php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75282 xmlrpc_encode_request() crashes with "zend_mm_heap corrupted"
Submitted: 2017-09-29 06:56 UTC Modified: 2018-10-21 10:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: marina at moodle dot com Assigned: cmb (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 7.2.0RC3 OS: Ubuntu
Private report: No CVE-ID: None
 [2017-09-29 06:56 UTC] marina at moodle dot com
Description:
------------
Test script works fine in PHP7.0 and 7.1 but not on 7.3RC3

$ php -v
PHP 7.2.0RC3 (cli) (built: Sep 28 2017 16:47:01) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0-dev, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.0RC3, Copyright (c) 1999-2017, by Zend Technologies
$ php -r "echo xmlrpc_encode_request('func', 'text', []);"
zend_mm_heap corrupted

Test script:
---------------
echo xmlrpc_encode_request('func', 'text', []);

Expected result:
----------------
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>func</methodName>
<params>
 <param>
  <value>
   <string>text</string>
  </value>
 </param>
</params>
</methodCall>


Actual result:
--------------
zend_mm_heap corrupted

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-29 06:59 UTC] marina at moodle dot com
sorry made a mistype, read "PHP7.2RC3" (typed 7.3 instead, living in the future)
 [2017-10-04 21:49 UTC] gmblar+php at gmail dot com
Cannot reproduce this bug on macOS 10.13 or with the docker image php:7.2.0RC3-cli. Which version of ubuntu do you use?
 [2017-10-05 01:29 UTC] marina at moodle dot com
Thanks for reply. I use Ubuntu 14.04.5 LTS
 [2017-10-05 10:53 UTC] nikic@php.net
I've run this through valgrind in a number of variations (with/without zmm, with/without opcache) and did not get any memory errors.
 [2017-10-24 06:53 UTC] marina at moodle dot com
I have the same problem on RC4
reported also here:
https://github.com/oerdnj/deb.sury.org/issues/724
 [2017-10-24 08:17 UTC] ondrej@php.net
I was more lucky in generating the segfault.  Sometimes it ends only with zend_mm_heap message, but sometimes it breaks with "Segmentation fault" dumping a core, so here's the full backtrace:

Core was generated by `php -r echo xmlrpc_encode_request('func', 'text', []);'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_free_heap (ptr=<optimized out>, heap=<optimized out>) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_alloc.c:1374
1374	/build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_alloc.c: No such file or directory.
(gdb) bt full
#0  zend_mm_free_heap (ptr=<optimized out>, heap=<optimized out>) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_alloc.c:1374
        chunk = 0x55d651a00000
        info = 310887680
        page_offset = 384
#1  _efree (ptr=ptr@entry=0x55d651b80dc0) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_alloc.c:2433
No locals.
#2  0x00007f260f593786 in zif_xmlrpc_encode_request (execute_data=<optimized out>, return_value=0x7f261281b080) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/ext/xmlrpc/xmlrpc-epi-php.c:704
        xRequest = 0x55d651a40dd0
        outBuf = 0x55d651b80dc0 "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<methodCall>\n<methodName>func</methodName>\n<params>\n <param>\n  <value>\n   <string>text</string>\n  </value>\n </param>\n</params>\n</methodCall>\n"
        vals = 0x7f261281b0f0
        out_opts = 0x7f261281b100
        method = 0x7f261285d358 "func"
        method_len = 4
        out = {b_php_out = 0, b_auto_version = 1, xmlrpc_out = {xml_elem_opts = {verbosity = xml_elem_pretty,
              escaping = (xml_elem_markup_escaping | xml_elem_non_ascii_escaping | xml_elem_non_print_escaping), encoding = 0x7f260f594108 "iso-8859-1"}, version = xmlrpc_version_1_0}}
#3  0x000055d650e1c11a in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_vm_execute.h:617
        call = 0x7f261281b090
        fbc = 0x7f261287c500
        ret = 0x55d651a00000
#4  execute_ex (ex=0x55d651b80dc0) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_vm_execute.h:59737
No locals.
#5  0x000055d650e24d43 in zend_execute (op_array=op_array@entry=0x7f261287c2a0, return_value=return_value@entry=0x7ffcdeb7db10) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_vm_execute.h:63763
No locals.
#6  0x000055d650d70a25 in zend_eval_stringl (str=0x55d651a40ad0 "echo xmlrpc_encode_request('func', 'text', []);", str_len=<optimized out>, retval_ptr=0x0, string_name=0x55d650e870cb "Command line code")
    at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_execute_API.c:1080
        __orig_bailout = 0x7ffcdeb7ddd0
        __bailout = {{__jmpbuf = {94378971973536, -2745732968994631115, 94378968772811, 94378981067472, 0, 0, -2859598804687056331, -8357072563008892363}, __mask_was_saved = 0, __saved_mask = {__val = {
                0, 139801496245024, 139801185484817, 139801496371424, 139801496371200, 139801496371648, 0, 0, 94378965993598, 139801496375296, 4744115309160432649, 94378982105424, 1, 139801496375320,
                94377611363337, 94378982105472}}}}
        local_retval = {value = {lval = 94378982105520, dval = 4.6629412747803189e-310, counted = 0x55d651b3e1b0, str = 0x55d651b3e1b0, arr = 0x55d651b3e1b0, obj = 0x55d651b3e1b0, res = 0x55d651b3e1b0,
            ref = 0x55d651b3e1b0, ast = 0x55d651b3e1b0, zv = 0x55d651b3e1b0, ptr = 0x55d651b3e1b0, ce = 0x55d651b3e1b0, func = 0x55d651b3e1b0, ww = {w1 = 1370743216, w2 = 21974}}, u1 = {v = {
              type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 21974, cache_slot = 21974, lineno = 21974, num_args = 21974,
            fe_pos = 21974, fe_iter_idx = 21974, access_flags = 21974, property_guard = 21974, extra = 21974}}
        pv = {value = {lval = 139801496363088, dval = 6.9071116590201753e-310, counted = 0x7f261287a050, str = 0x7f261287a050, arr = 0x7f261287a050, obj = 0x7f261287a050, res = 0x7f261287a050,
            ref = 0x7f261287a050, ast = 0x7f261287a050, zv = 0x7f261287a050, ptr = 0x7f261287a050, ce = 0x7f261287a050, func = 0x7f261287a050, ww = {w1 = 310878288, w2 = 32550}}, u1 = {v = {
              type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 3482432889, cache_slot = 3482432889, lineno = 3482432889,
            num_args = 3482432889, fe_pos = 3482432889, fe_iter_idx = 3482432889, access_flags = 3482432889, property_guard = 3482432889, extra = 3482432889}}
        new_op_array = 0x7f261287c2a0
        original_compiler_options = <optimized out>
        retval = <optimized out>
#7  0x000055d650d70bb9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>, string_name=<optimized out>, handle_exceptions=1)
    at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/Zend/zend_execute_API.c:1121
        result = <optimized out>
#8  0x000055d650e26d9e in do_cli (argc=3, argv=0x55d651a40a60) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/sapi/cli/php_cli.c:1042
        __orig_bailout = 0x7ffcdeb7ef60
        __bailout = {{__jmpbuf = {0, -2859598804040084939, 140724045082452, 0, 0, 94378971853632, -2859598804596878795, -8357072723372469707}, __mask_was_saved = 0, __saved_mask = {__val = {
                94378968659083, 94378968659107, 94378968563908, 94378968563929, 94378968659120, 94378968659140, 94378968659157, 94378968659178, 94378968659188, 94378968659202, 94378968659224,
                94378968659243, 94378968659270, 94378968659299, 0, 7955998172649846063}}}}
        c = <optimized out>
        file_handle = {handle = {fd = 321349184, fp = 0x7f2613276640 <_IO_2_1_stdin_>, stream = {handle = 0x7f2613276640 <_IO_2_1_stdin_>, isatty = 1357296728, mmap = {len = 94378968659061, pos = 0,
                map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x55d650e6b57f "Standard input code", opened_path = 0x0,
          type = ZEND_HANDLE_FP, free_filename = 0 '\000'}
        behavior = <optimized out>
        reflection_what = 0x7f261281b030 ""
        request_started = 1
        exit_status = 0
        php_optarg = 0x55d651a40ad0 "echo xmlrpc_encode_request('func', 'text', []);"
        php_optind = 3
        exec_direct = 0x55d651a40ad0 "echo xmlrpc_encode_request('func', 'text', []);"
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = <optimized out>
        interactive = 0
        lineno = 0
        param_error = <optimized out>
        hide_argv = 0
#9  0x000055d650be0d7e in main (argc=3, argv=0x55d651a40a60) at /build/php7.2-E8VsQc/php7.2-7.2.0~rc4/sapi/cli/php_cli.c:1404
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {94378981068080, -2859598804040084939, 140724045082452, 0, 0, 94378971853632, -2859598804018064843, -8357073310343425483}, __mask_was_saved = 0, __saved_mask = {__val = {
                0, 32, 139801500679104, 94378981064720, 139801536659472, 0, 140724045082984, 139801538908616, 0, 140724045082800, 139801536726775, 1, 0, 139801520185648, 139801520183000, 1}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x55d651a40ad0 "echo xmlrpc_encode_request('func', 'text', []);"
        php_optind = 3
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x55d651a40d30 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>
 [2017-10-24 09:34 UTC] nikic@php.net
Looks to me like there is a mismatch in the used allocator. libxmlrpc was patched to use ZMM in https://github.com/php/php-src/commit/3a0872d08fc71d9bb9ec3d431260f838725d3b8d. Could it be that Debian handles this library somehow differently and uses a non-patched version?
 [2017-10-24 17:20 UTC] ondrej@php.net
Debian and Ubuntu (and I guess Fedora, but I have just asked @remi) doesn't use embedded libraries.  So the xmlrpc.so definitely use the non-patched system library.
 [2017-10-24 18:18 UTC] nikic@php.net
Right, https://github.com/php/php-src/commit/3a0872d08fc71d9bb9ec3d431260f838725d3b8d needs to be reverted. I had assumed libxmlrpc is abandonware, but seemingly it isn't.
 [2017-10-24 18:48 UTC] ondrej@php.net
Thanks, that's considerate.  I know it isn't easy with the distro packagers :).
 [2017-10-24 18:53 UTC] ondrej@php.net
Maybe don't revert is as whole, but just wrap the free vs efree in ext/xmlrpc/xmlrpc-epi-php.c into #if XMLRPC_MODULE_TYPE == builtin/external ?
 [2017-10-25 00:54 UTC] marina at moodle dot com
Thanks Ondrej, everything works for me now as I commented also on https://github.com/oerdnj/deb.sury.org/issues/724

Nikic, we are gradually moving away from xmlrpc in Moodle but there is still some functionality that depends on it, unfortunately.
 [2017-10-25 06:53 UTC] remi@php.net
Obviously a HAVE_LIBXMLRPC is missing (config.m4), and should be used to select to proper free / efree method for data allocated by the lib.
 [2018-10-07 16:19 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-10-07 16:19 UTC] cmb@php.net
<https://github.com/php/php-src/pull/3591> is supposed to resolve
this bug.
 [2018-10-21 10:13 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=502b187ae8cbd24f4d8c05b8a3c4e52079314bbd
Log: Fix #75282: xmlrpc_encode_request() crashes
 [2018-10-21 10:13 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2018-10-21 10:22 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Nov 14 15:01:27 2018 UTC