Bug #73600 SEGFAULT in php_ssh2_channel_stream_read
Submitted: 2016-11-24 14:01 UTC Modified: 2017-10-24 14:15 UTC
Votes:5
Avg. Score:4.8 ± 0.4
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:2 (40.0%)
From: elie+php at bouttier dot eu Assigned: langemeijer (profile)
Status: Assigned Package: ssh2 (PECL)
PHP Version: 7.0.13 OS: ArchLinux x86_64
Private report: No CVE-ID: None
 [2016-11-24 14:01 UTC] elie+php at bouttier dot eu
Description:
------------
I have a segfault in php_ssh2_channel_stream_read.
php-ssh version: 756e2f1369f2d5ff006222d978806f4fd91659e1 (Thu Nov 10 09:33:25 2016 +0100)

I encounter this error with Pydio version 7.0.1 using the SFTP adapter.
PHP (v7.0.13) is launched by suPHP Apache module.

The php_ssh2_channel_stream_read function calls zend_fetch_resource(Z_RES_P(zresource), ...).
Z_RES_P(zresource) means Z_RES(*zresource), but according to gdb, zresource is NULL, leading to a NULL pointer dereference:
(gdb) print zresource
$14 = (zval *) 0x0

The zresource is initialized by:
zresource = php_ssh2_zval_from_resource_handle(abstract->session_rsrc);

(gdb) print abstract->session_rsrc
$15 = -1473489792
This does not look like a valid resource handle.

Some possibly useful values:
(gdb) print abstract->streamid
$17 = 0

Full backtrace:
(gdb) bt
#0  0x00007f75abb28758 in php_ssh2_channel_stream_read (stream=0x7f75a95e9700, buf=0x7f75a82a4000 "`\222*\250u\177", count=8192) at /home/elie/pkgbuild/php-ssh-unstable/src/php-ssh-unstable/ssh2_fopen_wrappers.c:98
#1  0x00000000006445ed in _php_stream_fill_read_buffer ()
#2  0x0000000000644717 in _php_stream_read ()
#3  0x0000000000645ab9 in _php_stream_copy_to_mem ()
#4  0x00000000005f7a41 in ?? ()
#5  0x0000000000712d3f in ?? ()
#6  0x00000000006cf7db in execute_ex ()
#7  0x000000000067f3ad in zend_call_function ()
#8  0x000000000059bd75 in ?? ()
#9  0x0000000000712d3f in ?? ()
#10 0x00000000006cf7db in execute_ex ()
#11 0x000000000067f3ad in zend_call_function ()
#12 0x000000000067f6f9 in call_user_function_ex ()
#13 0x000000000064e5ac in ?? ()
#14 0x000000000064688e in _php_stream_stat_path ()
#15 0x00000000005aca45 in ?? ()
#16 0x00000000005af49b in ?? ()
#17 0x0000000000521236 in ?? ()
#18 0x0000000000712d3f in ?? ()
#19 0x00000000006cf7db in execute_ex ()
#20 0x000000000067f3ad in zend_call_function ()
#21 0x000000000067f6f9 in call_user_function_ex ()
#22 0x000000000064e5ac in ?? ()
#23 0x000000000064688e in _php_stream_stat_path ()
#24 0x00000000005aca45 in ?? ()
#25 0x00000000005af49b in ?? ()
#26 0x0000000000521236 in ?? ()
#27 0x0000000000712d3f in ?? ()
#28 0x00000000006cf7db in execute_ex ()
#29 0x000000000067f3ad in zend_call_function ()
#30 0x000000000067f6f9 in call_user_function_ex ()
#31 0x000000000064e5ac in ?? ()
#32 0x000000000064688e in _php_stream_stat_path ()
#33 0x00000000005aca45 in ?? ()
#34 0x00000000005af49b in ?? ()
#35 0x0000000000521236 in ?? ()
#36 0x0000000000712d3f in ?? ()
#37 0x00000000006cf7db in execute_ex ()
#38 0x000000000067f3ad in zend_call_function ()
#39 0x000000000059bf4f in ?? ()
#40 0x0000000000712d3f in ?? ()
#41 0x00000000006cf7db in execute_ex ()
#42 0x000000000067f3ad in zend_call_function ()
#43 0x000000000059bf4f in ?? ()
#44 0x0000000000712d3f in ?? ()
#45 0x00000000006cf7db in execute_ex ()
#46 0x000000000067f3ad in zend_call_function ()
#47 0x000000000059bf4f in ?? ()
#48 0x0000000000712d3f in ?? ()
#49 0x00000000006cf7db in execute_ex ()
#50 0x000000000067f3ad in zend_call_function ()
#51 0x000000000059bf4f in ?? ()
#52 0x0000000000712d3f in ?? ()
#53 0x00000000006cf7db in execute_ex ()
#54 0x000000000067f3ad in zend_call_function ()
#55 0x000000000059bf4f in ?? ()
#56 0x0000000000712d3f in ?? ()
#57 0x00000000006cf7db in execute_ex ()
#58 0x000000000067f3ad in zend_call_function ()
#59 0x000000000059bf4f in ?? ()
#60 0x0000000000712d3f in ?? ()
#61 0x00000000006cf7db in execute_ex ()
#62 0x000000000067f3ad in zend_call_function ()
#63 0x000000000059bf4f in ?? ()
#64 0x0000000000712d3f in ?? ()
#65 0x00000000006cf7db in execute_ex ()
#66 0x000000000067f3ad in zend_call_function ()
#67 0x000000000059bf4f in ?? ()
#68 0x0000000000712d3f in ?? ()
#69 0x00000000006cf7db in execute_ex ()
#70 0x000000000067f3ad in zend_call_function ()
#71 0x000000000059bf4f in ?? ()
#72 0x0000000000712d3f in ?? ()
#73 0x00000000006cf7db in execute_ex ()
#74 0x000000000067f3ad in zend_call_function ()
#75 0x000000000059bf4f in ?? ()
#76 0x0000000000712d3f in ?? ()
#77 0x00000000006cf7db in execute_ex ()
#78 0x000000000067f3ad in zend_call_function ()
#79 0x000000000059bf4f in ?? ()
#80 0x0000000000712d3f in ?? ()
#81 0x00000000006cf7db in execute_ex ()
#82 0x000000000067f3ad in zend_call_function ()
#83 0x000000000059bd75 in ?? ()
#84 0x0000000000712d3f in ?? ()
#85 0x00000000006cf7db in execute_ex ()
#86 0x00000000007228b7 in zend_execute ()
#87 0x000000000068d863 in zend_execute_scripts ()
#88 0x000000000062d490 in php_execute_script ()
#89 0x000000000043453d in ?? ()
#90 0x00007f75b66de291 in __libc_start_main () from /usr/lib/libc.so.6
#91 0x0000000000434daa in _start ()

Test script:
---------------
Sorry, I am not a PHP developer, even less a specialist of Pydio code :-/
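A simplified C model of the failure path described in this report, added here as an example and not code from the php-ssh2 extension or from the Zend engine: the resource table, the handle lookup and the read routine are stand-ins with assumed names, and the lookup result is validated before use so that a stale handle value like the one in the report returns an error instead of being passed into Z_RES_P() and dereferenced.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in (an assumption for this example, not the real
 * php-ssh2 or Zend types): sessions sit in a table keyed by an integer
 * handle, the way the stream abstract stores session_rsrc. */
#define MAX_RESOURCES 8
#define SESSION_TYPE "SSH2 Session"

typedef struct {
    int handle;        /* integer handle that the stream abstract stores */
    const char *type;  /* resource type name checked on every fetch */
    void *ptr;         /* the LIBSSH2_SESSION* in the real extension */
} resource_t;

typedef struct { int session_rsrc; } stream_abstract_t;  /* abstract->session_rsrc */

static resource_t resource_table[MAX_RESOURCES];
static int resource_count = 0;

/* Register a session resource and return its handle (-1 when the table is full). */
int resource_register(const char *type, void *ptr) {
    if (resource_count >= MAX_RESOURCES) return -1;
    resource_t *r = &resource_table[resource_count++];
    r->handle = resource_count;  /* handles start at 1 */
    r->type = type;
    r->ptr = ptr;
    return r->handle;
}

/* Stand-in for php_ssh2_zval_from_resource_handle(): NULL when no live
 * resource carries the handle, which is what the report hits with -1473489792;
 * the reported line 98 passes that NULL straight into Z_RES_P(). */
resource_t *resource_from_handle(int handle) {
    for (int i = 0; i < resource_count; i++)
        if (resource_table[i].handle == handle) return &resource_table[i];
    return NULL;
}

/* Hardened read: validate the lookup and the resource type before use.
 * Returns bytes copied into buf, or -1 on an invalid session handle. */
long channel_stream_read(const stream_abstract_t *abstract, char *buf, size_t count) {
    resource_t *res = resource_from_handle(abstract->session_rsrc);
    if (res == NULL || res->ptr == NULL || strcmp(res->type, SESSION_TYPE) != 0)
        return -1;  /* stale or garbage handle: fail closed instead of crashing */
    const char *payload = (const char *)res->ptr;  /* constructed sample data */
    size_t n = strlen(payload);
    if (n > count) n = count;
    memcpy(buf, payload, n);
    return (long)n;
}
```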


 [2016-12-09 23:14 UTC] oldbucsfan at hotmail dot com
May be related to this bug on Windows Server 2012?
https://bugs.php.net/bug.php?id=72451
 [2016-12-15 12:41 UTC] hranicka at outlook dot com
I have the same problem.

PHP 7.0.14, SSH2 extension compiled from latest sources (https://github.com/php/pecl-networking-ssh2/commit/756e2f1369f2d5ff006222d978806f4fd91659e1) because PECL extension v 1.0 stopped working correctly since PHP 7.0.13.


Here is my backtrace:

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/php7/bin/php...done.

warning: core file may not match specified executable file.
[New LWP 16057]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php7 www/index.php deployment:staging -f'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f9f314af134 in php_ssh2_channel_stream_read (stream=0x7f9f3026e900, 
    buf=0x7f9f2f946000 "\034\276\272\212j^~\354\022]\266\342r\347\261]\351\336L\352\070e\031\266\f?\272\065N=\254\356e\347\315|N\314[\360\275d&X\213\n\374*t\300\061\357\360?f\223q\353{\332'\300<\355\bDΨ\250B\211\265@\n\002\324\065\vx\002\001\260vsi\353;Zß\357\266О?|x\376\370-[\232\063\332@\277\344\004\376J\367\226\344\270ߌ\266\003\302\312l\361\376\rk\272\217P8\235i)\335Q\321\062\376\327\061~ȋx\255\225\355\301\203\276\337\324E?>\342=\316\v\345UHC\267\071\345\022\030j\fb\232\261\271\352\360LЯn\nɼ\352\f\263G\201\342V\027j\023\272q2\377\241\351", <incomplete sequence \351>..., count=8192) at /tmp/php-7-debian/extensions/pecl-networking-ssh2/ssh2_fopen_wrappers.c:98
98		session = (LIBSSH2_SESSION *)zend_fetch_resource(Z_RES_P(zresource), PHP_SSH2_SESSION_RES_NAME, le_ssh2_session);
(gdb) bt
#0  0x00007f9f314af134 in php_ssh2_channel_stream_read (stream=0x7f9f3026e900, 
    buf=0x7f9f2f946000 "\034\276\272\212j^~\354\022]\266\342r\347\261]\351\336L\352\070e\031\266\f?\272\065N=\254\356e\347\315|N\314[\360\275d&X\213\n\374*t\300\061\357\360?f\223q\353{\332'\300<\355\bDΨ\250B\211\265@\n\002\324\065\vx\002\001\260vsi\353;Zß\357\266О?|x\376\370-[\232\063\332@\277\344\004\376J\367\226\344\270ߌ\266\003\302\312l\361\376\rk\272\217P8\235i)\335Q\321\062\376\327\061~ȋx\255\225\355\301\203\276\337\324E?>\342=\316\v\345UHC\267\071\345\022\030j\fb\232\261\271\352\360LЯn\nɼ\352\f\263G\201\342V\027j\023\272q2\377\241\351", <incomplete sequence \351>..., count=8192) at /tmp/php-7-debian/extensions/pecl-networking-ssh2/ssh2_fopen_wrappers.c:98
#1  0x000000000084609e in _php_stream_fill_read_buffer (stream=stream@entry=0x7f9f3026e900, size=size@entry=8192)
    at /tmp/php-7-debian/php-src/main/streams/streams.c:675
#2  0x00000000008461c7 in _php_stream_read (stream=stream@entry=0x7f9f3026e900, 
    buf=buf@entry=0x7f9f2f943018 "\367\022\201\333Z\025\036\070\062\261\230gj,\360Fh\301;\231\005.\275ɉ\340a\313$F'", 
    size=size@entry=8192) at /tmp/php-7-debian/php-src/main/streams/streams.c:722
#3  0x0000000000847579 in _php_stream_copy_to_mem (src=src@entry=0x7f9f3026e900, maxlen=0, persistent=persistent@entry=0)
    at /tmp/php-7-debian/php-src/main/streams/streams.c:1473
#4  0x00000000007e1c30 in zif_stream_get_contents (execute_data=<optimized out>, return_value=0x7f9f32016550)
    at /tmp/php-7-debian/php-src/ext/standard/streamsfuncs.c:438
#5  0x0000000000913986 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /tmp/php-7-debian/php-src/Zend/zend_vm_execute.h:714
#6  0x00000000008cf4bb in execute_ex (ex=<optimized out>) at /tmp/php-7-debian/php-src/Zend/zend_vm_execute.h:414
#7  0x0000000000880b4e in zend_call_function (fci=fci@entry=0x7ffe3f2a7800, fci_cache=0x7f9f2fdcdac0, fci_cache@entry=0x7ffe3f2a77d0)
    at /tmp/php-7-debian/php-src/Zend/zend_execute_API.c:858
#8  0x00000000006f30d2 in zim_reflection_method_invokeArgs (execute_data=<optimized out>, return_value=0x7f9f32013da0)
    at /tmp/php-7-debian/php-src/ext/reflection/php_reflection.c:3346
#9  0x0000000000914402 in ZEND_DO_FCALL_SPEC_HANDLER () at /tmp/php-7-debian/php-src/Zend/zend_vm_execute.h:842
#10 0x00000000008cf4bb in execute_ex (ex=<optimized out>) at /tmp/php-7-debian/php-src/Zend/zend_vm_execute.h:414
#11 0x00000000009235c7 in zend_execute (op_array=0x7f9f3207e000, op_array@entry=0x7f9f3206e280, 
    return_value=return_value@entry=0x7f9f32013c20) at /tmp/php-7-debian/php-src/Zend/zend_vm_execute.h:458
#12 0x000000000088f073 in zend_execute_scripts (type=type@entry=8, retval=0x7f9f32013c20, retval@entry=0x0, file_count=file_count@entry=3)
    at /tmp/php-7-debian/php-src/Zend/zend.c:1437
#13 0x000000000082ed60 in php_execute_script (primary_file=primary_file@entry=0x7ffe3f2a9ec0)
    at /tmp/php-7-debian/php-src/main/main.c:2494
#14 0x00000000009252a6 in do_cli (argc=4, argv=0x2c6d3e0) at /tmp/php-7-debian/php-src/sapi/cli/php_cli.c:974
#15 0x0000000000447844 in main (argc=4, argv=0x2c6d3e0) at /tmp/php-7-debian/php-src/sapi/cli/php_cli.c:1344
(gdb)
 [2017-01-25 13:36 UTC] ludek at ludek dot biz
I can reproduce it on PHP 7.1.1 with the newest SSH2 master (756e2f1) on Arch Linux 4.8.13-1-ARCH #1 SMP PREEMPT Fri Dec 9 07:24:34 CET 2016 x86_64 GNU/Linux. It's completely the same segfault at the same place (but my gdb and C skills are not great enough to give you a stack trace - plus I've already downgraded the PHP version).

Downgrading to PHP 7.0.12 fixes the problem.

Simple test case:
-----------------

<?php

$ssh = ssh2_connect('host', 22);
ssh2_auth_agent($ssh, 'user');
$stream = ssh2_exec($ssh, 'ls -l /');
$out = stream_get_contents($stream);
 [2017-10-24 14:15 UTC] yunosh@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: langemeijer