The patch I think I added doesn't show for me. You can also find it at https://gist.github.com/anonymous/080bdb43fe9a0eb57609a93e9e4dd093

Not sure how it's security issue. If you can run code on this server, you have already crossed security border.

Agree with stas, not a sec issue.

The case I could think of (and the reason I did choose Security as type) was due to shared hosting providers; Running multiple users on the same server where a single user can, as far as I know, (almost) undetectable use this to cause high load leading to a Denial of Service which affects other users.

Unassigning from Jérôme, since his latest commit has been more
than 4 years ago. Hopefully, somebody else will tackle this issue
this way.

This bug with Centos 7.0 and php 7 can be reproduced too

This bug is causing issues on our server (Centos 7 / WHM / PHP 70) as well - high load which in turn cause extremely slow performance.  We use shell_exec to generate PDFs and it seems like this is causing the PHP-FPM service to get stuck in an endless loop of trying to start and then exiting.

https://serverfault.com/questions/839135/nginx-php-fpm-child-exited-with-code-0

[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62666 exited with code 0 after 0.103145 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62675 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62665 exited with code 0 after 0.108670 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62676 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62667 exited with code 0 after 0.111453 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62677 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62668 exited with code 0 after 0.112478 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62678 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62669 exited with code 0 after 0.098957 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62679 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62671 exited with code 0 after 0.094954 seconds from start
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62680 started
[16-Jul-2017 12:49:45] NOTICE: [pool mysite_com] child 62670 exited with code 0 after 0.101192 seconds from start

I think the patch from the first comment only works around the problem ... the real question is this: Why does FPM care about STDIN at all?

After some looking around, this seems to be what happens:
 * wp->listening_socket is what we actually want to listen on.
 * fpm_globals.listening_socket is always 0 (effectively STDIN), because that's what the global is initialized to. It's never changed.
 * fpm_run() always returns fpm_globals.listening_socket and that's what fcgi listens on.
 * to make things line up fpm_stdio_init_child() does a dup2(wp->listening_socket, STDIN_FILENO).

So effectively we take the listening socket, dup2 it to STDIN and then listen on STDIN. The following patch removes the indirection through STDIN:

diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
index b48fa54..4ee316b 100644
--- a/sapi/fpm/fpm/fpm_children.c
+++ b/sapi/fpm/fpm/fpm_children.c
@@ -146,6 +146,7 @@ static struct fpm_child_s *fpm_child_find(pid_t pid) /* {{{ */
 static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 {
 	fpm_globals.max_requests = wp->config->pm_max_requests;
+	fpm_globals.listening_socket = dup(wp->listening_socket);
 
 	if (0 > fpm_stdio_init_child(wp)  ||
 	    0 > fpm_log_init_child(wp)    ||
diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
index 4072017..76e8b32 100644
--- a/sapi/fpm/fpm/fpm_stdio.c
+++ b/sapi/fpm/fpm/fpm_stdio.c
@@ -103,12 +103,6 @@ int fpm_stdio_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
 	fpm_globals.error_log_fd = -1;
 	zlog_set_fd(-1);
 
-	if (wp->listening_socket != STDIN_FILENO) {
-		if (0 > dup2(wp->listening_socket, STDIN_FILENO)) {
-			zlog(ZLOG_SYSERROR, "failed to init child stdio: dup2()");
-			return -1;
-		}
-	}
 	return 0;
 }
 /* }}} */

This also resolves the issue for me. However, I don't know if this has any side-effects, because something else relies on the STDIN mapping.

@nikic I think that the reason why FPM cares about STDIN is to conform FastCGI spec - namely section 2.2 ( http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S2.2 ) that states "FCGI_LISTENSOCK_FILENO equals STDIN_FILENO".

I guess it's because maybe some FastCGI application could access the data directly from the record but not really sure why. I can't really see the reason for that in the PHP case. I don't see any side effects of the patch at the moment but it might need a bit more thinking and testing.

We've deployed the suggested patch removing the use of STDIN internally (currently in testing pending production deployment). I'll update this bug report if we see any problems caused by it.

Hello

   Is the patch working and fix the issue ? Can I apply this patch safely ?

Thanks
~S

I'm under some pressure to put together a production PHP 7.2 + FPM setup, but then I ran head first into this bug. I don't know what's worse... that a critical subset of PHP functionality is incompatible with PHP-FPM, or that this has been known for so long and nothing has been done.

Is anyone aware of a workaround (other than this patch being evaluated)? I've got more of a mod_php background so I'm only just developing an understanding of the options here, but I've had no luck making adjustments to neutralize the issue. I've tested an option, for a dev server, that uses a cron to check the php-fpm log every minute and restart the service whenever the issue arises, but I can't put that into production. Worried this setup is simply a non-starter.

@bukka: What's the ETA on getting this merged? I saw that you submitted the PR for the fpm test revamp, so I assume that we'll start landing outstanding fpm patches soon?

We've seen no problems yet with the proposed patch in our internal infrastructure and we've applied it against both 7.0 and 7.2.

@nikic Yep that's sort of the plan. I want to finish the fpm logging changes and then will try to look on this one and other stuff. Can't really give you an ETA but hopefully it won't take too long. Will see. ;)

@bukka: Thanks for the update. That sounds like things might still take a while, in which case I will go ahead and merge this patch now. We can't afford to delay this issue by an indeterminate amount of time, and given the production testing by kenny at kennynet dot co dot uk, I believe we can be sufficiently confident in the correctness of the change.

@nikic Please can you create a PR first. I will try to look at it this week and if I don't find a time, go ahead but I think I should have time. Also a test should be present - that should be quite easy to do in the new tests...

Btw. I would a bit careful as we are breaking FastCGI "spec" (it's not really a spec though and it doesn't seem to be a useful part anywya) so maybe we should just target 7.2 first and then possibly back port it. WDT?

I just merged the test revamp. Think that the test for this could be similar to the one for fastcgi_finish_request - https://git.io/vhrAj . Of course the PHP code will be different (as test script) and there should be probably two requests and possibly some other changes - not exactly sure atm. as I would have to try it but think you will get the idea ;)

@bukka: I can't remember writing it, but I have this test against the old infrastructure lying around: https://gist.github.com/nikic/5904446746a7f90f98e856e6dda592ee I'll port it and submit a PR.

@bukka: PR up at https://github.com/php/php-src/pull/3287.

Hi

Our current php5 version is 5.6.34.
Pls let me know, if we can apply the patch (described in below link) to php5 5.6.34 

https://bugs.php.net/bug.php?id=73342&thanks=3

Thanks,
D Pal

Reopening with security classification to track backports to PHP 5.6 and PHP 7.0.

I don't think this is a security issue. It can cause issue just for the same pool running under same user. Basically it can't leak any information from the different pool. That actually reminds me https://bugs.php.net/bug.php?id=76067&edit=1 that had similar discussion and should be also changed to just a bug.

The issue still exists (7.2.7-1+ubuntu16.04.1+deb.sury.org+1), and its very annoying. As a workaround append " &>/dev/null" to the executed command.

Sorry, that "&>/dev/null" did not worked out. Using the following method instead of exec, shell_exec, etc. prevents the crashing loop:

$command = 'command to execute...';
$pipes = array();
$process = proc_open(
  $command,
  array(
     0 => array('pipe', 'r'),
     1 => array('pipe', 'w'),
     2 => array('pipe', 'w'),
  ),
  $pipes
);

stream_set_blocking($pipes[1], true);
stream_set_blocking($pipes[2], true);

if (
  is_resource($process)
) {

  $output = stream_get_contents($pipes[1]);
  $error = stream_get_contents($pipes[2]);

  fclose($pipes[1]);
  fclose($pipes[2]);

  proc_close($process);

}

Hi!
I've been struggling my head from last week, seriosly, about a behavior that makes no sense. We have some servers with debian7 and a script that sends "kill -USR2 `cat pid_file`" and reloads the php-fpm configurations gracefully.

Well, I'm being implementing the same configuration with debian9 (drived by systemD) and ... it don't works, I must do 'systemctl kill -s USR2 php-fpm.service', if not, it won't work.

And how I have arribed here?

Well, I have been compiling revisions of 7.1 and 7.2 since I have found the revisions that have a shared point, this bugfix.

Well, I don't know if I must open a new bug to solve the fix of this bug, because no one has commented it anyway on the Internet (3 full days of researching).

Maybe there is a command to configure systemD to accept the kill sent to the childrens (I have not try it yet).

Well, anyway, I just want to make you know that this bugfix generated a new one.

How to test it:

On a Debian 9 machine, configure the service into systemD, then open a new terminal and watch the behavior:

'watch -n.1 "systemctl status php72.service"'

Then send 'kill -USR2 PID_MASTER_PROCESS' and see, nothing happends (if you wait till process_control_timeout passes it hard kills all the childrens).
Now send: 'systemctl kill -s USR2 php72.service' and watch how it reloads childrens.

Ok, now try with php-fpm revisions 7.1.19 or 7.2.7. It works without problem.

Closing this as the time for 5.6/7.0 backports has already long since passed, and this fix is in 7.1.