php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75968 php-fpm restarts master process in a loop when using Program execution Function
Submitted: 2018-02-16 15:22 UTC Modified: 2018-02-23 16:54 UTC
Votes:26
Avg. Score:5.0 ± 0.2
Reproduced:21 of 21 (100.0%)
Same Version:14 (66.7%)
Same OS:10 (47.6%)
From: schnederle at futureweb dot at Assigned: bukka (profile)
Status: Duplicate Package: FPM related
PHP Version: 7.2.2 OS: Centos/RHEL 7.4
Private report: No CVE-ID: 2015-9253
 [2018-02-16 15:22 UTC] schnederle at futureweb dot at
Description:
------------
Follow-Up to already reported Bug #70185 (https://bugs.php.net/bug.php?id=70185)
Still a Problem with current PHP 7.2.2.

When using Program execution Functions (passthru(), exec(), shell_exec(), system(), ...) the php-fpm: master process reproduceable crashes with signal 15 (SIGTERM) which leads to crash-loop, 100% CPU usage and spamming of Logs (30GB within 1 day on my Dev-Server)

Test script:
---------------
<?php
exec('/usr/bin/postcss css_from.css --use autoprefixer --autoprefixer.remove "false" --output css_to.css');
echo 'Done';
?>

Actual result:
--------------
Millions of:
...
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53778 exited on signal 15 (SIGTERM) after 0.046685 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53782 exited on signal 15 (SIGTERM) after 0.045416 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53785 exited on signal 15 (SIGTERM) after 0.045331 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53787 exited on signal 15 (SIGTERM) after 0.044765 seconds from start
...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-16 15:32 UTC] schnederle at futureweb dot at
correction - not the master process crashes but php-fpm continues to restart the process over and over again using 100% of the CPU on the php-fpm master process. (crash loop)
 [2018-02-16 15:38 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2018-02-16 15:38 UTC] nikic@php.net
Is it possible to provide a **self-contained** reproducer for this? That is, using something like "ls" rather than "postcss"?

If not, please provide detailed instructions on how to reproduce this, including any necessary input files and instructions for the installation of necessary programs.
 [2018-02-16 15:51 UTC] schnederle at futureweb dot at
was able to reproduce behaviour "self contained":

Script 1:
<?php
stream_set_blocking(STDIN, false);
echo "Blah";
?>

Script 2:
<?php
passthru('/usr/bin/php /path/to/1.php');
?>

Reproduceable on 2 Machines with php-fpm 7.2.2 and earlier.

As it can be used to DOS Shared Hosting Servers (i.e. all Plesk Servers use PHP-FPM) I think this got some Security implications too.
 [2018-02-16 15:54 UTC] nikic@php.net
-Status: Feedback +Status: Open
 [2018-02-20 10:38 UTC] schnederle at futureweb dot at
someone with proper rights please assign CVE-2015-9253 to this Bug Report.

Source:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
- https://www.futureweb.at/security/CVE-2015-9253/
 [2018-02-20 23:07 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes -CVE-ID: +CVE-ID: 2015-9253
 [2018-02-20 23:11 UTC] stas@php.net
-Package: Reproducible crash +Package: FPM related
 [2018-02-20 23:11 UTC] stas@php.net
Could someone explain to me why this is a security issue? Which permission border is being crossed?
 [2018-02-20 23:12 UTC] stas@php.net
I mean, if you have process exec privileges, couldn't you just "kill -9" your parent  FPM process from shell and achieve the same effect?
 [2018-02-21 13:18 UTC] cmb@php.net
> Could someone explain to me why this is a security issue?

Sorry, I can't.  I've merely switched to private, since a CVE had
been assigned.
 [2018-02-23 03:27 UTC] stas@php.net
-Assigned To: +Assigned To: bukka
 [2018-02-23 14:03 UTC] bukka@php.net
This seems just like a duplicate of the https://bugs.php.net/bug.php?id=70185 that is public already so there is no reason to keep this as a security bug IMHO.
 [2018-02-23 16:54 UTC] nikic@php.net
-Status: Assigned +Status: Duplicate -Type: Security +Type: Bug
 [2018-02-23 16:54 UTC] nikic@php.net
Duplicate of bug #73342. Unassigning privacy status as this has been public for a long time already.

Bug #73342 also has a patch attached, though I haven't checked if it makes sense.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Mar 21 01:01:30 2019 UTC