Bug #74770 open_basedir causes segfault (11)
Submitted: 2017-06-17 08:46 UTC Modified: 2021-06-20 04:22 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: jerry at jmweb dot net Assigned: cmb
Status: No Feedback Package: Reproducible crash
PHP Version: 7.1.6 OS: CentOS Linux release 7.1.1503
Private report: No CVE-ID: None
 [2017-06-17 08:46 UTC] jerry at jmweb dot net
Description:
------------
PHP causes Apache to randomly exit with Segmentation fault (11) when serving a PHP file residing in an open_basedir directory. This issue was not present in PHP 5.6.30. I also confirmed the bug in PHP 7.0.19 and 7.2.0 Alpha1.

This bug is similar to https://bugs.php.net/bug.php?id=48744 BUT produces a different backtrace. Hence why I created a new bug report.


PHP Build Summary
-----------------
Configure:
'./configure --enable-debug --prefix=/WAMP/php --with-apxs2=/WAMP/apache/bin/apxs'

Server API: Apache 2.0 Handler (mod_php)
Loaded Configuration file: none
Thread Safety: enabled

Apache Summary
--------------
Server Version: Apache/2.4.25 (Unix) PHP/7.1.6 OpenSSL/1.0.2l
Compiled with APR Version: 1.5.2
Compiled with APU Version: 1.5.4
MPM Name: event

httpd.conf (relevant settings)
------------------------------
CoreDumpDirectory /tmp/core-dumps
DocumentRoot "/JunkServer/website"

<VirtualHost *:80>

	<Directory "/JunkServer/website">
		php_admin_value open_basedir "/JunkServer/website"
	</Directory>

</VirtualHost>

Test script:
---------------
1. In the DocumentRoot directory, create an empty test.php file.
2. Since the segfault is not consistent, I used apache bench to reproduce the crash consistently:
	ab -n 10000 -c 5 http://localhost/test.php
3. Observe Apache error log and core dump

4. In httpd.conf, remove/comment php_admin_value open_basedir "/JunkServer/website"
5. Restart apache
6. Repeat step #2
7. Observe no segfaults in log and no core dumps.

Actual result:
--------------
Apache error log
----------------
[core:notice] AH00051: child pid 18214 exit signal Segmentation fault (11), possible coredump in /tmp/core-dumps

Backtrace
---------
#0  0x00007f68c9baf325 in zend_mm_free_heap (heap=0x7f6899200040, ptr=0x1b0de20, __zend_filename=0x7f68ca141ea8 "/install/php-7.1.6/Zend/zend_string.h", __zend_lineno=272, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /install/php-7.1.6/Zend/zend_alloc.c:1372
#1  0x00007f68c9bb1dac in _efree (ptr=0x1b0de20, __zend_filename=0x7f68ca141ea8 "/install/php-7.1.6/Zend/zend_string.h", __zend_lineno=272, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /install/php-7.1.6/Zend/zend_alloc.c:2433
#2  0x00007f68c9c06ad7 in zend_string_release (s=0x1b0de20) at /install/php-7.1.6/Zend/zend_string.h:272
#3  0x00007f68c9c0b13a in zend_hash_destroy (ht=0x7f687c004558) at /install/php-7.1.6/Zend/zend_hash.c:1249
#4  0x00007f68c9ce95d9 in destroy_php_config (data=0x7f687c004558) at /install/php-7.1.6/sapi/apache2handler/apache_config.c:201
#5  0x00007f68cb2c03fe in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
#6  apr_pool_destroy (pool=0x7f687c0028f8) at memory/unix/apr_pools.c:814
#7  0x000000000044a1e6 in remove_empty_buckets (bb=bb@entry=0x7f68a4039b18) at core_filters.c:720
#8  0x000000000044a526 in send_brigade_nonblocking (s=0x7f68a4039290, bb=bb@entry=0x7f68a4039b18, bytes_written=bytes_written@entry=0x7f68a4039ad0, c=c@entry=0x7f68a4039528)
    at core_filters.c:710
#9  0x000000000044b42a in ap_core_output_filter (f=0x7f68a4039970, new_bb=0x0) at core_filters.c:468
#10 0x000000000046ce17 in process_socket (my_thread_num=6, my_child_num=1, cs=0x7f68a4039498, sock=<optimized out>, p=<optimized out>, thd=<optimized out>) at event.c:1116
#11 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2001
#12 0x00007f68cac50df5 in start_thread (arg=0x7f68a3fff700) at pthread_create.c:308
#13 0x00007f68ca77a1ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
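The reproduction procedure from the report, scripted as an added example (this is not code from the bug report or the PHP project): it drives the reporter's `ab` load test against the empty `test.php`, counts the AH00051 segfault notices the run adds to the Apache error log, lists the crashed child PIDs, and pulls backtraces from whatever landed in CoreDumpDirectory, which is how the two backtraces in this report were obtained. The error-log path, the httpd binary path, the `RUN_REPRO` switch and the core file names are assumptions; the AH00051 message format is the one quoted above. Because each crash kills an event-MPM child and every request in flight on its threads, the same run doubles as a pass/fail check after commenting out the open_basedir directive (steps 4 to 7).

```shell
#!/bin/sh
# Added example, not part of the bug report. Drives the reporter's reproduction
# (ab against an empty test.php) and triages the result from the Apache error log.
# ERROR_LOG, HTTPD and CORE_DIR are assumptions; override them via the environment.
ERROR_LOG="${ERROR_LOG:-/WAMP/apache/logs/error_log}"
HTTPD="${HTTPD:-/WAMP/apache/bin/httpd}"
CORE_DIR="${CORE_DIR:-/tmp/core-dumps}"        # matches CoreDumpDirectory in httpd.conf
URL="${URL:-http://localhost/test.php}"

# Number of AH00051 "exit signal Segmentation fault (11)" notices in an error log.
# Prints 0 (and still succeeds) when there are none or the file is unreadable.
count_segfaults() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'exit signal Segmentation fault (11)' "$1" || true
}

# PIDs of the crashed children, one per line, for matching against core files
# and the "possible coredump in ..." notices.
segfault_pids() {
    sed -n 's/.*child pid \([0-9][0-9]*\) exit signal Segmentation fault (11).*/\1/p' "$1"
}

# Run the reporter's load test and report how many new segfaults it produced.
# Returns non-zero when the count grew, so the same call serves as the check
# after removing the open_basedir directive (steps 4-7 of the report).
run_repro() {
    before=$(count_segfaults "$ERROR_LOG")
    ab -n 10000 -c 5 "$URL" >/dev/null 2>&1 || echo "warning: ab exited non-zero" >&2
    after=$(count_segfaults "$ERROR_LOG")
    new=$((after - before))
    echo "segfaults during run: $new"
    [ "$new" -eq 0 ]
}

# Full backtrace from every core in CoreDumpDirectory. The file name depends on
# the kernel's core_pattern, so any core* is taken. Needs gdb and a
# --enable-debug build like the reporter's for symbolised Zend frames.
backtrace_cores() {
    for core in "$CORE_DIR"/core*; do
        [ -f "$core" ] || continue
        echo "== $core"
        gdb -batch -ex 'bt full' "$HTTPD" "$core" 2>/dev/null | head -n 60
    done
}

# Only touch the live server when explicitly asked, so the functions above can
# be sourced or tested on a box without httpd, ab or gdb.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    run_repro
    echo "crashed child PIDs:"; segfault_pids "$ERROR_LOG"
    backtrace_cores
fi
```

Run it as `RUN_REPRO=1 ERROR_LOG=/path/to/error_log sh repro.sh` once with the `php_admin_value open_basedir` line in place and once with it commented out; a clean second run and a non-zero count on the first is the signal the reporter describes.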


 [2017-09-10 06:55 UTC] jerry at jmweb dot net
I am still getting these crashes. Here is the latest core dump:

#0  zend_mm_free_heap (ptr=0x138e6f0, heap=0x7f5a36e00040) at /install/php-7.1.9/Zend/zend_alloc.c:1374
        chunk = 0x1200000
        page_num = 398
        info = <optimized out>
        page_offset = 1631984
#1  _efree (ptr=0x138e6f0) at /install/php-7.1.9/Zend/zend_alloc.c:2433
No locals.
#2  0x00007f5a836be217 in zend_string_release (s=<optimized out>) at /install/php-7.1.9/Zend/zend_string.h:272
No locals.
#3  zend_hash_destroy (ht=0x18fa570) at /install/php-7.1.9/Zend/zend_hash.c:1248
        p = 0x7f5a141800c0
        end = 0x7f5a141800e0
#4  0x00007f5a83755c39 in destroy_php_config (data=<optimized out>)
    at /install/php-7.1.9/sapi/apache2handler/apache_config.c:201
        d = <optimized out>
#5  0x00007f5a84b623fe in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
        c = <optimized out>
#6  apr_pool_destroy (pool=0x18f8678) at memory/unix/apr_pools.c:814
        active = <optimized out>
        allocator = <optimized out>
#7  0x000000000044a436 in remove_empty_buckets (bb=bb@entry=0x7f5a5005ceb0) at core_filters.c:720
        bucket = 0x18f0548
#8  0x000000000044aae8 in setaside_remaining_output (f=f@entry=0x7f5a5005ccc8, ctx=ctx@entry=0x7f5a5005ce10, 
    bb=bb@entry=0x7f5a5005ceb0, c=<optimized out>, c=<optimized out>) at core_filters.c:584
No locals.
#9  0x000000000044b52e in ap_core_output_filter (f=0x7f5a5005ccc8, new_bb=0x7f5a5005ceb0) at core_filters.c:568
        c = <optimized out>
        net = 0x7f5a5005cc80
        ctx = 0x7f5a5005ce10
        bb = 0x7f5a5005ceb0
        bucket = <optimized out>
        next = <optimized out>
        flush_upto = <optimized out>
        bytes_in_brigade = 0
        non_file_bytes_in_brigade = <optimized out>
        eor_buckets_in_brigade = <optimized out>
        morphing_bucket_in_brigade = 0
        rv = <optimized out>
#10 0x0000000000463bc3 in ap_process_request_after_handler (r=0x18f86f0) at http_request.c:358
        bb = 0x7f5a5005ceb0
        b = <optimized out>
        c = 0x7f5a5005c878
        rv = <optimized out>
#11 0x0000000000461251 in ap_process_http_async_connection (c=0x7f5a5005c878) at http_core.c:154
        r = 0x18f86f0
        cs = 0x7f5a5005c850
#12 ap_process_http_connection (c=0x7f5a5005c878) at http_core.c:248
No locals.
#13 0x0000000000459390 in ap_run_process_connection (c=0x7f5a5005c878) at connection.c:42
        pHook = 0x1507588
        n = 4
        rv = 920649792
#14 0x000000000046cfee in process_socket (my_thread_num=2, my_child_num=1, cs=0x7f5a5005c7e8, sock=<optimized out>, 
    p=<optimized out>, thd=<optimized out>) at event.c:945
        c = 0x7f5a5005c878
        sbh = 0x7f5a5005c7d0
        conn_id = <optimized out>
        rc = <optimized out>
#15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:1849
        ti = <optimized out>
        process_slot = 1
        thread_slot = 2
        csd = 0x7f5a5005c5e0
        cs = 0x0
        ptrans = 0x7f5a5005c558
        rv = <optimized out>
        is_idle = 0
        te = 0x0
#16 0x00007f5a844f2df5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007f5a8401c1ad in clone () from /lib64/libc.so.6
No symbol table info available.
 [2017-10-11 10:03 UTC] jerry at jmweb dot net
Please know that I no longer see segfaults since switching to PHP-FPM. My previous configuration included mod_php (w/ ZTS) with Apache event mpm. Although this Wiki (https://wiki.apache.org/httpd/php) states that they are compatible, I read a few blogs stating that PHP thread safety is NOT AT ALL stable.
 [2021-06-09 15:01 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 15:01 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.