Bug #73461 Segfault when always regenerating session id from read handler [PHP 7 only]
Submitted: 2016-11-04 17:17 UTC Modified: 2016-11-07 23:17 UTC
From: love at sickpeople dot se Assigned: yohgaki (profile)
Status: Closed Package: Documentation problem
PHP Version: 7.1.0RC5 OS:
Private report: No CVE-ID: None
 [2016-11-04 17:17 UTC] love at sickpeople dot se
Description:
------------
The code below segfaults in PHP 7.x including PHP 7.1 RC5.

Basically this is a segfault due to infinite recursion and I know there have been reports about that before. I created this bug for one main reason: this crash does NOT occur in PHP 5.x, including 5.6.27. It "appeared" in PHP 7.0.

Please see demo here: https://3v4l.org/Lc1cX

Test script:
---------------
<?php
// Minimal user save handler: every callback except read() is a no-op returning true.
session_set_save_handler('sess', 'sess', 'sess_read', 'sess', 'sess', 'sess');

session_start();

function sess($foo = 'foo') { return true; }

// read() regenerates the session ID, which makes the session module call the
// handlers again, including read(): unbounded recursion, hence the segfault.
function sess_read($id)
{
    session_regenerate_id(false);
}
 [2016-11-05 08:30 UTC] laruence@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2016-11-05 08:30 UTC] laruence@php.net
stack overflow
 [2016-11-05 17:30 UTC] yohgaki@php.net
-Package: Reproducible crash +Package: Documentation problem
 [2016-11-05 17:30 UTC] yohgaki@php.net
This kind of save handler abuse is trivial. 
e.g.
function sess($foo) {
  sess($foo);
}

Another example is
https://3v4l.org/Cj76q

I don't think abusive code protection is worth implementing, at least by the session module. Making this a documentation problem. (BTW, session_regenerate_id() calls all handlers to do the job correctly. So it is not limited to the read() handler, but applies to all handlers.)

A possible solution by core is excessive recursive call detection like Python, or detection of reaching the stack limit like Ruby.

A possible solution by the session module is to limit the number of handler calls. Does any of us feel this is preferred?
 [2016-11-05 21:26 UTC] yohgaki@php.net
> Possible solution by session module is to limit number of handler calls. Does any of us feel this is preferred?

I'll add documentation, but I'll also add a new state "session is in save handler" to prevent infinite calls, because I realized that this is required so that session_create_id() is usable in the create_sid() save handler. (I was expecting users to generate a new session ID on their own while the session is active, but using session_create_id() is handy.)

I think this should be in PHP7.1 (not 7.0), so I'll prepare the patch soon.
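A defensive handler for the recursion described in this thread, as an added example that is neither the reporter's script nor php-src code; it assumes PHP 8.0+ method signatures and an in-memory store constructed for the demo:

```php
<?php
// Added example (not the reporter's script, not php-src): a save handler that
// cannot recurse the way bug #73461 describes. Assumes PHP 8.0+ signatures and
// an in-memory store constructed for the demo.
final class ReentrancyGuardedHandler implements SessionHandlerInterface
{
    private array $store = [];            // constructed stand-in for real storage
    private int $depth = 0;               // > 0 while one of our callbacks runs
    public bool $rotateRequested = false; // set by read(), acted on by the caller

    // Mirrors the "session is in save handler" state proposed in the thread:
    // a callback that re-enters the handler fails loudly instead of overflowing
    // the stack.
    private function enter(): void
    {
        if ($this->depth > 0) {
            throw new LogicException('session save handler re-entered');
        }
        $this->depth++;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }

    public function read(string $id): string|false
    {
        $this->enter();   // throws if called while a callback is already running
        try {
            $data = $this->store[$id] ?? '';
            // Decide here, act later: never call session_regenerate_id() from a
            // handler, because it calls every handler again (that is the recursion).
            $this->rotateRequested = ($data === '');   // e.g. an unknown or new ID
            return $data;
        } finally {
            $this->depth--;
        }
    }
}

$handler = new ReentrancyGuardedHandler();
session_set_save_handler($handler, true);
session_start();
if ($handler->rotateRequested) {
    session_regenerate_id(true);   // safe here: no handler callback is in progress
}
$_SESSION['seen'] = ($_SESSION['seen'] ?? 0) + 1;
```

The rotation decision is made inside read() but carried out by the caller after session_start() returns, which is the only point where no handler callback is in flight.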
 [2016-11-07 20:31 UTC] love at sickpeople dot se
@Yohgaki: is it known why this does *not* crash in 5.6? I'm asking since there is no protection against this in 5.6, yet no crash occurs.
 [2016-11-07 23:17 UTC] yohgaki@php.net
5.6 does not crash because it does not do what it should do.
 [2016-11-16 05:14 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7b29c3fba6678ea84285aa60b2494cc79f388bbb
Log: Revert "Fix Bug #73461"
 [2016-11-16 05:14 UTC] krakjoe@php.net
-Status: Assigned +Status: Closed
 [2016-11-16 05:14 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6230c2bad089bfbf518b64ef0868bf9d55a2145c
Log: Fix Bug #73461
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC