handler/sapi_apache2.c:629
#12 0x0000555555599eb8 in ap_run_handler ()
#13 0x000055555559ae87 in ap_invoke_handler ()
#14 0x00005555555f0a3a in ap_process_async_request ()
#15 0x00005555555f0d30 in ap_process_request ()
#16 0x00005555555d9c55 in ?? ()
#17 0x0000555555584ab8 in ap_run_process_connection ()
#18 0x00005555555cca3f in ?? ()
#19 0x00005555555cccdb in ?? ()
#20 0x00005555555ce281 in ?? ()
#21 0x00005555555d196e in ap_run_mpm ()
#22 0x000055555557e2c2 in main ()
(gdb)
 [2016-08-02 22:35 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1bcd439cad5eefeef1fecbc9076b72ef76fb80b6
Log: Fix bug #72724
 [2016-08-02 22:35 UTC] nikic@php.net
-Status: Feedback +Status: Closed
 [2016-08-02 22:37 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2016-08-02 22:37 UTC] nikic@php.net
As this is a "blind" fix, I'd appreciate it if you can confirm that this indeed resolves the issue.
 [2016-08-03 09:01 UTC] spam2 at rhsoft dot net
the crash bug is gone, but in case of you have more than one upload fields (in my case 5) all of them where no file was choosed it poduces a error message "Unknown(0) : Notice - No file uploaded" which breaks output buffering is not helpful

and well, there are memory leaks, see also https://bugs.php.net/bug.php?id=72734 - may i suggest that the php-developers compile a debug build at their own and call some real time code instead force users to find and debug such obvious bugs listed in the error_log?

Unknown(0) : Notice - No file uploaded
Unknown(0) : Notice - No file uploaded
Unknown(0) : Notice - No file uploaded
Unknown(0) : Notice - No file uploaded

/Volumes/dune/www-servers/uploadprogress/demo/index.php(2) : Warning - session_start() [<a href='http://at.php.net/manual/de/function.session-start.php'>function.session-start.php</a>]: Cannot send session cache limiter - headers already sent
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/php_date.c(922) :  Freeing 0x7F257EE01720 (56 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/Zend/zend_hash.c(140) :  Freeing 0x7F257EE032C0 (288 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/timelib.c(132) :  Freeing 0x7F257EE650C0 (160 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
/home/builduser/rpmbuild/BUILD/php-7.0.9/Zend/zend_alloc.c(2518) : Actual location (location was relayed)
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/parse_tz.c(120) :  Freeing 0x7F257EE65180 (141 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/parse_tz.c(161) :  Freeing 0x7F257EE65240 (140 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/Zend/zend_string.h(121) :  Freeing 0x7F257EE67460 (40 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/timelib.c(133) :  Freeing 0x7F257EE68030 (14 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/parse_tz.c(175) :  Freeing 0x7F257EE68060 (13 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/parse_tz.c(256) :  Freeing 0x7F257EE69050 (1 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
[Wed Aug  3 10:35:46 2016]  Script:  '/Volumes/dune/www-servers/uploadprogress/demo/index.php'
/home/builduser/rpmbuild/BUILD/php-7.0.9/ext/date/lib/parse_tz.c(110) :  Freeing 0x7F257EE6D000 (564 bytes), script=/Volumes/dune/www-servers/uploadprogress/demo/index.php
=== Total 10 memory leaks detected ===
 [2016-08-09 11:23 UTC] spam2 at rhsoft dot net
can we PLEASE get rid of "Unknown(0) : Notice - No file uploaded" warnings with debug modes since that *breaks* sessions and output buffering without any benefit so that people can use a php-debug-build on development machines to track down all that existing memory leaks (see previous comment about one in this context)
 [2016-08-09 11:31 UTC] yohgaki@php.net
-Status: Closed +Status: Re-Opened
 [2016-08-09 11:36 UTC] yohgaki@php.net
Comment out this line to disable E_NOTICE

./main/rfc1867.c:1002:				sapi_module.sapi_error(E_NOTICE, "No file uploaded");
 [2016-08-09 11:39 UTC] spam2 at rhsoft dot net
while that's a nice workaround that line should not exist because serious testsers are building their PHP with rpmbuild and have a global flag there to build php and all pecl extension-packages with or without debug
 [2016-08-18 21:26 UTC] spam2 at rhsoft dot net
congratulations - PHP 7.0.10 was released and this is still not fixed while it's an obvious bug for anybody trying PHP7 longer than 10 minutes - why in the world did pecl-uploadprogress working for many years not just made it into core instead of this session-hack so things would still work proper?
 [2016-08-18 21:59 UTC] nikic@php.net
The patch for this bug did not make the cut for 7.0.10, as can be discerned from the changelog: https://github.com/php/php-src/blob/PHP-7.0/NEWS
 [2016-08-18 22:37 UTC] nikic@php.net
-Status: Re-Opened +Status: Closed
 [2016-08-18 22:37 UTC] nikic@php.net
Coupling between DEBUG_FILE_UPLOAD and ZEND_DEBUG removed by https://github.com/php/php-src/commit/37b0dcc8e01085e5a93b0dfcf79f8e87bcb9c3fe in 7.1+.
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1bcd439cad5eefeef1fecbc9076b72ef76fb80b6
Log: Fix bug #72724
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 14:01:35 2017 UTC