PHP :: Bug #75735 :: [embed SAPI] Segmentation fault in sapi_register_post_entry
Bug #75735 [embed SAPI] Segmentation fault in sapi_register_post_entry
Submitted: 2017-12-26 15:28 UTC Modified: -
From: volodymyr at wildwolf dot name Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.12 OS: Ubuntu 17.04 x64
Private report: No CVE-ID: None
 [2017-12-26 15:28 UTC] volodymyr at wildwolf dot name
Description:
------------
Please see below — the second call to PHP_EMBED_START_BLOCK() crashes the application.

Same happens in PHP 7.2.0 as well.

Configure options:

--with-config-file-path=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/etc --with-config-file-scan-dir=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/etc/conf.d --prefix=/home/vladimir/.phpenv/versions/7.1.12-zts-debug --libexecdir=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/libexec --without-pear --with-gd --enable-sockets --with-jpeg-dir=/usr --with-png-dir=/usr --enable-exif --enable-zip --with-zlib --with-zlib-dir=/usr --with-kerberos --with-openssl --with-mcrypt=/usr --enable-soap --enable-xmlreader --with-xsl --enable-ftp --enable-cgi --with-curl=/usr --with-tidy --with-xmlrpc --enable-sysvsem --enable-sysvshm --enable-shmop --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --enable-pcntl --with-readline --enable-mbstring --disable-debug --disable-fpm --enable-embed --enable-bcmath --disable-phpdbg --enable-maintainer-zts --with-libdir=lib64


Test script:
---------------
#include <sapi/embed/php_embed.h>

int main()
{
        PHP_EMBED_START_BLOCK(0, 0)
        PHP_EMBED_END_BLOCK();

        PHP_EMBED_START_BLOCK(0, 0)
        PHP_EMBED_END_BLOCK();

        return 0;
}


Expected result:
----------------
Program exits normally.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d826b in sapi_register_post_entry (post_entry=post_entry@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:951
951             if (SG(sapi_started) && EG(current_execute_data)) {
(gdb) bt
#0  0x00007ffff73d826b in sapi_register_post_entry (post_entry=post_entry@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:951
#1  0x00007ffff73d8362 in sapi_register_post_entries (post_entries=post_entries@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:940
#2  0x00007ffff73db5d0 in php_setup_sapi_content_types () at /tmp/php-build/source/7.1.12/main/php_content_types.c:64
#3  0x00007ffff73ca23c in ts_allocate_id (rsrc_id=rsrc_id@entry=0x7ffff7dd67b8 <sapi_globals_id>, size=size@entry=560, ctor=ctor@entry=0x7ffff73d5db0 <sapi_globals_ctor>, dtor=dtor@entry=0x7ffff73d5d90 <sapi_globals_dtor>) at /tmp/php-build/source/7.1.12/TSRM/TSRM.c:259
#4  0x00007ffff73d616c in sapi_startup (sf=sf@entry=0x7ffff7db7e40 <php_embed_module>) at /tmp/php-build/source/7.1.12/main/SAPI.c:84
#5  0x00007ffff74f2f74 in php_embed_init (argc=0, argv=0x0) at /tmp/php-build/source/7.1.12/sapi/embed/php_embed.c:182
#6  0x0000555555554a2e in main () at test.c:8


 [2017-12-26 17:10 UTC] volodymyr at wildwolf dot name
Added three lines to the beginning of sapi_register_post_entry():

printf("SG=%p\n", TSRMG_BULK(sapi_globals_id, sapi_globals_struct*)); // Line 951
printf("SG(sapi_started)=%d\n", (int)SG(sapi_started)); // Line 952
printf("EG=%p\n\n", TSRMG_BULK(executor_globals_id, zend_executor_globals *)); // Line 953

Modified the test script a bit:

#include <stdio.h>
#include <sapi/embed/php_embed.h>

int main(int argc, char** argv)
{
        printf("First block\n");
        PHP_EMBED_START_BLOCK(argc, argv)
        PHP_EMBED_END_BLOCK();

        printf("Second block\n");
        PHP_EMBED_START_BLOCK(argc, argv)
        PHP_EMBED_END_BLOCK();

        return 0;
}

Compiled and run:

First block
SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x21

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x21

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x55c1cdb6f9b0

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x55c1cdb6f9b0

Second block
SG=0x55c1cdbf8d30
Помилка адресування (збережено знімок оперативної пам’яті)

Looks like this has something to do with SG(sapi_started).

Running under valgrind:

$ USE_ZEND_ALLOC=0 valgrind ./test
==16297== Memcheck, a memory error detector
==16297== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16297== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==16297== Command: ./test
==16297== 
First block
SG=0x100adf70
SG(sapi_started)=0
==16297== Invalid read of size 8
==16297==    at 0x53462D3: printf (stdio2.h:104)
==16297==    by 0x53462D3: sapi_register_post_entry (SAPI.c:953)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108989: main (test.c:7)
==16297==  Address 0x100adf18 is 8 bytes before a block of size 8 alloc'd
==16297==    at 0x4C2DA5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x4C2FDDF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x53381E8: ts_allocate_id (TSRM.c:255)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108989: main (test.c:7)
==16297== 
EG=(nil)

SG=0x100adf70
SG(sapi_started)=0
EG=(nil)

SG=0x100adf70
SG(sapi_started)=0
EG=0x100b25f0

SG=0x100adf70
SG(sapi_started)=0
EG=0x100b25f0

Second block
SG=0x112dfce0
==16297== Invalid read of size 8
==16297==    at 0x534629E: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x100adec0 is 0 bytes inside a block of size 32 free'd
==16297==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x533803F: tsrm_shutdown (TSRM.c:190)
==16297==    by 0x54611C6: php_embed_shutdown (php_embed.c:229)
==16297==    by 0x108A7F: main (test.c:8)
==16297==  Block was alloc'd at
==16297==    at 0x4C2DB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x533830D: allocate_new_resource (TSRM.c:279)
==16297==    by 0x5338570: ts_resource_ex (TSRM.c:368)
==16297==    by 0x5460FCA: php_embed_init (php_embed.c:176)
==16297==    by 0x108989: main (test.c:7)
==16297== 
==16297== Invalid read of size 8
==16297==    at 0x53462A1: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x11123650 is 0 bytes inside a block of size 376 free'd
==16297==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x5338034: tsrm_shutdown (TSRM.c:189)
==16297==    by 0x54611C6: php_embed_shutdown (php_embed.c:229)
==16297==    by 0x108A7F: main (test.c:8)
==16297==  Block was alloc'd at
==16297==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x53381E8: ts_allocate_id (TSRM.c:255)
==16297==    by 0x10ECAEF1: ???
==16297==    by 0x53B37FA: zend_startup_module_ex (zend_API.c:1843)
==16297==    by 0x53B5CA5: zend_startup_module (zend_API.c:2454)
==16297==    by 0x53BAC04: zend_extension_startup (zend_extensions.c:184)
==16297==    by 0x539F64F: zend_llist_apply_with_del (zend_llist.c:171)
==16297==    by 0x53BAD26: zend_startup_extensions (zend_extensions.c:205)
==16297==    by 0x533B397: php_module_startup (main.c:2305)
==16297==    by 0x5460F6C: php_embed_startup (php_embed.c:109)
==16297==    by 0x54610C1: php_embed_init (php_embed.c:200)
==16297==    by 0x108989: main (test.c:7)
==16297==
==16297== Invalid read of size 1
==16297==    at 0x53462A6: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x1b4 is not stack'd, malloc'd or (recently) free'd
==16297==
==16297==
==16297== Process terminating with default action of signal 11 (SIGSEGV)
==16297==  Access not within mapped region at address 0x1B4
==16297==    at 0x53462A6: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)

The very first error can probably be ignored - it looks like executor globals are not ready yet.

The second one probably means that the SAPI globals structure has not been (properly) allocated.
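A small C model of the TSRM startup/shutdown lifecycle that the two traces above exercise, added here as an example rather than PHP's own code (the model_* names, the generation counter and the refusing lookup are assumptions; real TSRM has no generation field): a static resource id and a thread-local cache that survive shutdown are validated before use instead of being dereferenced into freed or not-yet-allocated memory.

```c
#include <stdlib.h>
#include <string.h>
enum { MAX_RES = 8 };
/* One thread's resource table (models p->storage), its id count, and a generation
 * counter bumped on each startup: the added check, not a real TSRM field. */
static void *g_storage[MAX_RES];
static int g_count; static unsigned g_generation;
static int sapi_globals_id;   /* static, like the real one: survives shutdown */
/* Models the thread-local TSRMLS cache together with the generation it was taken at. */
typedef struct { void **ls; unsigned gen; } ls_cache_t;
static void model_tsrm_startup(void) {
    memset(g_storage, 0, sizeof g_storage);
    g_count = 0; g_generation++;
}
/* Models tsrm_shutdown: frees the blocks; sapi_globals_id is left as is, as in the report. */
static void model_tsrm_shutdown(void) {
    for (int i = 0; i < g_count; i++) { free(g_storage[i]); g_storage[i] = NULL; }
    g_count = 0;
}
static ls_cache_t model_cache_update(void) {
    ls_cache_t c = { g_storage, g_generation }; return c;
}
/* Models ts_allocate_id without the ctor callback: allocates a slot and hands out its id. */
static int model_allocate_id(int *rsrc_id, size_t size) {
    if (g_count >= MAX_RES) return -1;
    g_storage[g_count] = calloc(1, size);
    return *rsrc_id = ++g_count;
}
/* Models SG()/EG() resolution but refuses, instead of reading freed or out-of-range
 * memory, when the cache is from an earlier startup or the id is still 0. */
static void *model_tsrmg(const ls_cache_t *c, int id) {
    if (c->gen != g_generation || id <= 0 || id > g_count) return NULL;
    return c->ls[id - 1];
}
/* The report's two START_BLOCK/END_BLOCK cycles; returns 1 if every check holds. */
static int scenario_double_embed(void) {
    ls_cache_t stale, fresh;
    int ok = 1;
    model_tsrm_startup();                               /* php_embed_init #1 */
    stale = model_cache_update();
    model_allocate_id(&sapi_globals_id, 64);            /* sapi_startup #1 */
    ok &= model_tsrmg(&stale, sapi_globals_id) != NULL;
    ok &= model_tsrmg(&stale, 0) == NULL;               /* EG before its id exists */
    model_tsrm_shutdown();                              /* php_embed_shutdown #1 */
    model_tsrm_startup();                               /* php_embed_init #2 */
    fresh = model_cache_update();
    model_allocate_id(&sapi_globals_id, 64);            /* sapi_startup #2 */
    ok &= model_tsrmg(&stale, sapi_globals_id) == NULL; /* stale cache refused */
    ok &= model_tsrmg(&fresh, sapi_globals_id) != NULL; /* refreshed cache works */
    model_tsrm_shutdown();
    return ok;
}
```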
 [2017-12-26 17:53 UTC] volodymyr at wildwolf dot name
Could be related:

7.0.17-zts-debug works
7.0.18-zts-debug does not work (crashes in php_startup_ticks(), main/php_ticks.c:32)
7.1.0-zts-debug does not work
 [2017-12-26 18:21 UTC] volodymyr at wildwolf dot name
Disregard the previous comment, 7.0.17-zts-debug was actually NTS :-(

7.0.0-zts-debug crashes as well (malloc.c:3759: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.).

NTS versions seem to work, so the bug seems to affect only ZTS.
 [2017-12-27 04:53 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc3822c3431ec3229ad439c3e4e4b956218777af
Log: Fixed bug #75735 ([embed SAPI] Segmentation fault in sapi_register_post_entry)
 [2017-12-27 04:53 UTC] laruence@php.net
-Status: Open +Status: Closed
Last updated: Tue Aug 21 23:01:31 2018 UTC