Bug #75735 [embed SAPI] Segmentation fault in sapi_register_post_entry
Submitted: 2017-12-26 15:28 UTC Modified: -
From: volodymyr at wildwolf dot name Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.12 OS: Ubuntu 17.04 x64
Private report: No CVE-ID: None
 [2017-12-26 15:28 UTC] volodymyr at wildwolf dot name
Description:
------------
Please see below — the second call to PHP_EMBED_START_BLOCK() crashes the application.

Same happens in PHP 7.2.0 as well.

Configure options:

--with-config-file-path=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/etc --with-config-file-scan-dir=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/etc/conf.d --prefix=/home/vladimir/.phpenv/versions/7.1.12-zts-debug --libexecdir=/home/vladimir/.phpenv/versions/7.1.12-zts-debug/libexec --without-pear --with-gd --enable-sockets --with-jpeg-dir=/usr --with-png-dir=/usr --enable-exif --enable-zip --with-zlib --with-zlib-dir=/usr --with-kerberos --with-openssl --with-mcrypt=/usr --enable-soap --enable-xmlreader --with-xsl --enable-ftp --enable-cgi --with-curl=/usr --with-tidy --with-xmlrpc --enable-sysvsem --enable-sysvshm --enable-shmop --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --enable-pcntl --with-readline --enable-mbstring --disable-debug --disable-fpm --enable-embed --enable-bcmath --disable-phpdbg --enable-maintainer-zts --with-libdir=lib64


Test script:
---------------
#include <sapi/embed/php_embed.h>

int main()
{
        PHP_EMBED_START_BLOCK(0, 0)
        PHP_EMBED_END_BLOCK();

        PHP_EMBED_START_BLOCK(0, 0)
        PHP_EMBED_END_BLOCK();

        return 0;
}


Expected result:
----------------
Program exits normally.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d826b in sapi_register_post_entry (post_entry=post_entry@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:951
951             if (SG(sapi_started) && EG(current_execute_data)) {
(gdb) bt
#0  0x00007ffff73d826b in sapi_register_post_entry (post_entry=post_entry@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:951
#1  0x00007ffff73d8362 in sapi_register_post_entries (post_entries=post_entries@entry=0x7ffff7dae160 <php_post_entries>) at /tmp/php-build/source/7.1.12/main/SAPI.c:940
#2  0x00007ffff73db5d0 in php_setup_sapi_content_types () at /tmp/php-build/source/7.1.12/main/php_content_types.c:64
#3  0x00007ffff73ca23c in ts_allocate_id (rsrc_id=rsrc_id@entry=0x7ffff7dd67b8 <sapi_globals_id>, size=size@entry=560, ctor=ctor@entry=0x7ffff73d5db0 <sapi_globals_ctor>, dtor=dtor@entry=0x7ffff73d5d90 <sapi_globals_dtor>) at /tmp/php-build/source/7.1.12/TSRM/TSRM.c:259
#4  0x00007ffff73d616c in sapi_startup (sf=sf@entry=0x7ffff7db7e40 <php_embed_module>) at /tmp/php-build/source/7.1.12/main/SAPI.c:84
#5  0x00007ffff74f2f74 in php_embed_init (argc=0, argv=0x0) at /tmp/php-build/source/7.1.12/sapi/embed/php_embed.c:182
#6  0x0000555555554a2e in main () at test.c:8


 [2017-12-26 17:10 UTC] volodymyr at wildwolf dot name
Added three lines to the beginning of sapi_register_post_entry():

printf("SG=%p\n", TSRMG_BULK(sapi_globals_id, sapi_globals_struct*)); // Line 951
printf("SG(sapi_started)=%d\n", (int)SG(sapi_started)); // Line 952
printf("EG=%p\n\n", TSRMG_BULK(executor_globals_id, zend_executor_globals *)); // Line 953

Modified the test script a bit:

#include <stdio.h>
#include <sapi/embed/php_embed.h>

int main(int argc, char** argv)
{
        printf("First block\n");
        PHP_EMBED_START_BLOCK(argc, argv)
        PHP_EMBED_END_BLOCK();

        printf("Second block\n");
        PHP_EMBED_START_BLOCK(argc, argv)
        PHP_EMBED_END_BLOCK();

        return 0;
}

Compiled and run:

First block
SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x21

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x21

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x55c1cdb6f9b0

SG=0x55c1cdb6c190
SG(sapi_started)=0
EG=0x55c1cdb6f9b0

Second block
SG=0x55c1cdbf8d30
Segmentation fault (core dumped)

Looks like this has something to do with SG(sapi_started).

Running under valgrind:

$ USE_ZEND_ALLOC=0 valgrind ./test
==16297== Memcheck, a memory error detector
==16297== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16297== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==16297== Command: ./test
==16297== 
First block
SG=0x100adf70
SG(sapi_started)=0
==16297== Invalid read of size 8
==16297==    at 0x53462D3: printf (stdio2.h:104)
==16297==    by 0x53462D3: sapi_register_post_entry (SAPI.c:953)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108989: main (test.c:7)
==16297==  Address 0x100adf18 is 8 bytes before a block of size 8 alloc'd
==16297==    at 0x4C2DA5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x4C2FDDF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x53381E8: ts_allocate_id (TSRM.c:255)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108989: main (test.c:7)
==16297== 
EG=(nil)

SG=0x100adf70
SG(sapi_started)=0
EG=(nil)

SG=0x100adf70
SG(sapi_started)=0
EG=0x100b25f0

SG=0x100adf70
SG(sapi_started)=0
EG=0x100b25f0

Second block
SG=0x112dfce0
==16297== Invalid read of size 8
==16297==    at 0x534629E: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x100adec0 is 0 bytes inside a block of size 32 free'd
==16297==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x533803F: tsrm_shutdown (TSRM.c:190)
==16297==    by 0x54611C6: php_embed_shutdown (php_embed.c:229)
==16297==    by 0x108A7F: main (test.c:8)
==16297==  Block was alloc'd at
==16297==    at 0x4C2DB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x533830D: allocate_new_resource (TSRM.c:279)
==16297==    by 0x5338570: ts_resource_ex (TSRM.c:368)
==16297==    by 0x5460FCA: php_embed_init (php_embed.c:176)
==16297==    by 0x108989: main (test.c:7)
==16297== 
==16297== Invalid read of size 8
==16297==    at 0x53462A1: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x11123650 is 0 bytes inside a block of size 376 free'd
==16297==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x5338034: tsrm_shutdown (TSRM.c:189)
==16297==    by 0x54611C6: php_embed_shutdown (php_embed.c:229)
==16297==    by 0x108A7F: main (test.c:8)
==16297==  Block was alloc'd at
==16297==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16297==    by 0x53381E8: ts_allocate_id (TSRM.c:255)
==16297==    by 0x10ECAEF1: ???
==16297==    by 0x53B37FA: zend_startup_module_ex (zend_API.c:1843)
==16297==    by 0x53B5CA5: zend_startup_module (zend_API.c:2454)
==16297==    by 0x53BAC04: zend_extension_startup (zend_extensions.c:184)
==16297==    by 0x539F64F: zend_llist_apply_with_del (zend_llist.c:171)
==16297==    by 0x53BAD26: zend_startup_extensions (zend_extensions.c:205)
==16297==    by 0x533B397: php_module_startup (main.c:2305)
==16297==    by 0x5460F6C: php_embed_startup (php_embed.c:109)
==16297==    by 0x54610C1: php_embed_init (php_embed.c:200)
==16297==    by 0x108989: main (test.c:7)
==16297==
==16297== Invalid read of size 1
==16297==    at 0x53462A6: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)
==16297==  Address 0x1b4 is not stack'd, malloc'd or (recently) free'd
==16297==
==16297==
==16297== Process terminating with default action of signal 11 (SIGSEGV)
==16297==  Access not within mapped region at address 0x1B4
==16297==    at 0x53462A6: sapi_register_post_entry (SAPI.c:952)
==16297==    by 0x53463E1: sapi_register_post_entries (SAPI.c:940)
==16297==    by 0x534964F: php_setup_sapi_content_types (php_content_types.c:64)
==16297==    by 0x533823B: ts_allocate_id (TSRM.c:259)
==16297==    by 0x5460FF3: php_embed_init (php_embed.c:182)
==16297==    by 0x108AA2: main (test.c:11)

The very first error can probably be ignored - it looks like executor globals are not ready yet.

The second one probably means that SAPI globals structure has not been (properly) allocated.
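The valgrind output above shows the second startup reading blocks that tsrm_shutdown() freed during the first shutdown, inside the ts_allocate_id -> ctor -> sapi_register_post_entry path. The following C program is an added model of that failure mode; it is not part of the bug report and not PHP's code, and it does not claim to reproduce the exact mechanism inside TSRM or the fix that closed this bug. It assumes a TSRM-like design in which per-thread storage is reached through a static cached pointer (ls_cache, thread_entry, startup_model and the other names are the model's own, not PHP identifiers) and compares a shutdown that leaves that pointer dangling with one that clears it. A poisoning arena stands in for malloc/free so that the read of freed memory is observable deterministically rather than being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 4096
#define POISON     0xDD
#define MAX_IDS    8

/* Poisoning arena in place of malloc/free: blocks are never reused and a
 * freed block is filled with POISON, so a read-after-free returns a known
 * pattern instead of being undefined behaviour. */
static union { unsigned char bytes[ARENA_SIZE]; void *align; } arena;
static size_t arena_used;

static void *arena_alloc(size_t n)
{
    unsigned char *p;
    n = (n + sizeof(void *) - 1) & ~(sizeof(void *) - 1);  /* keep alignment */
    if (arena_used + n > ARENA_SIZE)
        return NULL;
    p = arena.bytes + arena_used;
    arena_used += n;
    memset(p, 0, n);
    return p;
}

static void arena_free(void *p, size_t n) { memset(p, POISON, n); }

/* Model of the SAPI globals block (where SG(sapi_started) lives) and of a
 * per-thread entry with one storage slot per resource id. */
typedef struct { int sapi_started; } sapi_globals_model;
typedef struct { void *storage[MAX_IDS]; int count; } thread_entry;

static thread_entry *ls_cache;   /* static cached thread pointer (model's assumption) */
static thread_entry *current;    /* entry owned by the running "process" */
static int id_count;             /* next resource id */

/* A freed entry has its count overwritten with POISON bytes. */
#define ENTRY_STALE(e) ((e)->count < 0 || (e)->count > MAX_IDS)

/* Globals ctor run from inside id allocation. It reads the SAPI globals
 * through the cached pointer. Returns 1 if the read hit a live block,
 * 0 if the cached entry is freed memory (a use-after-free in real code). */
static int sapi_globals_ctor_model(void *slot, int id)
{
    sapi_globals_model *sg;
    ((sapi_globals_model *)slot)->sapi_started = 0;
    if (ENTRY_STALE(ls_cache) || id >= ls_cache->count)
        return 0;
    sg = ls_cache->storage[id];
    return sg != NULL && sg->sapi_started == 0;
}

/* Model of ts_allocate_id(): hand out the next id, give the entry a fresh
 * slot and run the ctor on it. */
static int allocate_id_model(thread_entry *e)
{
    int id = id_count++;
    void *slot = arena_alloc(sizeof(sapi_globals_model));
    e->storage[id] = slot;
    e->count = id + 1;
    return sapi_globals_ctor_model(slot, id);
}

/* Model of php_embed_init(): new thread entry, then the SAPI globals id.
 * Assumption of the model: the cache is filled only when empty, so a
 * dangling value left behind by shutdown survives. */
static int startup_model(void)
{
    current = arena_alloc(sizeof *current);
    id_count = 0;
    if (ls_cache == NULL)
        ls_cache = current;
    return allocate_id_model(current);
}

/* Model of tsrm_shutdown(): free slots and entry. With clear_statics == 0
 * the cached pointer keeps pointing at the freed entry. */
static void shutdown_model(int clear_statics)
{
    int i;
    for (i = 0; i < current->count; i++)
        arena_free(current->storage[i], sizeof(sapi_globals_model));
    arena_free(current, sizeof *current);
    current = NULL;
    if (clear_statics)
        ls_cache = NULL;
}

/* The bug report's sequence: start, stop, start again. Returns 1 if the
 * second startup read live SAPI globals, 0 if it read freed memory. */
static int double_init(int clear_statics_on_shutdown)
{
    int ok;
    arena_used = 0;
    ls_cache = NULL;
    startup_model();
    shutdown_model(clear_statics_on_shutdown);
    ok = startup_model();
    shutdown_model(1);
    return ok;
}

int main(void)
{
    printf("dangling static: %s\n", double_init(0) ? "ok" : "read freed memory");
    printf("cleared static:  %s\n", double_init(1) ? "ok" : "read freed memory");
    return 0;
}
```

The ENTRY_STALE check plays the role valgrind played in the report: it notices that the count field now holds the poison pattern. Without poisoning, the dangling case would dereference whatever the allocator left in the freed block, which is how the garbage pointer 0x1b4 in the trace above comes about.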
 [2017-12-26 17:53 UTC] volodymyr at wildwolf dot name
Could be related:

7.0.17-zts-debug works
7.0.18-zts-debug does not work (crashes in php_startup_ticks(), main/php_ticks.c:32)
7.1.0-zts-debug does not work
 [2017-12-26 18:21 UTC] volodymyr at wildwolf dot name
Disregard the previous comment, 7.0.17-zts-debug was actually NTS :-(

7.0.0-zts-debug crashes as well (malloc.c:3759: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.).

NTS versions seem to work, so the bug seems to affect only ZTS.
 [2017-12-27 04:53 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc3822c3431ec3229ad439c3e4e4b956218777af
Log: Fixed bug #75735 ([embed SAPI] Segmentation fault in sapi_register_post_entry)
 [2017-12-27 04:53 UTC] laruence@php.net
-Status: Open +Status: Closed
Last updated: Tue Oct 08 22:01:27 2024 UTC