php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #73548 Abort on buffer overflow detected with stream_select
Submitted: 2016-11-16 21:44 UTC Modified: 2021-01-15 15:47 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: sroussey at gmail dot com Assigned:
Status: Verified Package: Scripting Engine problem
PHP Version: 7.0.13 OS: CentOS Linux release 7.2.1511
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sroussey at gmail dot com
New email:
PHP Version: OS:

 

 [2016-11-16 21:44 UTC] sroussey at gmail dot com
Description:
------------
Using stream_select causes php to abort, but only when using mod_php in apache. On the cli it works fine. Also no issue in 5.6.x

Test script:
---------------
<?php echo stream_select($r=[fopen("/dev/null","r")], $w=[], $e=[], 0, 0); ?>

Expected result:
----------------
echo out a #

Actual result:
--------------
Nothing, the process aborts. (BTW: xdebug makes no difference, this report includes it, but running without still has the error) 

Apache error log:

[Wed Nov 16 21:29:32.229692 2016] [core:notice] [pid 2207699] AH00052: child pid 2207721 exit signal Aborted (6)
*** buffer overflow detected ***: /usr/sbin/httpd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f5ec24c3597]
/lib64/libc.so.6(+0x10c750)[0x7f5ec24c1750]
/lib64/libc.so.6(+0x10e507)[0x7f5ec24c3507]
/etc/httpd/modules/libphp7.so(+0x1dd37d)[0x7f5eb71b137d]
/etc/httpd/modules/libphp7.so(+0x1df6ce)[0x7f5eb71b36ce]
/etc/httpd/modules/libphp7.so(dtrace_execute_internal+0x2b)[0x7f5eb7208c1b]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_internal+0x161)[0x7f5eb499ccc1]
/etc/httpd/modules/libphp7.so(+0x2c1ce4)[0x7f5eb7295ce4]
/etc/httpd/modules/libphp7.so(execute_ex+0x1b)[0x7f5eb725750b]
/etc/httpd/modules/libphp7.so(dtrace_execute_ex+0x79)[0x7f5eb7208af9]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x2df)[0x7f5eb499c34f]
/etc/httpd/modules/libphp7.so(zend_execute+0x1af)[0x7f5eb72a1b5f]
/etc/httpd/modules/libphp7.so(zend_execute_scripts+0xc3)[0x7f5eb7218793]
/etc/httpd/modules/libphp7.so(php_execute_script+0x2d8)[0x7f5eb71b9538]
/etc/httpd/modules/libphp7.so(+0x2cf52d)[0x7f5eb72a352d]
/usr/sbin/httpd(ap_run_handler+0x40)[0x7f5ec3ef7290]
/usr/sbin/httpd(ap_invoke_handler+0x69)[0x7f5ec3ef77d9]
/usr/sbin/httpd(ap_process_async_request+0x20a)[0x7f5ec3f0bbca]
/usr/sbin/httpd(ap_process_request+0x14)[0x7f5ec3f0bea4]
/usr/sbin/httpd(+0x507f2)[0x7f5ec3f087f2]
/usr/sbin/httpd(ap_run_process_connection+0x40)[0x7f5ec3f00890]
/etc/httpd/modules/mod_mpm_prefork.so(+0x380f)[0x7f5eba64980f]
/etc/httpd/modules/mod_mpm_prefork.so(+0x3a55)[0x7f5eba649a55]
/etc/httpd/modules/mod_mpm_prefork.so(+0x3ab6)[0x7f5eba649ab6]
/etc/httpd/modules/mod_mpm_prefork.so(+0x47c0)[0x7f5eba64a7c0]
/usr/sbin/httpd(ap_run_mpm+0x4e)[0x7f5ec3edd5be]
/usr/sbin/httpd(main+0xa86)[0x7f5ec3ed6b46]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5ec23d6b15]
/usr/sbin/httpd(+0x1ec81)[0x7f5ec3ed6c81]


Rewritten php part from gdb:

#6  0x00007fffeb2f837d in stream_array_to_fd_set.part.6 () from /etc/httpd/modules/libphp7.so
#7  0x00007fffeb2fa6ce in zif_stream_select () from /etc/httpd/modules/libphp7.so
#8  0x00007fffeb34fc1b in dtrace_execute_internal () from /etc/httpd/modules/libphp7.so
#9  0x00007fffe2475cc1 in xdebug_execute_internal (current_execute_data=0x7fffe8e18120, return_value=0x7fffe8e18110) at /var/tmp/xdebug/xdebug.c:2048
#10 0x00007fffeb3dcce4 in ZEND_DO_FCALL_SPEC_HANDLER () from /etc/httpd/modules/libphp7.so
#11 0x00007fffeb39e50b in execute_ex () from /etc/httpd/modules/libphp7.so
#12 0x00007fffeb34faf9 in dtrace_execute_ex () from /etc/httpd/modules/libphp7.so
#13 0x00007fffe247534f in xdebug_execute_ex (execute_data=0x7fffe8e18030) at /var/tmp/xdebug/xdebug.c:1900
#14 0x00007fffeb3e8b5f in zend_execute () from /etc/httpd/modules/libphp7.so
#15 0x00007fffeb35f793 in zend_execute_scripts () from /etc/httpd/modules/libphp7.so
#16 0x00007fffeb300538 in php_execute_script () from /etc/httpd/modules/libphp7.so
#17 0x00007fffeb3ea52d in php_handler () from /etc/httpd/modules/libphp7.so




Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-17 23:17 UTC] sroussey at gmail dot com
ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
 [2016-11-17 23:20 UTC] sroussey at gmail dot com
The good news: there is no actual buffer overflow.

The bad news: libc believes there is one because it was compiled with an __FD_SETSIZE of 1024 and PHP was compiled with 65536. CentOS 7 libc actually checks the FD your using against the set size, where CentOS 6’s libc didn’t.

There are two ways to fix this. The first is to roll our own build of libc and CentOS 7 where we set __FD_SETSIZE to 65536 so it matches PHP. The second is to move away from anything that uses select(); poll() and epoll() are much better at handling large FD sets anyways.
 [2016-11-17 23:22 UTC] sroussey at gmail dot com
BTW: I have PHP with a higher limit as I ran into issues with mysqlnd and mysqli_poll:

PHP Warning:  mysqli_poll(): You MUST recompile PHP with a larger value of FD_SETSIZE.
It is set to 1024, but you have descriptors numbered at least as high as 2690.
 --enable-fd-setsize=3072 is recommended, but you may want to set it
to equal the maximum number of open files supported by your system,
 [2021-01-15 15:47 UTC] cmb@php.net
-Status: Open +Status: Verified -Type: Bug +Type: Documentation Problem -Package: Apache2 related +Package: Scripting Engine problem
 [2021-01-15 15:47 UTC] cmb@php.net
It appears that --enable-fd-setsize is not documented yet (only
PHP_FD_SETSIZE).  Changing to doc bug.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 11 05:01:27 2024 UTC