Bug #73939 Memory allocation in signal handler causes segfault
Submitted: 2017-01-15 02:45 UTC
Modified: -
From: as@php.net
Assigned:
Status: Closed
Package: PCNTL related
PHP Version: 7.1.0
OS: Linux 4.4
Private report: No
CVE-ID: None
 [2017-01-15 02:45 UTC] as@php.net
Description:
------------
Memory allocation in signal handler introduced by https://wiki.php.net/rfc/additional-context-in-pcntl-signal-handler causes a segfault when compiled with HAVE_STRUCT_SIGINFO_T.

To reproduce, run `php test.php` in one terminal, and run `while true; do pkill -n -SIGTERM php; done` in another terminal. PHP will eventually segfault.

Sample stack trace:

0x00000000008f7073 in zend_mm_alloc_small (heap=0x7ffff3600040, size=64, bin_num=7, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1261
1261			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x00000000008f7073 in zend_mm_alloc_small (heap=0x7ffff3600040, size=64, bin_num=7, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1261
#1  0x00000000008f7316 in zend_mm_alloc_heap (heap=0x7ffff3600040, size=64, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/adam/php-src/Zend/zend_alloc.c:1332
#2  0x00000000008f9e56 in _emalloc (size=32, __zend_filename=0x104da28 "/home/adam/php-src/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/adam/php-src/Zend/zend_alloc.c:2417
#3  0x0000000000951557 in zend_string_alloc (len=4, persistent=0) at /home/adam/php-src/Zend/zend_string.h:122
#4  0x00000000009515c0 in zend_string_init (str=0xffe6fe "code", len=4, persistent=0) at /home/adam/php-src/Zend/zend_string.h:158
#5  0x0000000000954035 in _zend_hash_str_update (ht=0x7ffff365a600, str=0xffe6fe "code", len=4, pData=0x7fffffffafb0, __zend_filename=0x104c288 "/home/adam/php-src/Zend/zend_hash.h", __zend_lineno=446)
    at /home/adam/php-src/Zend/zend_hash.c:650
#6  0x000000000093eaf0 in zend_symtable_str_update (ht=0x7ffff365a600, str=0xffe6fe "code", len=4, pData=0x7fffffffafb0) at /home/adam/php-src/Zend/zend_hash.h:446
#7  0x0000000000945351 in add_assoc_long_ex (arg=0x7fffffffb040, key=0xffe6fe "code", key_len=4, n=0) at /home/adam/php-src/Zend/zend_API.c:1325
#8  0x00000000006bb9f6 in pcntl_siginfo_to_zval (signo=15, siginfo=0x7fffffffb370, user_siginfo=0x7fffffffb040) at /home/adam/php-src/ext/pcntl/pcntl.c:1221
#9  0x00000000006bc0fe in pcntl_signal_handler (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/ext/pcntl/pcntl.c:1384
#10 0x00000000009806cf in zend_signal_handler (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/Zend/zend_signal.c:207
#11 0x000000000097feac in zend_signal_handler_defer (signo=15, siginfo=0x7fffffffb370, context=0x7fffffffb240) at /home/adam/php-src/Zend/zend_signal.c:101
#12 <signal handler called>
#13 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:238
#14 0x000000000093344e in concat_function (result=0x7ffff36150e0, op1=0x7ffff36150d0, op2=0x7fffffffb950) at /home/adam/php-src/Zend/zend_operators.c:1764
#15 0x0000000000a3013f in ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER () at /home/adam/php-src/Zend/zend_vm_execute.h:51598
#16 0x00000000009ac2e6 in execute_ex (ex=0x7ffff3615030) at /home/adam/php-src/Zend/zend_vm_execute.h:429
#17 0x00000000009ac4e7 in zend_execute (op_array=0x7ffff3672400, return_value=0x0) at /home/adam/php-src/Zend/zend_vm_execute.h:474
#18 0x000000000093e36a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/adam/php-src/Zend/zend.c:1546
#19 0x000000000087755c in php_execute_script (primary_file=0x7fffffffd0b0) at /home/adam/php-src/main/main.c:2535
#20 0x0000000000a3ccca in do_cli (argc=2, argv=0x13b4cd0) at /home/adam/php-src/sapi/cli/php_cli.c:997
#21 0x0000000000a3e15c in main (argc=2, argv=0x13b4cd0) at /home/adam/php-src/sapi/cli/php_cli.c:1390


Test script:
---------------
<?php

// Tick on every statement so the pcntl handler can run at any point in the loop.
declare(ticks = 1);
pcntl_signal(SIGTERM, function() {
    echo "signal\n";
});

// Keep the Zend allocator busy: each concatenation allocates a fresh string, so a
// SIGTERM that lands mid-allocation lets the handler re-enter the allocator.
$c = 0;
while(1) {
    $c += 1;
    str_repeat('a', 8192) . $c;
}


Expected result:
----------------
no segfault

Actual result:
--------------
segfault
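An added C example, not code from php-src or from the reporter, of the deferred pattern that avoids the failure in the trace above (frames #8 to #11 call the allocator from inside the handler while frame #13 was already executing inside the main program's heap operation): the handler only copies the `siginfo_t` into preallocated storage, and the allocation needed to build a per-signal context object happens later, from ordinary execution context. The names `install`, `dispatch` and `signal_event` and the queue size are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Constructed example, not php-src code: the deferred pattern a pcntl-style
 * handler must follow. The handler only copies siginfo into a preallocated
 * ring slot; turning it into heap objects (the analogue of building the PHP
 * siginfo array) waits for dispatch(), which runs in ordinary context. */
#define QUEUE_SIZE 32
struct pending { int signo; siginfo_t info; };
struct signal_event { int signo; int code; pid_t pid; uid_t uid; };
static struct pending queue[QUEUE_SIZE];              /* preallocated, never grows */
static volatile sig_atomic_t q_head = 0, q_tail = 0;  /* handler writes head only */

static void handler(int signo, siginfo_t *info, void *ctx)
{
    int next = (q_head + 1) % QUEUE_SIZE;
    (void)ctx;
    if (next == q_tail) return;    /* full: drop rather than block or allocate */
    queue[q_head].signo = signo;
    queue[q_head].info = *info;    /* plain struct copy: no allocator involved */
    q_head = next;
}

static int install(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = handler;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* Ordinary context, so malloc is legal here. Returns number of events written. */
static int dispatch(struct signal_event **out, int max)
{
    int n = 0;
    while (q_tail != q_head && n < max) {
        struct pending *p = &queue[q_tail];
        struct signal_event *ev = malloc(sizeof *ev);
        if (!ev) break;
        ev->signo = p->signo;  ev->code = p->info.si_code;
        ev->pid = p->info.si_pid;  ev->uid = p->info.si_uid;
        out[n++] = ev;
        q_tail = (q_tail + 1) % QUEUE_SIZE;
    }
    return n;
}
```

Calling `install(SIGTERM)` and then `raise(SIGTERM)` leaves one entry queued, and `dispatch()` converts it after the handler has returned.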

Patches

patch.diff (last revision 2017-01-15 02:45 UTC by as@php.net)


Pull Requests


History

 [2017-01-15 02:45 UTC] as@php.net
The following patch has been added/updated:

Patch Name: patch.diff
Revision:   1484448342
URL:        https://bugs.php.net/patch-display.php?bug=73939&patch=patch.diff&revision=1484448342
 [2017-01-16 04:33 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bac4c97602d53b6f07737ce0b51f8a39857cbf76
Log: Fix bug #73939 memory allocation in signal handler when HAVE_STRUCT_SIGINFO_T
 [2017-01-16 04:33 UTC] krakjoe@php.net
-Status: Open +Status: Closed
Last updated: Fri Aug 07 13:01:24 2020 UTC