PHP :: Bug #73193 :: Invalid pointer in heap freelist, related to mysqlnd

Bug #73193

Invalid pointer in heap freelist, related to mysqlnd

Submitted:

2016-09-28 09:01 UTC

Modified:

2016-10-07 09:45 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

marlies dot heijkoop at belsimpel dot nl

Assigned:

Status:

Closed

Package:

MySQLi related

PHP Version:

7.0.11

OS:

Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	marlies dot heijkoop at belsimpel dot nl
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-09-28 09:01 UTC] marlies dot heijkoop at belsimpel dot nl

Description:
------------
Apologies in advance for the wall of text, but since I'm unable to reproduce the issue in an isolated test script, I figured I'd provide all the information I've got on this so someone else might be able to.

I am seeing consistent segfaults in our code base on PHP 7.0.11-1+deb.sury.org~trusty+1. I've managed to trace it to a method which does a couple of queries through mysqli prepared statements, does some calls to other code and does a recursive call to itself (but only one level deep).

Issue occurs running in php-fpm as well as using the built-in development server.

I've spent a couple of hours trying to reproduce the issue in a simple script, but unfortunately was unable to.

The exact line of code where PHP crashes doesn't seem to be the cause, it's crashing because it ends up using an invalid pointer in `zend_mm_alloc_small`.

By taking a look at the heap, I see

```
(gdb) inspect heap->free_slot
$2 = {0x7fffe5df15e8, 0x7fffe5d4bdd0, 0x7fffe4b524b0, 0x7fffe4ae6720, 0x7fffe4ae52a8, 0x7fffe4a9a780, 0xc2777fffe4a450df, 0x7fffe4a39c00, 0x7ffff5f4a4b0, 0x7fffe4a47de0, 
  0x7fffe4a2cee0, 0x7fffe4aaf480, 0x7fffe4aad000, 0x7fffe4a32e40, 0x7fffe4aba2a0, 0x7fffe4b05400, 0x7fffe4a3f7c0, 0x7fffe4abfd00, 0x7fffe4ae31c0, 0x7fffe4abb800, 0x7fffe4b02e80, 
  0x7fffe4a57800, 0x7fffe4ac7380, 0x7fffe4b07c00, 0x7fffe4a9f200, 0x7fffe4ad1200, 0x7fffe4b3d300, 0x7fffe5c06800, 0x7fffe4a52400, 0x7fffe4a4e400}
(gdb)
```

The sixth element does indeed seem to be shifted by 2 bytes.


Interestingly though, I've compiled the Ubuntu package with --enable-debug and hit a failed assertion in `_zval_dtor_func`:

php7.0: /php7.0-7.0.11/Zend/zend_variables.c:43: _zval_dtor_func: Assertion `(arr)->gc.refcount <= 1' failed.

This traces to `mysqli_stmt::fetch` (mysqlnd_ps.c:1215) where the comment reads "mysqlnd_stmt_store_result() has been called, free the bind variables to prevent leaking of their previous content."


Test script:
---------------
I think it's a combination of re-using bound result variables in multiple queries, recursion, using some of those (strings!) as array indices and not always calling `mysqli_stmt::store_result()`, calling it *before* `mysqli_stmt::bind_result()` on some occasions and *after* on others.


Expected result:
----------------
No crash, same code works as expected on PHP 5.3 (using mysqlnd as well).

Actual result:
--------------
Backtrace without debugging (segfault):

#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7ffff5e00040) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_alloc.c:1295
#1  _emalloc_56 () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_alloc.c:2369
#2  0x0000555555815df2 in ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:17513
#3  0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#4  0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#5  0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#6  0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#7  0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#8  0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#9  0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#10 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#11 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#12 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#13 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#14 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#15 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#16 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#17 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#18 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#19 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#20 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#21 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#22 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#23 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#24 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#25 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#26 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#27 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#28 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#29 0x0000555555823d90 in ZEND_DO_FCALL_SPEC_HANDLER () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:800
#30 0x00005555557e64fb in execute_ex (ex=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:414
#31 0x000055555579a969 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_dtrace.c:83
#32 0x000055555582facf in zend_execute (op_array=op_array@entry=0x7ffff5e76000, return_value=return_value@entry=0x7fffffffc5f0)
    at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_vm_execute.h:458
#33 0x00005555557a9fa4 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x7fffffffc5f0, file_count=file_count@entry=1)
    at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend.c:1427
#34 0x0000555555836edc in php_cli_server_dispatch_router (client=<optimized out>, server=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2065
#35 0x0000555555837827 in php_cli_server_dispatch (client=0x555555d8dac0, server=0x555555b82f40 <server>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2104
#36 php_cli_server_recv_event_read_request (server=0x555555b82f40 <server>, client=0x555555d8dac0) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2321
#37 0x0000555555838049 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffc8d0, fd=fd@entry=4, event=event@entry=1)
    at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2406
#38 0x0000555555838ff7 in php_cli_server_poller_iter_on_active (poller=0x555555b82f48 <server+8>, callback=0x555555837f70 <php_cli_server_do_event_for_each_fd_callback>, 
    opaque=0x7fffffffc8d0) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:831
#39 php_cli_server_do_event_for_each_fd (whandler=0x555555836010 <php_cli_server_send_event>, rhandler=0x555555837670 <php_cli_server_recv_event_read_request>, 
    server=0x555555b82f40 <server>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2424
#40 php_cli_server_do_event_loop (server=0x555555b82f40 <server>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2434
#41 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli_server.c:2535
#42 0x000055555563c95f in main (argc=4, argv=0x555555b8b980) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli.c:1347


Backtrace for the failed assertion on PHP compiled with --enable-debug:

#0  0x00007ffff6486c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff648a028 in __GI_abort () at abort.c:89
#2  0x00007ffff647fbf6 in __assert_fail_base (fmt=0x7ffff65d03b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55555598f1dd "(arr)->gc.refcount <= 1", 
    file=file@entry=0x55555598f1b8 "/php7.0-7.0.11/Zend/zend_variables.c", line=line@entry=43, function=function@entry=0x55555598f2c0 <__PRETTY_FUNCTION__.8749> "_zval_dtor_func") at assert.c:92
#3  0x00007ffff647fca2 in __GI___assert_fail (assertion=0x55555598f1dd "(arr)->gc.refcount <= 1", file=0x55555598f1b8 "/php7.0-7.0.11/Zend/zend_variables.c", line=43, 
    function=0x55555598f2c0 <__PRETTY_FUNCTION__.8749> "_zval_dtor_func") at assert.c:101
#4  0x0000555555865d2c in _zval_dtor_func (p=0x7ffff5f54a20, __zend_filename=0x7ffff555d798 "/php7.0-7.0.11/ext/mysqlnd/mysqlnd_ps.c", __zend_lineno=1215) at /php7.0-7.0.11/Zend/zend_variables.c:43
#5  0x00007ffff553aa63 in _zval_dtor (zvalue=0x7ffff5e017e8, __zend_filename=0x7ffff555d798 "/php7.0-7.0.11/ext/mysqlnd/mysqlnd_ps.c", __zend_lineno=1215) at /php7.0-7.0.11/Zend/zend_variables.h:44
#6  0x00007ffff5546416 in php_mysqlnd_stmt_fetch_pub (s=0x7ffff5fe09a0, fetched_anything=0x7fffffffb427 "") at /php7.0-7.0.11/ext/mysqlnd/mysqlnd_ps.c:1215
#7  0x00007fffe6b12f5d in mysqli_stmt_fetch_mysqlnd (execute_data=0x7ffff5e17fa0, return_value=0x7ffff5e17f50) at /php7.0-7.0.11/ext/mysqli/mysqli_api.c:1129
#8  0x00007fffe6b12fb5 in zif_mysqli_stmt_fetch (execute_data=0x7ffff5e17fa0, return_value=0x7ffff5e17f50) at /php7.0-7.0.11/ext/mysqli/mysqli_api.c:1147
#9  0x00005555558c4093 in execute_internal (execute_data=0x7ffff5e17fa0, return_value=0x7ffff5e17f50) at /php7.0-7.0.11/Zend/zend_execute.c:2045
#10 0x000055555584eddf in dtrace_execute_internal (execute_data=0x7ffff5e17fa0, return_value=0x7ffff5e17f50) at /php7.0-7.0.11/Zend/zend_dtrace.c:107
#11 0x00005555558c691f in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:844
#12 0x00005555558c5785 in execute_ex (ex=0x7ffff5e17bc0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#13 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e17bc0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#14 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#15 0x00005555558c5785 in execute_ex (ex=0x7ffff5e177e0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#16 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e177e0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#17 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#18 0x00005555558c5785 in execute_ex (ex=0x7ffff5e176c0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#19 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e176c0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#20 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#21 0x00005555558c5785 in execute_ex (ex=0x7ffff5e17600) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#22 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e17600) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#23 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#24 0x00005555558c5785 in execute_ex (ex=0x7ffff5e174b0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#25 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e174b0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#26 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#27 0x00005555558c5785 in execute_ex (ex=0x7ffff5e173e0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#28 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e173e0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#29 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#30 0x00005555558c5785 in execute_ex (ex=0x7ffff5e17280) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#31 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e17280) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#32 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#33 0x00005555558c5785 in execute_ex (ex=0x7ffff5e171e0) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#34 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e171e0) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#35 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#36 0x00005555558c5785 in execute_ex (ex=0x7ffff5e17140) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#37 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e17140) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#38 0x00005555558c6768 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7.0-7.0.11/Zend/zend_vm_execute.h:800
#39 0x00005555558c5785 in execute_ex (ex=0x7ffff5e17030) at /php7.0-7.0.11/Zend/zend_vm_execute.h:414
#40 0x000055555584ed41 in dtrace_execute_ex (execute_data=0x7ffff5e17030) at /php7.0-7.0.11/Zend/zend_dtrace.c:83
#41 0x00005555558c5897 in zend_execute (op_array=0x7ffff5e03000, return_value=0x7fffffffce80) at /php7.0-7.0.11/Zend/zend_vm_execute.h:458
#42 0x0000555555869aa8 in zend_execute_scripts (type=8, retval=0x7fffffffce80, file_count=1) at /php7.0-7.0.11/Zend/zend.c:1427
#43 0x0000555555933bc5 in php_cli_server_dispatch_router (server=0x555555c8d5e0 <server>, client=0x555555f43890) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2065
#44 0x0000555555933d98 in php_cli_server_dispatch (server=0x555555c8d5e0 <server>, client=0x555555f43890) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2104
#45 0x0000555555934616 in php_cli_server_recv_event_read_request (server=0x555555c8d5e0 <server>, client=0x555555f43890) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2321
#46 0x0000555555934988 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffd110, fd=5, event=1) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2406
#47 0x0000555555930b6c in php_cli_server_poller_iter_on_active (poller=0x555555c8d5e8 <server+8>, opaque=0x7fffffffd110, callback=0x55555593476e <php_cli_server_do_event_for_each_fd_callback>)
    at /php7.0-7.0.11/sapi/cli/php_cli_server.c:831
#48 0x00005555559349fb in php_cli_server_do_event_for_each_fd (server=0x555555c8d5e0 <server>, rhandler=0x55555593451f <php_cli_server_recv_event_read_request>, whandler=0x55555593463d <php_cli_server_send_event>)
    at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2424
#49 0x0000555555934a5f in php_cli_server_do_event_loop (server=0x555555c8d5e0 <server>) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2434
#50 0x0000555555934e0c in do_cli_server (argc=4, argv=0x555555c95c80) at /php7.0-7.0.11/sapi/cli/php_cli_server.c:2535
#51 0x000055555592bac3 in main (argc=4, argv=0x555555c95c80) at /php7.0-7.0.11/sapi/cli/php_cli.c:1347

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-28 09:35 UTC] nikic@php.net

-Status: Open +Status: Feedback

[2016-09-28 09:35 UTC] nikic@php.net

This is very likely a duplicate of bug #72489. Could you please check if 7.0.12RC1 resolves your issue?

[2016-09-28 13:43 UTC] marlies dot heijkoop at belsimpel dot nl

I can't believe I didn't find that bug!

Upgraded to 7.0.12RC1 and it does indeed resolve this issue, thanks!

[2016-10-07 09:45 UTC] marlies dot heijkoop at belsimpel dot nl

-Status: Feedback +Status: Closed

[2016-10-07 09:45 UTC] marlies dot heijkoop at belsimpel dot nl

I did some more testing on 7.0.12RC1 and haven't seen a single segfault, so I'll close this report. Thanks again :)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 12:01:29 2024 UTC