PHP :: Bug #75068 :: Segfault when using non-existant capath in PDO MySQL on OS X

Bug #75068

Segfault when using non-existant capath in PDO MySQL on OS X

Submitted:

2017-08-13 02:41 UTC

Modified:

2021-07-08 15:37 UTC

Votes:	4
Avg. Score:	3.0 ± 0.7
Reproduced:	3 of 3 (100.0%)
Same Version:	0 (0.0%)
Same OS:	3 (100.0%)

From:

magnus at nordlander dot se

Assigned:

Status:

Verified

Package:

MySQLi related

PHP Version:

7.4

OS:

Mac OS X 10.12.5

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	magnus at nordlander dot se
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-08-13 02:41 UTC] magnus at nordlander dot se

Description:
------------
When attempting to connect to a MySQL server using SSL, if one passes a non-existent CA path (using the PDO::MYSQL_ATTR_SSL_CAPATH parameter), PHP segfaults.

Some debugging determined the cause of the crash to be that strlcpy gets called with src and dst being the same addresses, which according to the BSD manfile for strlcpy(3) is undefined behavior.

This reliably happens in the err label of mysqlnd_conn_data::connect, when conn->error_info->error is not a null pointer.

I have submitted a PR on Github to check that we're not copying a string into itself, PR #2682.

Test script:
---------------
<?php
$pdo = new PDO("mysql:host=127.0.0.1;port=3306;dbname=db;", "foo", "bar", [PDO::MYSQL_ATTR_SSL_CAPATH => "nonexistant.pem"]);

Expected result:
----------------
An exception, preferably one with a descriptive error message.

Actual result:
--------------
Process:               php [87317]
Path:                  /Users/USER/*/php
Identifier:            php
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        fish [66965]
Responsible:           php [87317]
User ID:               501

Date/Time:             2017-08-11 15:11:27.123 -0300
OS Version:            Mac OS X 10.12.5 (16F73)
Report Version:        12
Anonymous UUID:        74CFCBBC-0614-8396-9039-45B68BFF4E8A

Sleep/Wake UUID:       BD8913B7-3620-486A-8FA9-811E62511028

Time Awake Since Boot: 46000 seconds
Time Since Wake:       7700 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
detected source and destination buffer overlap

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff9684ed42 __pthread_kill + 10
1   libsystem_pthread.dylib       	0x00007fff9693c457 pthread_kill + 90
2   libsystem_c.dylib             	0x00007fff967b4420 abort + 129
3   libsystem_c.dylib             	0x00007fff967b4592 abort_report_np + 181
4   libsystem_c.dylib             	0x00007fff967daf28 __chk_fail + 48
5   libsystem_c.dylib             	0x00007fff967daf38 __chk_fail_overlap + 16
6   libsystem_c.dylib             	0x00007fff967daf69 __chk_overlap + 49
7   libsystem_c.dylib             	0x00007fff967db132 __strcpy_chk + 64
8   php                           	0x000000010a8db545 mysqlnd_mysqlnd_error_info_set_client_error_pub + 645 (mysqlnd_connection.c:127)
9   php                           	0x000000010a8e1382 mysqlnd_mysqlnd_conn_data_connect_pub + 10690 (mysqlnd_connection.c:801)
10  php                           	0x000000010a8f60d3 mysqlnd_mysqlnd_conn_connect_pub + 915 (mysqlnd_connection.c:835)
11  php                           	0x000000010a8f9ac2 mysqlnd_connection_connect + 2210 (mysqlnd_connection.c:2721)
12  php                           	0x000000010a6b8cd4 pdo_mysql_handle_factory + 3892 (mysql_driver.c:789)
13  php                           	0x000000010a6a1962 zim_PDO_dbh_constructor + 4914 (pdo_dbh.c:358)
14  php                           	0x000000010ab2a5b1 ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER + 1169 (zend_vm_execute.h:908)
15  php                           	0x000000010aafab06 execute_ex + 134 (zend_vm_execute.h:59725)
16  php                           	0x000000010aafae3e zend_execute + 414 (zend_vm_execute.h:63763)
17  php                           	0x000000010aa89e8a zend_execute_scripts + 634 (zend.c:1491)
18  php                           	0x000000010a9b7c6d php_execute_script + 1901 (main.c:2552)
19  php                           	0x000000010abbfad6 do_cli + 3862 (php_cli.c:1012)
20  php                           	0x000000010abbe8ad main + 1901 (php_cli.c:1404)
21  libdyld.dylib                 	0x00007fff96720235 start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007fff5589caa8  rdx: 0x0000000000000000
  rdi: 0x0000000000000307  rsi: 0x0000000000000006  rbp: 0x00007fff5589cad0  rsp: 0x00007fff5589caa8
   r8: 0x0000000000000000   r9: 0x0000000000000177  r10: 0x0000000008000000  r11: 0x0000000000000206
  r12: 0x0000000000000021  r13: 0x0000000000000000  r14: 0x00007fff9f62d3c0  r15: 0x0000000000000201
  rip: 0x00007fff9684ed42  rfl: 0x0000000000000206  cr2: 0x00007fff9693a31b
  
Logical CPU:     0
Error Code:      0x02000148
Trap Number:     133


Binary Images:
       0x10a360000 -        0x10b1d4ff7 +php (0) <6D973D4A-3F0A-339A-BDDB-18FE87D55AF2> /Users/USER/*/php
       0x10b4ed000 -        0x10b65d727 +libcrypto.1.0.0.dylib (0) <11B495A9-782C-3FB0-9729-ACFCD9F4F53E> /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib
       0x10b6dd000 -        0x10b71eff7 +libssl.1.0.0.dylib (0) <35C152E0-7168-3B99-94AB-ECA04D3B3DB5> /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
       0x11af55000 -        0x11af92dc7  dyld (433.5) <322C06B7-8878-311D-888C-C8FD2CA96FF3> /usr/lib/dyld
    0x7fff95178000 -     0x7fff95179ffb  libSystem.B.dylib (1238.60.2) <FC9E9F13-3B18-305C-BE0A-97C7843652B0> /usr/lib/libSystem.B.dylib
    0x7fff952b2000 -     0x7fff95308ff7  libc++.1.dylib (307.5) <0B43BB5D-E6EB-3464-8DE9-B41AC8ED9D1C> /usr/lib/libc++.1.dylib
    0x7fff95309000 -     0x7fff95333fff  libc++abi.dylib (307.3) <30199352-88BF-30BD-8CFF-2A4FBE247523> /usr/lib/libc++abi.dylib
    0x7fff9577f000 -     0x7fff95871ff7  libiconv.2.dylib (50) <42125B35-81D7-3FC4-9475-A26DBE10884D> /usr/lib/libiconv.2.dylib
    0x7fff95872000 -     0x7fff95a97ffb  libicucore.A.dylib (57165.0.1) <2931B842-2946-3576-AD1D-1CDA22FA1388> /usr/lib/libicucore.A.dylib
    0x7fff95a9f000 -     0x7fff95ab8ffb  liblzma.5.dylib (10) <44BD0279-99DD-36B5-8A6E-C11432E2098D> /usr/lib/liblzma.5.dylib
    0x7fff95e26000 -     0x7fff961f8047  libobjc.A.dylib (709) <DC77AA6E-A4E4-326D-8D7F-82D63AA88F99> /usr/lib/libobjc.A.dylib
    0x7fff9624e000 -     0x7fff9626affb  libresolv.9.dylib (64) <A244AE4C-00B0-396C-98FF-97FE4DB3DA30> /usr/lib/libresolv.9.dylib
    0x7fff9650a000 -     0x7fff965f9ffb  libxml2.2.dylib (30.16) <D2A6861B-D9FA-3BFC-B664-830C3FCE6065> /usr/lib/libxml2.2.dylib
    0x7fff96624000 -     0x7fff96635ff3  libz.1.dylib (67) <46E3FFA2-4328-327A-8D34-A03E20BFFB8E> /usr/lib/libz.1.dylib
    0x7fff96644000 -     0x7fff96648ff7  libcache.dylib (79) <093A4DAB-8385-3D47-A350-E20CB7CCF7BF> /usr/lib/system/libcache.dylib
    0x7fff96649000 -     0x7fff96653fff  libcommonCrypto.dylib (60092.50.5) <8A64D1B0-C70E-385C-92F0-E669079FDA90> /usr/lib/system/libcommonCrypto.dylib
    0x7fff96654000 -     0x7fff9665bfff  libcompiler_rt.dylib (62) <55D47421-772A-32AB-B529-1A46C2F43B4D> /usr/lib/system/libcompiler_rt.dylib
    0x7fff9665c000 -     0x7fff96664fff  libcopyfile.dylib (138) <819BEA3C-DF11-3E3D-A1A1-5A51C5BF1961> /usr/lib/system/libcopyfile.dylib
    0x7fff96665000 -     0x7fff966e8fdf  libcorecrypto.dylib (442.50.19) <65D7165E-2E71-335D-A2D6-33F78E2DF0C1> /usr/lib/system/libcorecrypto.dylib
    0x7fff966e9000 -     0x7fff9671afff  libdispatch.dylib (703.50.37) <6582BAD6-ED27-3B30-B620-90B1C5A4AE3C> /usr/lib/system/libdispatch.dylib
    0x7fff9671b000 -     0x7fff96720ffb  libdyld.dylib (433.5) <EC3D88D2-3D40-3274-8E26-362C2D7352C8> /usr/lib/system/libdyld.dylib
    0x7fff96721000 -     0x7fff96721ffb  libkeymgr.dylib (28) <7AA011A9-DC21-3488-BF73-3B5B14D1FDD6> /usr/lib/system/libkeymgr.dylib
    0x7fff9672f000 -     0x7fff9672ffff  liblaunch.dylib (972.60.2) <D3306CFF-58AA-3C90-B06C-B70E80E60C5B> /usr/lib/system/liblaunch.dylib
    0x7fff96730000 -     0x7fff96735ff3  libmacho.dylib (898) <17D5D855-F6C3-3B04-B680-E9BF02EF8AED> /usr/lib/system/libmacho.dylib
    0x7fff96736000 -     0x7fff96738ff3  libquarantine.dylib (85.50.1) <12448CC2-378E-35F3-BE33-9DC395A5B970> /usr/lib/system/libquarantine.dylib
    0x7fff96739000 -     0x7fff9673affb  libremovefile.dylib (45) <38D4CB9C-10CD-30D3-8B7B-A515EC75FE85> /usr/lib/system/libremovefile.dylib
    0x7fff9673b000 -     0x7fff96753ff7  libsystem_asl.dylib (349.50.5) <096E4228-3B7C-30A6-8B13-EC909A64499A> /usr/lib/system/libsystem_asl.dylib
    0x7fff96754000 -     0x7fff96754ff7  libsystem_blocks.dylib (67) <10DC5404-73AB-35B3-A277-A8AFECB476EB> /usr/lib/system/libsystem_blocks.dylib
    0x7fff96755000 -     0x7fff967e2fef  libsystem_c.dylib (1158.50.2) <E5AE5244-7D0C-36AC-8BB6-C7AE7EA52A4B> /usr/lib/system/libsystem_c.dylib
    0x7fff967e3000 -     0x7fff967e6ffb  libsystem_configuration.dylib (888.60.2) <BECC01A2-CA8D-31E6-BCDF-D452965FA976> /usr/lib/system/libsystem_configuration.dylib
    0x7fff967e7000 -     0x7fff967eafff  libsystem_coreservices.dylib (41.4) <7D26DE79-B424-3450-85E1-F7FAB32714AB> /usr/lib/system/libsystem_coreservices.dylib
    0x7fff967eb000 -     0x7fff96803fff  libsystem_coretls.dylib (121.50.4) <EC6FCF07-DCFB-3A03-9CC9-6DD3709974C6> /usr/lib/system/libsystem_coretls.dylib
    0x7fff96804000 -     0x7fff9680afff  libsystem_dnssd.dylib (765.50.9) <CC960215-0B1B-3822-A13A-3DDE96FA796F> /usr/lib/system/libsystem_dnssd.dylib
    0x7fff9680b000 -     0x7fff96834ff7  libsystem_info.dylib (503.50.4) <611DB84C-BF70-3F92-8702-B9F28A900920> /usr/lib/system/libsystem_info.dylib
    0x7fff96835000 -     0x7fff96857ff7  libsystem_kernel.dylib (3789.60.24) <6E9E485F-91F6-36B7-A125-AE91DC978BCC> /usr/lib/system/libsystem_kernel.dylib
    0x7fff96858000 -     0x7fff9689ffe7  libsystem_m.dylib (3121.6) <86D499B5-BBDC-3D3B-8A4E-97AE8E6672A4> /usr/lib/system/libsystem_m.dylib
    0x7fff968a0000 -     0x7fff968beff7  libsystem_malloc.dylib (116.50.8) <A3D15F17-99A6-3367-8C7E-4280E8619C95> /usr/lib/system/libsystem_malloc.dylib
    0x7fff968bf000 -     0x7fff96918ffb  libsystem_network.dylib (856.60.1) <369D0221-56CA-3C3E-9EDE-94B41CAE77B7> /usr/lib/system/libsystem_network.dylib
    0x7fff96919000 -     0x7fff96922ff3  libsystem_networkextension.dylib (563.60.2) <B021F2B3-8A75-3633-ABB0-FC012B8E9B0C> /usr/lib/system/libsystem_networkextension.dylib
    0x7fff96923000 -     0x7fff9692cff3  libsystem_notify.dylib (165.20.1) <B8160190-A069-3B3A-BDF6-2AA408221FAE> /usr/lib/system/libsystem_notify.dylib
    0x7fff9692d000 -     0x7fff96935fe7  libsystem_platform.dylib (126.50.8) <897462FD-B318-321B-A554-E61982630F7E> /usr/lib/system/libsystem_platform.dylib
    0x7fff96936000 -     0x7fff96940ff7  libsystem_pthread.dylib (218.60.3) <B8FB5E20-3295-39E2-B5EB-B464D1D4B104> /usr/lib/system/libsystem_pthread.dylib
    0x7fff96941000 -     0x7fff96944ff7  libsystem_sandbox.dylib (592.60.1) <DC780631-BD23-36B1-9376-668619E18D25> /usr/lib/system/libsystem_sandbox.dylib
    0x7fff96945000 -     0x7fff96946ff3  libsystem_secinit.dylib (24.50.4) <F78B847B-3565-3E4B-98A6-F7AD40392E2D> /usr/lib/system/libsystem_secinit.dylib
    0x7fff96947000 -     0x7fff9694effb  libsystem_symptoms.dylib (532.50.47) <3390E07C-C1CE-348F-ADBD-2C5440B45EAA> /usr/lib/system/libsystem_symptoms.dylib
    0x7fff9694f000 -     0x7fff96962ff7  libsystem_trace.dylib (518.60.2) <6B145B10-5874-3E89-90CD-D370DB475BA1> /usr/lib/system/libsystem_trace.dylib
    0x7fff96963000 -     0x7fff96968ffb  libunwind.dylib (35.3) <3D50D8A8-C460-334D-A519-2DA841102C6B> /usr/lib/system/libunwind.dylib
    0x7fff96969000 -     0x7fff96992ff7  libxpc.dylib (972.60.2) <1C9AF716-69DF-359F-85E9-7DFDE362F9A2> /usr/lib/system/libxpc.dylib

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 461150
    thread_create: 0
    thread_set_state: 715

VM Region Summary:
ReadOnly portion of Libraries: Total=145.2M resident=0K(0%) swapped_out_or_unallocated=145.2M(100%)
Writable regions: Total=50.3M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=50.3M(100%)
 
                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
Activity Tracing                   256K        2 
Kernel Alloc Once                    8K        2 
MALLOC                            39.3M       12 
MALLOC guard page                   16K        4 
MALLOC_LARGE (reserved)            316K        2         reserved VM address space (unallocated)
STACK GUARD                       56.0M        2 
Stack                             8192K        2 
VM_ALLOCATE                       2052K        3 
VM_ALLOCATE (reserved)              64K        2         reserved VM address space (unallocated)
__DATA                            2592K       53 
__LINKEDIT                       116.9M        6 
__TEXT                            28.3M       49 
shared memory                       12K        4 
===========                     =======  ======= 
TOTAL                            253.7M      130 
TOTAL, minus reserved VM space   253.3M      130 


System Profile:
Bluetooth: Version 5.0.4f18, 3 services, 27 devices, 1 incoming serial ports
Memory Module: BANK 0/DIMM0, 8 GB, LPDDR3, 2133 MHz, 0x80CE, 0x4B3445424533303445422D45474347202020
Memory Module: BANK 1/DIMM0, 8 GB, LPDDR3, 2133 MHz, 0x80CE, 0x4B3445424533303445422D45474347202020
USB Device: USB 3.0 Bus
USB Device: iBridge
Thunderbolt Bus: MacBook Pro, Apple Inc., 19.6
Thunderbolt Bus: MacBook Pro, Apple Inc., 19.6
Model: MacBookPro13,3, BootROM MBP133.0226.B23, 4 processors, Intel Core i7, 2,9 GHz, 16 GB, SMC 2.38f7
Graphics: Intel HD Graphics 530, Intel HD Graphics 530, Built-In
Graphics: Radeon Pro 460, AMD Radeon Pro 460, PCIe, 4096 MB
Network Service: Wi-Fi, AirPort, en0
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x15A), Broadcom BCM43xx 1.0 (7.21.171.126.1a2)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-07-08 15:37 UTC] cmb@php.net

-Status: Open +Status: Verified -PHP Version: master-Git-2017-08-13 (Git) +PHP Version: 7.4

[2021-07-08 15:37 UTC] cmb@php.net

It seems to me that <https://github.com/php/php-src/pull/2682>
would not have fixed the root cause, namely that we're setting the
error message to itself[1], and this is empty for the given
reproducer at least, so it's not helpful anyway.

[1] <https://github.com/php/php-src/blob/php-7.4.21/ext/mysqlnd/mysqlnd_connection.c#L796>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2022 The PHP Group All rights reserved.	Last updated: Wed Jun 29 23:05:46 2022 UTC