php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74770 open_basedir causes segfault (11)
Submitted: 2017-06-17 08:46 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: jerry at jmweb dot net Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.1.6 OS: CentOS Linux release 7.1.1503
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-06-17 08:46 UTC] jerry at jmweb dot net 
Description:
------------
PHP causes Apache to randomly exit with Segmentation fault (11) when serving a PHP file residing in an open_basedir directory. This issue was not present in PHP 5.6.30. I also confirmed the bug in PHP 7.0.19 and 7.2.0 Alpha1.

This bug is similar to https://bugs.php.net/bug.php?id=48744 BUT produces a different backtrace. Hence, why I created a new bug report.


PHP Build Summary
-----------------
Configure:
'./configure --enable-debug --prefix=/WAMP/php --with-apxs2=/WAMP/apache/bin/apxs'

Server API: Apache 2.0 Handler (mod_php)
Loaded Configuration file: none
Thread Safety: enabled

Apache Summary
--------------
Server Version: Apache/2.4.25 (Unix) PHP/7.1.6 OpenSSL/1.0.2l
Compiled with APR Version: 1.5.2
Compiled with APU Version: 1.5.4
MPM Name: event

httpd.conf (relevant settings)
------------------------------
CoreDumpDirectory /tmp/core-dumps
DocumentRoot "/JunkServer/website"

<VirtualHost *:80>

	<Directory "/JunkServer/website">
		php_admin_value open_basedir "/JunkServer/website"
	</Directory>

</VirtualHost>

Test script:
---------------
1. In the DocumentRoot directory, create an empty test.php file.
2. Since the segfault is not consistent, I used apache bench to reproduce the crash consistently:
	ab -n 10000 -c 5 http://localhost/test.php
3. Observe Apache error log and core dump

4. In httpd.conf, remove/comment php_admin_value open_basedir "/JunkServer/website"
5. Restart apache
6. Repeat step #2
7. Observe no segfaults in log and no core dumps.

Actual result:
--------------
Apache error log
----------------
[core:notice] AH00051: child pid 18214 exit signal Segmentation fault (11), possible coredump in /tmp/core-dumps

Backtrace
---------
#0  0x00007f68c9baf325 in zend_mm_free_heap (heap=0x7f6899200040, ptr=0x1b0de20, __zend_filename=0x7f68ca141ea8 "/install/php-7.1.6/Zend/zend_string.h", __zend_lineno=272, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /install/php-7.1.6/Zend/zend_alloc.c:1372
#1  0x00007f68c9bb1dac in _efree (ptr=0x1b0de20, __zend_filename=0x7f68ca141ea8 "/install/php-7.1.6/Zend/zend_string.h", __zend_lineno=272, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /install/php-7.1.6/Zend/zend_alloc.c:2433
#2  0x00007f68c9c06ad7 in zend_string_release (s=0x1b0de20) at /install/php-7.1.6/Zend/zend_string.h:272
#3  0x00007f68c9c0b13a in zend_hash_destroy (ht=0x7f687c004558) at /install/php-7.1.6/Zend/zend_hash.c:1249
#4  0x00007f68c9ce95d9 in destroy_php_config (data=0x7f687c004558) at /install/php-7.1.6/sapi/apache2handler/apache_config.c:201
#5  0x00007f68cb2c03fe in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
#6  apr_pool_destroy (pool=0x7f687c0028f8) at memory/unix/apr_pools.c:814
#7  0x000000000044a1e6 in remove_empty_buckets (bb=bb@entry=0x7f68a4039b18) at core_filters.c:720
#8  0x000000000044a526 in send_brigade_nonblocking (s=0x7f68a4039290, bb=bb@entry=0x7f68a4039b18, bytes_written=bytes_written@entry=0x7f68a4039ad0, c=c@entry=0x7f68a4039528)
    at core_filters.c:710
#9  0x000000000044b42a in ap_core_output_filter (f=0x7f68a4039970, new_bb=0x0) at core_filters.c:468
#10 0x000000000046ce17 in process_socket (my_thread_num=6, my_child_num=1, cs=0x7f68a4039498, sock=<optimized out>, p=<optimized out>, thd=<optimized out>) at event.c:1116
#11 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2001
#12 0x00007f68cac50df5 in start_thread (arg=0x7f68a3fff700) at pthread_create.c:308
#13 0x00007f68ca77a1ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-10 06:55 UTC] jerry at jmweb dot net 
I am still getting these crashes. Here is the latest core dump:

#0  zend_mm_free_heap (ptr=0x138e6f0, heap=0x7f5a36e00040) at /install/php-7.1.9/Zend/zend_alloc.c:1374
        chunk = 0x1200000
        page_num = 398
        info = <optimized out>
        page_offset = 1631984
#1  _efree (ptr=0x138e6f0) at /install/php-7.1.9/Zend/zend_alloc.c:2433
No locals.
#2  0x00007f5a836be217 in zend_string_release (s=<optimized out>) at /install/php-7.1.9/Zend/zend_string.h:272
No locals.
#3  zend_hash_destroy (ht=0x18fa570) at /install/php-7.1.9/Zend/zend_hash.c:1248
        p = 0x7f5a141800c0
        end = 0x7f5a141800e0
#4  0x00007f5a83755c39 in destroy_php_config (data=<optimized out>)
    at /install/php-7.1.9/sapi/apache2handler/apache_config.c:201
        d = <optimized out>
#5  0x00007f5a84b623fe in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
        c = <optimized out>
#6  apr_pool_destroy (pool=0x18f8678) at memory/unix/apr_pools.c:814
        active = <optimized out>
        allocator = <optimized out>
#7  0x000000000044a436 in remove_empty_buckets (bb=bb@entry=0x7f5a5005ceb0) at core_filters.c:720
        bucket = 0x18f0548
#8  0x000000000044aae8 in setaside_remaining_output (f=f@entry=0x7f5a5005ccc8, ctx=ctx@entry=0x7f5a5005ce10, 
    bb=bb@entry=0x7f5a5005ceb0, c=<optimized out>, c=<optimized out>) at core_filters.c:584
No locals.
#9  0x000000000044b52e in ap_core_output_filter (f=0x7f5a5005ccc8, new_bb=0x7f5a5005ceb0) at core_filters.c:568
        c = <optimized out>
        net = 0x7f5a5005cc80
        ctx = 0x7f5a5005ce10
        bb = 0x7f5a5005ceb0
        bucket = <optimized out>
        next = <optimized out>
        flush_upto = <optimized out>
        bytes_in_brigade = 0
        non_file_bytes_in_brigade = <optimized out>
        eor_buckets_in_brigade = <optimized out>
        morphing_bucket_in_brigade = 0
        rv = <optimized out>
#10 0x0000000000463bc3 in ap_process_request_after_handler (r=0x18f86f0) at http_request.c:358
        bb = 0x7f5a5005ceb0
        b = <optimized out>
        c = 0x7f5a5005c878
        rv = <optimized out>
#11 0x0000000000461251 in ap_process_http_async_connection (c=0x7f5a5005c878) at http_core.c:154
        r = 0x18f86f0
        cs = 0x7f5a5005c850
#12 ap_process_http_connection (c=0x7f5a5005c878) at http_core.c:248
No locals.
#13 0x0000000000459390 in ap_run_process_connection (c=0x7f5a5005c878) at connection.c:42
        pHook = 0x1507588
        n = 4
        rv = 920649792
#14 0x000000000046cfee in process_socket (my_thread_num=2, my_child_num=1, cs=0x7f5a5005c7e8, sock=<optimized out>, 
    p=<optimized out>, thd=<optimized out>) at event.c:945
        c = 0x7f5a5005c878
        sbh = 0x7f5a5005c7d0
        conn_id = <optimized out>
        rc = <optimized out>
#15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:1849
        ti = <optimized out>
        process_slot = 1
        thread_slot = 2
        csd = 0x7f5a5005c5e0
        cs = 0x0
        ptrans = 0x7f5a5005c558
        rv = <optimized out>
        is_idle = 0
        te = 0x0
#16 0x00007f5a844f2df5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007f5a8401c1ad in clone () from /lib64/libc.so.6
No symbol table info available.
 [2017-10-11 10:03 UTC] jerry at jmweb dot net 
Please know that I no longer see segfaults since switching to PHP-FPM. My previous configuration included mod_php (w/ ZTS) with Apache event mpm. Although this Wiki (https://wiki.apache.org/httpd/php) states that they are compatible, I read a few blogs stating that PHP thread safety is NOT AT ALL stable.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved. 		Last updated: Tue Aug 20 13:01:27 2019 UTC